Session 2: Understanding the payment ecosystem and the issues Visa Europe

Similar documents
Mobile Security / Mobile Payments

Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans

Visa Inc Investor Day. Technology at Visa. Rajat Taneja EVP, Technology and Operations

How Next Generation Trusted Identities Can Help Transform Your Business

HCE security implications. Analyzing the security aspects of HCE

Maintaining Trust: Visa Inc. Payment Security Strategy

A Layered Approach to Fraud Mitigation. Nick White Product Manager, FIS Payments Integrated Financial Services

SEPA goes Mobile Dr. Marijke De Soete ETSI Security Workshop January 2011 Sophia Antipolis, France

3. Why should I use Samsung Pay instead of my physical cards?

TOP RISK CONCERNS MERCHANT DATA BREACHES. Presented by Ann Davidson, VP of Risk Consulting at Allied Solutions

Apple Pay FREQUENTLY ASKED QUESTIONS

EMERGING PAYMENTS. Breakout and Workshop

DIGITAL TECHNOLOGY An Evolution in the Payment Landscape. AMEX Digital Solutions

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Mobile Payments. Moving at the Speed of Innovation. Eric Kuhn, Enterprise Digital Product Development April 2017

How Mobile is Reshaping Payments

MDES to support converged wallets CEESCA 2015 Dubrovnik

Identity-Enabled Transactions Based on the EMVCo Payment Tokenization Specification. Authors: Yue Zhu Asmaa Aljohani Gyan Singh Namdhari.

IDENTITY AND THE NEW AGE OF ENTERPRISE SECURITY BEN SMITH CISSP CRISC CIPT RSA FIELD CTO

Stop in the name of EMV! Is merchant regulation breaking your heart? April 4, Amegy Bank, a division of ZB, N.A. Member FDIC

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

NFC embedded microsd smart Card - Mobile ticketing opportunities in Transit

Will you be PCI DSS Compliant by September 2010?

Mobile Banking and Payments Emerging Trends and Opportunities

Ch 9: Mobile Payments. CNIT 128: Hacking Mobile Devices. Updated

NFC Service Launch in Hong Kong. Alex Kun SVP, Product Development and Management Wireless Business

Will Mobile Phones Replace Cards?

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics

FFIEC Guidance: Mobile Financial Services

PCI Compliance Updates

Webinar Tokenization 101

When Worlds Collide Payments meet mobile Osman Inegol, Mobile Business Unit

PCI DSS and VNC Connect

Paying. on the go: Mobile payments slowly catch on in the United States

Opting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.

A Proposed e-payment Service for Visually Disabled

Natural Security Alliance

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

LinQ2FA. Helping You. Network. Direct Communication. Stay Fraud Free!

Trusted Computing Today: Benefits and Solutions

Introducing. Worldpay Total. Worldpay international omni-channel payment solution

Evolution of Cyber Attacks

Mobile NFC Services Opportunities & Challenges. NGUYEN Anh Ton VNTelecom Conference 31/10/2010

PSD2 webinar session - Q&A

January 23, Online Banking Risk Management: A Multifaceted Approach for Commercial Customers

Corporate Mobile Banking: A Treasury Perspective

PSD2 Compliance - Q&A

9/11/ FALL CONFERENCE & TRAINING SEMINAR 2014 FALL CONFERENCE & TRAINING SEMINAR

2009 Fare Collection Workshop

Secure Card Reader Authenticators

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

UK Edges Closer Towards a Cashless Future as Android Pay Launches

PCI DSS and the VNC SDK

The Future of PCI: Securing payments in a changing world

GSM Association (GSMA) Mobile Ticketing Initiative

SECURITY TRENDS & VULNERABILITIES REVIEW FINANCIAL SYSTEMS

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Keep the Door Open for Users and Closed to Hackers

State of US Mobile Payments (NFC)

MOBILE WALLET TECHNOLOGIES: GLOBAL MARKETS. IFT070A April Priyanka Patel Project Analyst ISBN:

How. Biometrics. Expand the Reach of Mobile Banking ENTER

6 Vulnerabilities of the Retail Payment Ecosystem

Navigate our app like a pro. How-to s, guides and more. Certified by J.D. Power* for providing An Outstanding Mobile Banking Experience.

