September 17th, 2014 by Elma Jane

Host Card Emulation (HCE) offers virtual payment card issuers the promise of removing dependencies on secure element issuers such as mobile network operators (MNOs). HCE allows issuers to run the payment application in the operating system (OS) environment of the smartphone, so the issuing bank does not depend on a secure element issuer. This means lower barriers to entry and potentially a boost to the NFC ecosystem in general. The issuer will have to deal with the absence of a hardware secure element, since the OS environment itself cannot offer equivalent security. The issuer must therefore mitigate risk using software-based techniques. Considering that risk is the probability of an attack times the impact of an attack, mitigation measures will generally be geared towards minimizing one of those two factors.

To reduce the probability of an attack, various software-based methods are available. The most obvious one in this category is to move part of the hardware secure element’s functionality from the device to the cloud (thus creating a cloud-based secure element). This effectively means that valuable assets are not stored in the easily accessible device, but in the cloud. Secondly, user and hardware verification methods can be implemented. Finally, the mobile application itself can be secured with software-based technologies.

Should an attack occur, several approaches exist for mitigating the impact of such an attack. On an application level, it is straightforward to impose transaction constraints (allowing low value and/or a limited number of transactions per timeframe, geographical limitations). But the most characteristic risk mitigation method associated with HCE is to devalue the assets that are contained in the mobile app, that is, to tokenize such assets. Tokenization is based on replacing valuable assets with something that has no value to an attacker, and for which the relation to the valuable asset is established only in the cloud. Since the token itself has no value to the attacker, it may be stored in the mobile app. The principle of tokenization is leveraged in the cloud-based payments specifications which are (or will soon be) issued by the different card schemes such as Visa and MasterCard.

HCE gives the issuer complete autonomy in defining and implementing the payment application and required risk mitigations (of course within the boundaries set by the schemes). However, the hardware based security approach allowed for a strict separation between the issuance of the mobile payment application on one hand and the transactions performed with that application on the other hand. For the technology and operations related to the issuance, a bank had the option of outsourcing it to a third party (a Trusted Service Manager). From the payment transaction processing perspective, there would be negligible impact and it would practically be business as usual for the bank.

This is quite different for HCE-based approaches. As a consequence of tokenization, the issuance and transaction domains become entangled. The platform involved in generating the tokens, which constitute payment credentials and are therefore related to the issuance domain, is also involved in the transaction authorization.
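The sketch below is an added example, not code from the original post or from any card scheme's specification. It shows the tokenization and transaction constraints described above, and why the token platform ends up inside the authorization path: the same vault that issues the token must be consulted to authorize a payment. `TokenVault`, its limits and the test card number are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Hypothetical cloud-side service: issues tokens and takes part in authorization."""

    def __init__(self, max_amount_cents=2500, max_uses=3):
        self._tokens = {}  # token -> {"pan": ..., "uses_left": ...}
        self.max_amount_cents = max_amount_cents
        self.max_uses = max_uses

    def issue_token(self, pan):
        # Random digits, not derived from the PAN: the relation between
        # token and real card number exists only inside this vault.
        token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
        self._tokens[token] = {"pan": pan, "uses_left": self.max_uses}
        return token

    def authorize(self, token, amount_cents):
        entry = self._tokens.get(token)
        if entry is None:
            return (False, "unknown token")
        if amount_cents > self.max_amount_cents:
            return (False, "amount above low-value limit")
        if entry["uses_left"] <= 0:
            return (False, "token exhausted")
        entry["uses_left"] -= 1
        # Only at this point is the token mapped back to the PAN,
        # for the issuer's own authorization host.
        return (True, entry["pan"])

    def revoke(self, token):
        self._tokens.pop(token, None)


def demo():
    vault = TokenVault(max_amount_cents=2500, max_uses=2)
    pan = "4000001234567899"  # constructed test number, not a real card
    token = vault.issue_token(pan)       # all that the mobile app stores
    results = [
        vault.authorize(token, 1200),    # normal low-value payment
        vault.authorize(token, 9000),    # rejected: above the value limit
        vault.authorize(token, 500),     # second and last permitted use
        vault.authorize(token, 500),     # rejected: use count exhausted
    ]
    vault.revoke(token)                  # e.g. the device is reported stolen
    results.append(vault.authorize(token, 500))
    return token, results
```

A token copied from the device is bounded by the vault's limits and can be revoked without reissuing the card, which is the devaluation the post describes.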

HCE is offering autonomy to the banks because it brings independence of secure element issuers. But this comes at a cost, namely the full insourcing of all related technologies and systems. Outsourcing becomes less of an option, largely due to the entanglement of the issuance and transaction validation processes, as a result of tokenization.

 


December 20th, 2013 by Elma Jane

Third-party Cookies vs. Consumer Privacy

There are some interesting tools that consumers and businesses should be aware of. As consumers, we will likely see more opportunities to opt out of online activities that collect data about our behaviors. We could also see more tools that allow consumers to provide more accurate information.

The Drive to Personalize

Most every ecommerce merchant uses data to personalize shoppers’ experiences. Some common personalization tactics are:

Present upsell and cross-sell offers;

Retarget shoppers who have visited a store but did not make a purchase;

Segment and personalize merchandising offers in your online store;

Target emails at selected consumers who are more likely to buy a certain product.

Online merchants use first-party information from their own databases and cookies to track shopping behaviors. They also purchase third-party databases that help predict behavior and products that will appeal to a specific target shopper. Similar methods have been used with offline direct marketing for years. Online tools like third-party cookies (i.e., cookies left by a domain other than the one a user is visiting) and deep data mining have made the practice easier.

When used properly with ad networks and ecommerce personalization and recommendation engines, third-party databases increase conversion rates and average order values. They also increase customer loyalty by providing a better customer experience.

Data Collection

Most of the data is now collected with third-party cookies or other means that consumers have opted into, even if they did not necessarily think of it that way. Every time you agree to a license agreement, for example, it’s likely that you are agreeing to share your data in aggregate and anonymously with third parties. Most companies put that in their agreements to protect themselves in the future, regardless of whether they collect the data now.

If third-party cookies are eventually eliminated, there will likely be some type of replacement system that will provide similar functionality. In fact, there’s already a scarier method of tracking consumer behaviors: digital fingerprinting techniques that profile your computer.

This technique is virtually impossible to block, because other devices can see things like your operating system, browser type, fonts, screen size and depth, time zone, cookie settings, browser plugins, and HTTP header information. The good news is that the use of fingerprinting is relatively small, but some observers believe it will be a future alternative to third-party cookies.
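To see why clearing or blocking cookies does not affect this kind of tracking, and which attributes give a browser away, the added example below (not part of the original post) measures identifiability over a small constructed sample. The attribute names and visitor records are assumptions; no stored state on the device is an input to the fingerprint.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed sample of attributes a site can observe; not real visitor data.
COMMON = {"os": "Windows 7", "browser": "Chrome 31", "screen": "1366x768x24",
          "tz": "UTC-5", "cookies": True, "fonts": ["Arial", "Calibri"],
          "plugins": ["Flash"]}
VISITORS = [
    dict(COMMON),
    dict(COMMON),
    dict(COMMON, fonts=["Arial", "Calibri", "Comic Neue"]),
    dict(COMMON, os="Linux", browser="Firefox 26", tz="UTC+1",
         plugins=["Flash", "Java"]),
]

def fingerprint(attrs):
    """Hash the observed attributes; no cookie or stored state is involved."""
    canonical = {k: sorted(v) if isinstance(v, list) else v
                 for k, v in attrs.items()}
    blob = json.dumps(canonical, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()[:16]

def anonymity_sets(visitors):
    """For each visitor, how many visitors in the sample share the fingerprint."""
    counts = Counter(fingerprint(v) for v in visitors)
    return [counts[fingerprint(v)] for v in visitors]

def surprisal_bits(visitors, key):
    """Bits of identifying information revealed by each value of one attribute."""
    values = [json.dumps(v[key], sort_keys=True) for v in visitors]
    counts = Counter(values)
    return {val: -math.log2(n / len(values)) for val, n in counts.items()}

if __name__ == "__main__":
    # A set size of 1 means the visitor is unique in this sample.
    print(anonymity_sets(VISITORS))
    for key in ("tz", "fonts", "cookies"):
        print(key, surprisal_bits(VISITORS, key))
```

Rare values such as an unusual font list or time zone carry the most bits, so a browser that reports common, uniform values falls into a larger anonymity set.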

Tools for Consumers

Acxiom, one of the larger data providers, is now offering a tool at AboutTheData.com that allows consumers to see information that Acxiom has collected about them and actually correct it if they choose. The bad news is that you have to provide Acxiom with even more information than it already has to view the information it has on file. However, you can also choose to opt out of its databases.

You will need to create a login and answer a series of questions to verify your identity. Once that is done, you can review your data, which is broken into several categories.

You may be surprised by the amount of information Acxiom maintains. Realize that this is just one of many databases that have information about you that is used in online and offline applications.
