Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With viruses on smartphones an ever-present worry, some are not convinced it’s safe to allow consumers to enter PIN codes on handset keypads, which could be spied upon by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads, which are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies likely will want to enable PIN entry on the NFC handset to ensure the user experience is consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN as the “personal code.” Although the banks emphasize that this code is different from the PINs used by customers for their French debit cards, it does not avoid the potential risks of an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area right on the phone processor, which could store encryption keys, certificates and other security measures.

This so-called “trusted execution environment” would add security features to help safeguard PIN entry on the phone keypad and also deter hackers from spying on transaction data displayed on the handset screen. It could offer a security boost for a range of other applications, including enabling secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications that apply to software and hardware that use the trusted execution environment in phones. The specifications are for the application programming interface, or API, for applications that run in this trusted environment. The API would enable developers working with various smartphone operating systems and chips to develop applications across all the platforms. Their products now remain proprietary.

While most trusted execution environments on phones use a secure area called TrustZone from UK-based chip design company ARM Holdings, TrustZone has to tie into different operating systems, such as BlackBerry OS and Android. There are also different phone processor chip makers, and at least two major providers of software platforms for applications using TrustZone and the trusted execution environment–smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

These specs will not be used only for NFC applications; the mobile operator group Open Mobile Terminal Platform, now known as the Wholesale Applications Community, or WAC, also worked on the specifications.

But GlobalPlatform needs some support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic. GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element or secure chip in the NFC phones, which would store the actual keys to the payment applications and the customers’ PIN codes. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as in a microSD card inserted in the phone.
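The split the article describes has three parties: an untrusted rich OS, a trusted UI inside the trusted execution environment that owns the keypad during PIN entry, and a secure element that holds the payment keys, the reference PIN and the retry counter. The toy model below is an added illustration and is not code from the article, GlobalPlatform or any of the vendors named; the pairing secret, message layout, class and function names are all assumptions. It shows what the secure connection from TEE to secure element has to provide: the rich OS relays bytes it cannot read or forge, a per-transaction nonce stops a captured envelope from being replayed, the try counter is only spent on authenticated submissions, and the PIN reference never leaves the secure element. A PRF-derived keystream stands in for the block cipher a real TEE/SE secure channel would use, because the Python standard library ships none.

```python
"""Toy model of the TEE / secure element trust boundary (added illustration,
not the article's, GlobalPlatform's or any vendor's code). Three parties: the
rich OS (untrusted), the trusted UI inside the TEE, and the secure element
holding the reference PIN and retry counter. The rich OS only relays opaque
bytes. A PRF-derived keystream stands in for a block cipher; all names and the
message layout are assumptions made for this example."""
import hashlib
import hmac
import secrets

# Constructed pairing secret known only to the TEE and the secure element.
PAIRING_SECRET = bytes.fromhex("7f" * 32)
NONCE_LEN, BLOCK_LEN = 16, 16


def _derive(secret: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one pairing secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes) -> bytes:
    """One-time keystream bound to a single challenge nonce (32 bytes; 16 used)."""
    return hmac.new(enc_key, nonce, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pin_block(pin: str) -> bytes:
    """Fixed-length block: length byte, ASCII digits, 0xFF fill (assumed layout)."""
    raw = pin.encode("ascii")
    if not raw.isdigit() or not 4 <= len(raw) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes([len(raw)]) + raw + b"\xff" * (BLOCK_LEN - 1 - len(raw))


class SecureElement:
    """The SIM, embedded or microSD chip: owns the reference PIN and try counter."""

    def __init__(self, pairing_secret: bytes, pin_ref: str, max_tries: int = 3):
        self._enc_key = _derive(pairing_secret, b"enc")
        self._mac_key = _derive(pairing_secret, b"mac")
        self._pin_ref = _pin_block(pin_ref)
        self._max_tries = max_tries
        self.tries_left = max_tries
        self._pending_nonce = None

    def challenge(self) -> bytes:
        """Fresh nonce: binds one PIN submission to one verification."""
        self._pending_nonce = secrets.token_bytes(NONCE_LEN)
        return self._pending_nonce

    def _result(self, ok: bool, reason: str) -> dict:
        return {"ok": ok, "reason": reason, "tries_left": self.tries_left}

    def verify(self, envelope: bytes) -> dict:
        nonce = envelope[:NONCE_LEN]
        ct = envelope[NONCE_LEN:NONCE_LEN + BLOCK_LEN]
        tag = envelope[NONCE_LEN + BLOCK_LEN:]
        # Authenticate first: an unauthenticated guess never touches the counter.
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return self._result(False, "bad-mac")
        if self._pending_nonce is None or not hmac.compare_digest(nonce, self._pending_nonce):
            return self._result(False, "replay")
        self._pending_nonce = None  # single use
        if self.tries_left == 0:
            return self._result(False, "blocked")
        block = _xor(ct, _keystream(self._enc_key, nonce))
        if hmac.compare_digest(block, self._pin_ref):
            self.tries_left = self._max_tries  # counter resets on success
            return self._result(True, "verified")
        self.tries_left -= 1
        return self._result(False, "wrong-pin")


class TrustedUI:
    """PIN entry inside the TEE: reads the keypad itself, never via the rich OS."""

    def __init__(self, pairing_secret: bytes, keypad):
        self._enc_key = _derive(pairing_secret, b"enc")
        self._mac_key = _derive(pairing_secret, b"mac")
        self.keypad = keypad  # callable returning the digits typed on the secure keypad

    def enter_pin(self, nonce: bytes) -> bytes:
        ct = _xor(_pin_block(self.keypad()), _keystream(self._enc_key, nonce))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # encrypt-then-MAC envelope


def rich_os_checkout(se: SecureElement, tui: TrustedUI) -> dict:
    """What the untrusted payment app does: relay bytes and learn only the verdict."""
    return se.verify(tui.enter_pin(se.challenge()))


if __name__ == "__main__":
    se = SecureElement(PAIRING_SECRET, pin_ref="1234")  # constructed sample PIN
    tui = TrustedUI(PAIRING_SECRET, keypad=lambda: "1234")
    print(rich_os_checkout(se, tui))
```

The ordering inside `verify` is the design point: the MAC check comes before anything else, so malware on the rich OS that fabricates envelopes gets "bad-mac" without consuming a try, and a captured envelope fed back in gets "replay" because the nonce was already spent. Only submissions that came through the trusted UI can ever decrement the counter.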

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that support the PIN Entry Device standard, or PED, of the PCI Security Standards Council.

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

MK.Mustafa Sep 14 2010

All these security issues can be solved with SCWS-enabled SIM cards; this will enable all mobiles to interact with the mobile payment application stored in the SIM card through the web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.