AKAMAI CLOUD SECURITY SOLUTIONS

WHITE PAPER 2019 AUTHENTICATOR WHITE PAPER

Topics. Ensuring Security on Mobile Devices

3 Citi Wallet Service - FAQ. 1) Get Started Q1. How can I become a 3 Citi Wallet user?

Mobile Banking App Guide (ios and Android Apps) Mobile Banking App Guide (ios and Android)

Using Biometric Authentication to Elevate Enterprise Security

Digital Transformation through Open Software Defined Infrastructure Justin Dustzadeh, Vice President and Head of Global Infrastructure Network

New Paradigms of Digital Identity:

Let s Hack NFC. How does NFC work? How could we hack it? Where are the weaknesses? What are the security implications?

New Product Announcement: AC2000 v7.1 Integrations

INNOVATIVE IT- SECURITY FOR THE BANKING AND PAYMENT INDUSTRY

The Next Generation of Credential Technology

GlobalPlatform Trusted Execution Environment (TEE) for Mobile

Pro s and con s Why pins # s, passwords, smart cards and tokens fail

All you need to know about OCBC Google Pay

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Cyber Security and You: The Future of Physical Access in a Digital World. Chip Epps & Daniel Bailin HID Global

Hassle-free banking in the DIGITAL AGE through NEXT-GEN. Technologies W H I T E PA P E R

Federal Reserve Bank 2016 Mobile Banking & Payments Survey

Authentication Technology for a Smart eid Infrastructure.

Enabling Compliance for Physical and Cyber Security in Mobile Devices

Cybersecurity and the Role of Mobile Financial Transactions. Jackie McCarthy Director, Regulatory Affairs NCSL Capitol Forum December 5, 2016

IMB Apple Pay - Frequently Asked Questions

Is Your Online Bank Really Secure?

Strategies for the Implementation of PIV I Secure Identity Credentials

The COMPLETE GUIDE NFC VERSION 1.0 PUBLISHED 09/13/18

Mobile Payment Security, Threats, and Challenges

Re-using Existing Global Financial Networks to authenticate Card Not Present (CNP) Payments

Mobile Wallet Service Terms and Conditions

White Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security

Advances in NFC & Mobile Payments Trials and Technology

With certain types of prepaid account, you can do just about everything a traditional bank account allows you to do, including using your prepaid

CIBC FirstCaribbean Mobile App. FREQUENTLY ASKED QUESTIONS (FAQs)

Display Cards for Securing E Commerce

APG8202 PINhandy 2 OTP Generator

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

Cyber Security Updates and Trends Affecting the Real Estate Industry

Transcription:

Session 2: Understanding the payment ecosystem and the issues Visa Europe Agnes Revel Martineau VP, Head of Product Specifications, Standards and Industry Liaison ETSI 01st, July, 2014

Agenda You said mobile payment What is the mobile environment? How to approach it? In detail. What has been done? What next? 2

You said mobile payment Vision What is mobile payment? Standard maturity 3

Vision - Focused on consumer choice Any Handset Network Technology Issuer Wallet Payment product 4

What is mobile payment? Mobile payment is a fabulously generic term which means different things to different people If I use: the browser on my phone to purchase an item from a web site an application to make an in game purchase my banks application to move money from my internet bank portal a person to person payment using one of many different solutions a contactless payment at Point of Sale a mobile to accept card payments (as a terminal) All these (and quite a few others) will probably be considered by consumers as mobile payments One device Anywhere, anytime Richer consumer experience 5

Mature Standards 6

What is the mobile environment? How to approach it? Mobile - an Untrusted environment SE based approaches Stickers Approaches Cloud based Approaches 7

