Mobile Payment @ the POS - PowerPoint PPT Presentation

Slides: 36
Provided by: frba9
Learn more at: https://frbatlanta.org

Transcript and Presenter's Notes



1
Technology in Retail Payment Innovations
  • Mobile Payment @ the POS
  • Jack Jania
  • SVP Gemalto
  • Jack.Jania@gemalto.com
  • October 2012

2
Agenda
  • The changing POS payment environment
  • Mag-Stripe, EMV, NFC.
  • NFC - TSM ecosystem
  • NFC Payment examples
  • Conclusion

3
Every few decades, an industry gets hit by a tsunami of changes
U.S. Payments Industry
  • 2011 Key Changes
  • Isis announcement
  • EMV Liability Shift
  • Durbin Amendment

REGIONAL NETWORKS
EMV Durbin Mobile
GLOBAL NETWORKS
4
The associations have a technology solution ready today
VSDC
MChip
D-Pas
AEIPS
WLEMV
EMV 4.3 Compliant Apps
5
Agenda
  • The changing POS payment environment
  • Mag-Stripe, EMV, NFC.
  • NFC - TSM ecosystem
  • NFC Payment examples
  • Conclusion

6
Mag-stripe transaction
  • Mag-stripe data is read by the POS
  • The data is STATIC: identical for each transaction
  • CVC/CVV is the encryption of (PAN, Expiry date,
    Service Code) using a key specific to that card.
    This key can be retrieved by the issuer
    authorization system.

7
Magstripe transaction
  • The POS computes the authorization request and
    sends it to the issuer authorization system

8
Magstripe transaction
  • The authorization system performs risk management
  • It also checks the validity of the CVC/CVV by recalculating it using:
      • the (PAN, Expiry date, Service code) transmitted in the authorization request
      • the secret key associated to that card
  • If the CVC/CVV is validated, the card is
    considered genuine

9
Magstripe transaction
Authorization Response: Approved / Declined
  • The authorization response is sent back to the
    POS.

10
Mag-stripe transactions
  • Mag-stripe cards are easy to clone
  • Card authentication is based on STATIC data
  • → Cloned cards will be considered authentic, since they carry the same data as real cards

11
EMV Contact & Contactless Cards
Mag-stripe on the back
Contactless Antenna inside
EMV Chip
12
Mag-Stripe vs EMV transactional data
  • B5268xxxxxxxxxxxxSmith/John11012011660400000000
    0000000000000?
  • 5268xxxxxxxxxxxx11012011660400000000?

13
EMV chip transaction - Online
  • Transaction initiation: POS and card exchange data
      • Track 2 equivalent data
      • Card settings and capabilities
      • Transaction data (amount, currency, date, etc.)

14
EMV chip transaction Online
  • Card generates an Authorization ReQuest
    Cryptogram (ARQC).
  • ARQC is the encryption of card and terminal data
    using a secret key specific to that card. This
    key can be retrieved by the issuer authorization
    system.
  • ARQC is a DYNAMIC cryptogram: it is different for each transaction

15
EMV chip transaction
  • ATC is a transaction counter
  • It is incremented for each transaction
  • → The card will never generate the same ARQC value twice

[Diagram: ATC, Amount, Currency, Date → ARQC]
16
EMV contact transaction Online
  • Authorization request is sent to the issuer
    authorization system
  • Same data as a mag-stripe transaction
  • Additional EMV data

17
EMV contact transaction Online
  • The authorization system performs risk management
  • It also checks the validity of the ARQC by recalculating it using:
      • the data transmitted in the authorization request
      • the secret key associated to that card
  • If the ARQC is validated, the card is considered genuine, and there is a guarantee that the transaction data has not been tampered with (amount, ...)

18
EMV contact transaction Online
  • Issuer host generates an authorization response
  • Response may include an Authorization ResPonse Cryptogram (ARPC) that authenticates the issuer and the issuer decision. The card may validate the ARPC before giving its final decision.

19
EMV contact transaction Online
  • Card authentication is based on DYNAMIC data
    (ARQC) generated by the card secret key
  • Card secret key cannot be retrieved from one card
    and duplicated onto another card
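
The contrast drawn across the mag-stripe and EMV slides above, as an added example that is not part of the original deck. HMAC-SHA256 stands in for the real CVC/CVV and ARQC algorithms, and the master key, card data, field layout and the issuer's ATC bookkeeping are constructed assumptions.

```python
import hashlib
import hmac

def card_key(master: bytes, pan: str) -> bytes:
    # Per-card key the issuer can re-derive from the PAN (HMAC stands in for the real derivation).
    return hmac.new(master, pan.encode(), hashlib.sha256).digest()

def static_cvv(key: bytes, pan: str, expiry: str, service_code: str) -> str:
    # Mag-stripe check value: depends only on data that never changes.
    mac = hmac.new(key, f"{pan}|{expiry}|{service_code}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def arqc(key: bytes, atc: int, amount: int, currency: str, date: str) -> str:
    # Dynamic cryptogram: covers the transaction counter and the transaction data.
    msg = f"{atc}|{amount}|{currency}|{date}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self, master: bytes):
        self.master = master
        self.last_atc = {}  # assumption: issuer remembers the highest ATC seen per card

    def check_magstripe(self, pan, expiry, service_code, cvv) -> bool:
        expected = static_cvv(card_key(self.master, pan), pan, expiry, service_code)
        return hmac.compare_digest(expected, cvv)

    def check_emv(self, pan, atc, amount, currency, date, cryptogram) -> bool:
        expected = arqc(card_key(self.master, pan), atc, amount, currency, date)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key or altered transaction data
        if atc <= self.last_atc.get(pan, -1):
            return False  # counter already used: a repeated request
        self.last_atc[pan] = atc
        return True

def demo() -> dict:
    issuer = Issuer(b"constructed-issuer-master-key")
    pan, expiry, sc = "5268000000000000", "1101", "201"  # constructed card data
    key = card_key(issuer.master, pan)  # in EMV this key never leaves the chip
    stripe = (pan, expiry, sc, static_cvv(key, pan, expiry, sc))
    txn = (pan, 7, 1250, "840", "121015")  # PAN, ATC, amount, currency, date
    crypto = arqc(key, *txn[1:])
    return {
        "stripe_original": issuer.check_magstripe(*stripe),
        "stripe_copy": issuer.check_magstripe(*stripe),  # same static bytes, same answer
        "emv_original": issuer.check_emv(*txn, crypto),
        "emv_repeat": issuer.check_emv(*txn, crypto),
        "emv_altered": issuer.check_emv(pan, 8, 9999, *txn[3:], arqc(key, 8, 1250, *txn[3:])),
    }
```

Calling `demo()` shows the issuer accepting identical static stripe data every time, while the same ARQC presented twice, or an ARQC computed over a different amount, is declined.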

20
Introduction to NFC
  • What is Near Field Communication?
  • Short range wireless (<4 cm), low speed (<424 kbits/sec)
  • User friendly and simple (no discovery, no pairing, just tap)
  • Passive capability (one of the devices can be unpowered)

NFC has 3 modes
1. Card Emulation: allows a mobile phone to simulate a physical contactless card
2. Reader/Writer: allows reading or writing information to or from a passive tag/poster
3. Peer-to-Peer: allows bidirectional communication between devices
21
Anatomy of an NFC Smart Phone
NFC phones contain special hardware. NFC hardware is supported by multiple cell phone manufacturers.
  • Secure Element: Stores sensitive data (like payment card information)
  • NFC Controller: Manages traffic and RF signals
  • NFC Antenna: Collects and transmits the RF
22
EMV contactless and NFC transactions Online
  • Contactless and NFC transactions offer the same
    level of security as contact transactions.
  • Contactless and NFC devices leave the field
    before the authorization response is received by
    the POS.
  • Issuer actions can be performed:
      • Card: during the next contact transaction
      • Mobile phone: using the OTA (over-the-air) channel

23
Agenda
  • The changing POS payment environment
  • Mag-Stripe, EMV, NFC.
  • NFC - TSM ecosystem
  • NFC Payment examples
  • Conclusion

24
NFC Ecosystem
Bank, Transport Operators, Merchants
SP TSM Services
MNO TSM

MNO OTA Platform
Mobile Wallet
Consulting
SE Applications
UICC eSEs
Contactless Infrastructure
NFC Phone
Micro SDs
25
Functional block flow diagram
Personalization System
Tower
Phone
SP TSM
SE/MNO TSM
Wallet (UI)
(Contactless Spec For Reader App)
NFC
SE
Reader
Data Prep
Virtual Card
POS Terminal
Card Mgmt. System
Merchant Acquirer
Cardholder/ Authorization
Transactional System
26
Bank and Wireless Operator TSM architecture
27
SP-TSM and MNO TSM: Roles and responsibilities
Payment TSM
SP global subscriber view
SP Security Domain management
SDSP
MNO TSM (Business Enabler)
MNO global subscriber view
Application provisioning and personalization
Lock & unlock
Global SE control
X
SE handset replacement
Notifications
012...012
Single entry point for any TSM
Post-perso (top-up, counter reset, ...)
Token management
End of life
28
Little bit more detail
Bank backend systems
Bank Mainframe / Account Management
NBE
Prepare and transfer mobile card input file
Gemalto Operation center
TSM Certified Zone
MNO TSM 1 (Business Enabler)
MNO 1 Backend System
Service Interface
Payment TSM
Mobile EMV DP

GP TSM Messaging or AFSCM API
Post-issuance event from CMS or SVA / Customer
Service / Internet
Mobile Customer Workflow Manager

Notification of post-issuance events from customer handset or MNO
MNO TSM 2 (Business Enabler)
MNO 2 Backend System
Authorization System
Key ceremony: Payment MKey exchange
Post-issuance events from back-end (OTA channel)
Key Management
OTP / Authentication System
Real time transmission of post-issuance event from customer handset (OTA channel)
One-off provisioning
Key ceremony: CAP / Auth. Key exchange
Recurrent flow
Alternatively supplied by 3rd party
Mobile EMV DP
Customer Handset
Controlling Authority
For GP2.2ASE only
29
Bank data is encrypted end-to-end during transport
SCP02 (for SD)
03.48 secure OTA
EMV Data
EMV Data
  • Confidential Card Content Management (CCCM of GP standards)
      • Guarantees the confidentiality of application code, commands and data exchanged OTA
  • Authorized Management
      • Levels for MNO and TSM SD separate in USIM
      • Enables a TSM to create a new SD, then download and personalize applications in total freedom

30
Agenda
  • The changing POS payment environment
  • Mag-Stripe, EMV, NFC.
  • NFC - TSM ecosystem
  • NFC Payment examples
  • Conclusion

31
ISIS mobile Card Payment Flow In-store
transaction
VISA MasterCard Amex Discover Network
Issuing bank
Merchant acquirer
2
1
3
Card Present Transaction
In-store POS (Merchant)
32
Google Wallet V2 In-store transaction
Google becomes Issuer & Merchant
VISA MasterCard Amex Discover Network
MasterCard Network
Linked Card Issuing bank
Merchant acquirer
Card Present Transaction
2
3
Card Not Present Transaction
5
4
ISSUER
MERCHANT
Google Cloud
In-store POS (Merchant)
Wallet ID
Bank CMS DB Wallet ID (Google VC MC) vs Linked
cards
Issuer Authorization Host
Merchant Acquirer Host
33
Conclusion
  • EMV infrastructure is much more secure than the
    existing mag-stripe card infrastructure.
  • NFC mobile payment leverages existing EMV POS
    methodology to enhance mobile payment security
  • Payment risk ownership will be predicated on the
    back office model adopted by the mobile provider
    Issuing bank

34
Technology in Retail Payment Innovations
  • Jack Jania
  • SVP Gemalto
  • Jack.Jania@gemalto.com
  • October 2012

35
Gemalto (NYXgto.pa) secures the lives of billions of people in payments, mobile, governments/military & corporations
  • 2.1 billion revenue 2011
  • Innovation
  • 14 R&D centers worldwide
  • 1,500 engineers
  • 107 inventions first filed in 2011
  • 1,200 patent families
  • Global footprint
  • 15 production centers
  • 28 personalization facilities
  • 74 sales & marketing offices
  • Experienced team
  • 10,000 employees
  • 100 nationalities
  • 43 countries

Regional revenue