Beyond EMV New channels for Authentication

1
Beyond EMVNew channels forAuthentication
Payment
2
WebSTIC USB key for Online Authentication

• Secured and convenient access for Home Banking

3
WebSTIC USB key for Online Authentication

• A secure convenient solution
• A USB key which contains a Flash controller
  module and a combined Smart Card
• The Flash memory part securely host a home
  banking dedicated browser which is launched at
  the key insertion
• The dedicated browser will connect only to the
  Home Banking Server with SSL connection
• The pages are accessed only after a PIN
  validation by the smart card which will send an
  OTP or sign a challenge to the server plus
• Its a 2 factors authentication solution
  Something you own (the key) , something you know
  (PIN) plus additional security (a dedicated
  browser linking only to the home banking server
  with SSL,)

4
WebSTIC for Online Authentication

• Step by Step

0 User is connected to Internet
1 User takes his key
User at Home
2 User plug the key
3 The Browser is launched from the secured area
of the Key
4 The Browser connect the Home Banking Server
with SSL using the adress stored in the
Smart Card
5 The Browser ask the Smart Card in the key for
authentication
6 PIN is requested by the Smart Card in the Key
7 If PIN is valid the user access home banking
pages
5
Features, details and options

• Access to the server
• The browser (stored in the flash memory) is
  automaticaly launched after key insertion
• Possible graphic customisation of the browser
• The browser can only access the pre-stored
  address (in the smart card) of the home banking
  web server and only via SSL.
• Virtual PINpad for PIN entry
• Authentication mechanisms
• All the authentication mechanisms are securely
  provided by the smart card
• Based on 3DES, MasterCard CAP, VISA DPA or any
  other mechanisms such as PKI
• Authentications mechanisms can be done in
  background (just PIN input is shown) or can be
  explicitly shown if details for a transaction
  signature must be visible to user.
• Specific pages
• Some Error pages (no Internet connection, page
  does not exist,) can be locals and stored in the
  key

6
Benefits

• Convenience for the cardholder
• Just a key
• Just a PIN
• Access directly and only to the home banking web
  site
• Portability with same interface security
• Tangible benefits for Issuers
• Customer convenience and confidence
• More security through direct access
• A branded a dedicated solution to access online
  services
• Less support to Cardholders for online banking
• Cost reductions from
• Reduced customer support, less branch visits and
  less fraud prevention investments
• More use of online services

7
MobileContactless PaymentThe SIMphonIC
FlyBuysolutions
8
Mobile Contactless a Wide Range of Applications
Peer2Peer Data exchange
Interactive Contactless Advertisement
9
Some definitions

• Contactless Payment
• Already in place or about to be launched with
  contactless payment cards or dual-interface
  (contact/contactless) cards
• Target cash replacement with maximum amount of
  25 and no PIN
• The model within the EMV zone should use offline
  payment (no call from the Point Of Sales to
  validate the payment during the transaction
  over night batch processing) with a limit in term
  of cumulated amount or number of transactions.
  Use of DDA (RSA based) capabilities of
  contactless smartcards for authentication between
  cards and POS.
• Secure Element
• The Secure Element or SE host the contactless
  applications
• For Payment applications it has to be a secured
  certified microprocessor
• The SE can be in the handset itself or in a
  removable component such as the SIM card
• NFC component
• In the mobile handset the NFC component is in
  charge of the communications
• Specific component linked to an antenna mounted
  or buried in the handset.
• Can send or receive data through the antenna
  following ISO 14443 standard
• Comunicate with the SE following a NFC protocole
  (SWP, S2C,)
• OTA Management
• Other The Air management of Payment applications
• Possibly OTA download of the application in a SE

10
2006-2007 a variety of technical solutions
SW
SW
Application processor
Application processor
SD or MMC
SD or CF card as the secured element of the NFC
Front End. SIM may control the Secure Element
SIM CENTRIC SOLUTION NFC Front end secured by
the SIM
Standalone Sticker.No link between the Sticker
and the phone
11
SIM CENTRIC solution

• SIM centric solutions the preferred ones
• SIM used as the Secure Element in the Mobile
  Handsets
• Mobile operators are the one paying to install
  the NFC technology in the handsets
• ? they need to keep somehow control over the
  contactless services in the mobile phones.
• Operators have the possibility to add value to
  their commercial offer with new, attractive and
  innovative services to their clients and, as an
  ultimate goal, to increase their ARPU.
• The SIM is the removable secure element of mobile
  phones
• The applications provisioning systems for SIMs
  are already in place and can be reused

12
One Vision Two implementations

• SIMphonIC FlyBuy
• The SIM based solutions for mobile NFC Payment
• Use standard NFC component for contactless
  communication (SWP, S2C,)
• The Secure element used to run and host critical
  applications (payment, transport, e-tickting) is
  the SIM card
• 2 Options
• One chip used for communication NFC Paymentg
• 2 components
• 1 for communication
• 1 dedicated to NFC Payment and other applications

Interface SW (STK or JAVA)
Application processor
13
Personalization process for contactless cards

• Contactless Payment Cards must follow
  standardized process
• Cards emitted for an issuer (MasterCard or Visa
  member) must be certified
• (Functional including Security certification)
• Manufacturing and personalisation sites must be
  audited and certified
• (Physical logical certifications)
• Personalisation require specific know-how and
  experience

How to Adapt this process and the associated
constraints for NFC Payment ?
14
Personalisation Solutions

• Loading of Payment applications without
  personalisation during the manufacturing phase of
  the SIM (card distribution following the SIM
  model)
• Secured Personalisation Other The Air of NFC
  Payment applications plus activation/de-activation
  services
• Or
• Full manufacturing personalisation of the SIM
  card as a Banking card (card supplied t
• only activation/de-activation of the
  pre-personalised payment application OTA

GSM network OTA perso
Personalisation upon request (by third party/end
user with operator validation)
Administration Monitoring
15
Thank you for Your AttentionQuestions
Comments?