Mobile is an untrusted environment SNIFFING Mobile phones are easy to steal / lose - 9 million mobile devices are lost annually Mobile phones have limited input capabilities - long or complicated passwords don t work Mobiles are designed as portable devices, so use with a second device (two factor) is painful Malware on mobile phones is rising fast; causing a drop in new computer-related malware SCREEN CAPTURE (preinstalled) service/daemon Root access allowing modifications SIDE CHANNEL ATTACKS Device front camera Device orientation and acceleration data Device microphone Combination of side channels MODIFIED PAYMENT APP FROM APPSTORES But users tend not to worry about malware on mobile phones, and have limited options to deal effectively with it. PHISHING TAPJACKING Invisible overlay Transparent pop ups Fake PIN pad 8

Mobile Payment Application - SE based Mobile equivalent of the payment application that runs in the chip on a contact or contactless chip payment card. Different options for SE (Visa Compliant): Protect keys that generate the Transaction Authentication credential used during the payment Payment App Allows consumer to select card, wave and pay Account Data Physically hosted on a secure chip embedded in the device NFC Controller Transmits payment information to the terminal Contactless Payment Terminal 9

Mobile Payment Application - Sticker Non-integrated mobile equivalent of the payment application that runs in the chip on a contact or contactless chip payment card Self-adhesive Tags, can be attached conveniently to any mobile device Help habituate consumers towards making mobile payments Can be combined with a companion app to provide a near-nfc experience Contain an embedded chip and antenna 10

Mobile Payment Application Cloud Based approach for contactless payment using NFC HCE In the cloud equivalent of the payment application that runs in the chip on a contact or contactless chip payment card. Cannot store long term Keys in mobile app/os so need a different approach to Transaction Authentication: Limited use Transaction Authentication credentials (Time or Domain). The Secure Server performs core functions that provision and manage consumer accounts and transaction authentication credentials according to predefined preferences The mobile application provides an interface to the user. Messages as securely exchanged between the Secure Server and the mobile application Enforce use of dynamic data / keys (account parameters) and limited validity (time to live, maximum number of transactions) Account Data Hosted in the cloud on a secure server Payment Application Allows consumer to select card, wave and pay NFC Controller Transmits payment information to the terminal Reduced integration effort and cost Reduced numbers of actors Contactless Payment Terminal 11

In detail What has been done Enforcing security and Authentication Privacy 12

Enforcing Security and Authentication in an untrusted environment? Multiple layers of security protect Visa mobile payments: Array of security methods used within Mobile device Advanced security technology to uniquely identify each contactless transaction against counterfeit fraud Real time analysis of transaction by processing network against potential fraud As we evolve to Cloud Based Payment: Shift of security from the front-end (mobile) to the back end (secure server) Increase use of Fraud detecting / behavioral engines Evolution in Cardholder verifications methods Limitation in time and domain of Data and Keys Risk Based authentication and Defence in layer 13

Privacy Privacy by design All product development ensure that careful consideration is given to consumer privacy Clear analysis of risks is carried How to mitigate risk? What is the residual risk? Is it acceptable? Continuous enhancements during lifecycle of the product Active participation to Privacy Impact Assessment (RFID mandate) Driving the industry effort on single European template for the financial sector Tokenisation Introduce yet another layer of privacy by replacing a consumer PAN by a surrogate token, making it form factor specific, channel specific and/or merchant specific 14

What next? 15

As we evolve to the next generation of Mobile payment Simplifying and cutting cost of integration We can expect emergence of new technologies and methods to carry out mobile payment We should be agnostic to those rails and support innovation We can expect increased Malware We should reinforce Consumer education and information on the risks associated with the use of mobiles and how to protect themselves Rooting / jailbreak phone App Downloading from untrusted sources We should have stronger rules in place on OS and App stores to ensure App store verification of App codes and origin of the application Intrusion detection by OS or security application We should enforce best practices for application developer Clearer messaging of permissions requested by given application Reduce set of permissions to only the necessary ones 16

Thank you 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback