September 17th, 2014 by Elma Jane
Host Card Emulation (HCE) offers virtual payment card issuers the promise of removing dependencies on secure element issuers such as mobile network operators (MNOs). HCE allows issuers to run the payment application in the operating system (OS) environment of the smart phone, so the issuing bank does not depend on a secure element issuer. This means lower barriers to entry and potentially a boost to the NFC ecosystem in general. The issuer will have to deal with the absence of a hardware secure element, since the OS environment itself cannot offer equivalent security. The issuer must mitigate risk using software based techniques, to reduce the risk of an attack. Considering that the risk is based on probability of an attack times the impact of an attack, mitigation measures will generally be geared towards minimizing either one of those.
To reduce the probability of an attack, various software based methods are available. The most obvious one in this category is to move part of the hardware secure element’s functionality from the device to the cloud (thus creating a cloud based secure element). This effectively means that valuable assets are not stored in the easily accessible device, but in the cloud. Secondly, user and hardware verification methods can be implemented. The mobile application itself can be secured with software based technologies.
Should an attack occur, several approaches exist for mitigating the Impact of such an attack. On an application level, it is straightforward to impose transaction constraints (allowing low value and/or a limited number of transactions per timeframe, geographical limitations). But the most characteristic risk mitigation method associated with HCE is to devaluate the assets that are contained by the mobile app, that is to tokenize such assets. Tokenization is based on replacing valuable assets with something that has no value to an attacker, and for which the relation to the valuable asset is established only in the cloud. Since the token itself has no value to the attacker it may be stored in the mobile app. The principle of tokenization is leveraged in the cloud based payments specifications which are (or will soon be) issued by the different card schemes such as Visa and MasterCard.
HCE gives the issuer complete autonomy in defining and implementing the payment application and required risk mitigations (of course within the boundaries set by the schemes). However, the hardware based security approach allowed for a strict separation between the issuance of the mobile payment application on one hand and the transactions performed with that application on the other hand. For the technology and operations related to the issuance, a bank had the option of outsourcing it to a third party (a Trusted Service Manager). From the payment transaction processing perspective, there would be negligible impact and it would practically be business as usual for the bank.
This is quite different for HCE-based approaches. As a consequence of tokenization, the issuance and transaction domains become entangled. The platform involved in generating the tokens, which constitute payment credentials and are therefore related to the issuance domain, is also involved in the transaction authorization.
HCE is offering autonomy to the banks because it brings independence of secure element issuers. But this comes at a cost, namely the full insourcing of all related technologies and systems. Outsourcing becomes less of an option, largely due to the entanglement of the issuance and transaction validation processes, as a result of tokenization.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Near Field Communication, Visa MasterCard American Express Tagged with: (MNOs), (OS), assets, bank, card, card issuers, cloud, cloud based payments, cloud based secure element, cloud-based, hardware secure element, Host Card Emulation (HCE), issuing bank, MasterCard, mobile, mobile app, mobile application, mobile network operators, mobile payment, mobile payment application, nfc, operating system, payment application, payment transaction, payments, platform, risk, secure element, smart phone, software, software based technologies, token, tokenization, transaction, virtual payment, visa
June 3rd, 2014 by Elma Jane
Apple announced new Touch ID API better known among the masses as fingerprint ID, which will allow app developers to use fingerprint authentication for mobile payments and other applications.
This means that in addition to protecting the mobile device itself, the technology can now be used also to secure individual applications on the device against unauthorized use. Customers could potentially use prints from different fingers to control different apps. For instance, right thumbprint for access to the device, left index finger for access to the mobile bank app within the device.
The new feature for third party software developers provides a logical progression for the removal of password protection across a range of applications, including payments.
Financial services providers who offer the convenience of a mobile application for their customers can now also offer said customers an additional layer of security for the information that application holds.
Posted in Credit Card Security, Mobile Payments, Smartphone Tagged with: app, Apple, bank, device, financial services, Financial services providers, fingerprint authentication, fingerprint ID, mobile, mobile application, mobile bank app, Mobile Payments, payments, Security, software, software developers, Touch ID API
April 22nd, 2014 by Elma Jane
Mobile Business App.
Customers should be able to easily find you wherever they are, from any device. Mobile presence is more or less essential for business success in today’s world, whether you just have a mobile-optimized website, or a full-scale dedicated mobile application for your business.
With smartphones and tablets, people have a computer in their pockets when they’re out and about are where people are engaging with content, so business want a mobile strategy.
The problem many businesses have with mobile strategy development is determining what is most effective, both in terms of reach and cost. Creating a mobile app isn’t the right path for every company, but if it’s something you’re considering, check the following questions before you invest.
Android, HTML5 or iOS?
No matter what platform you choose, it’s important not to take on too much too soon, regardless of your technical skill level. There are a lot of different solutions for app development. Keep it simple and work on it. Once you’ve made the decision to develop an app and figured out your end-goal for it, determine what platform you want to use. When businesses choose to create an app for only Android or iOS, they end up missing half the market, but building an app on both major platforms requires two different sets of technical skills. While an app creator can make it much easier to develop an app on multiple platforms, including Windows Phone and Blackberry, maintaining a multiplatform presence will end up costing you more. HTML5 Web-based apps may not be as visible as those in major platform app stores, but they are compatible on mobile browsers of any operating system, as well as desktop browsers.
Make an own app, or become part of an existing?
If you want to create your own native app, make sure you have a plan to continually update and work on it. Don’t underestimate the ongoing maintenance. Constantly engage with the app, and as you’re planning it in the first place, think about what you want to add over time.
Many businesses begin the app development process without considering the amount of time and money they will need to invest in the process. Becoming part of an existing app for example, a directory-type app that lists businesses in your industry can be an easier, less expensive way to claim your segment of the mobile market. The app creator can do the heavy technical work while also providing you with the opportunity to connect with its larger network of users.
What do you want to gain from your business app?
Is it to bring people into your store or to get them to visit your website? Many businesses waste a lot of resources because they think people will just come to their app. It’s trendy to say that you have a mobile app, but if your goal is just to have that mobile presence, you’ll create something that no one will ever see. Small businesses should set a clear goal to focus on before beginning app development. Having a mobile presence is more or less essential for business success in today’s world. Whether you just have a mobile-optimized website, or a full-scale dedicated mobile application for your business, your customers should be able to easily find you wherever they are, from any device.
Posted in Best Practices for Merchants, e-commerce & m-commerce, Financial Services, Mobile Payments, Mobile Point of Sale, Smartphone Tagged with: Android, android or ios, app, app development, blackberry, business, device, html5, iOS, mobile, mobile application, mobile browsers, mobile presence, mobile strategy, mobile-optimized website, multiplatform, pockets, Smartphones, tablets, web-based apps, windows phone