EMVCo: Global Specifications for Secure Mobile Transactions Brian Byrne, Director of Operations, EMVCo 8 October 2015

Page 1

EMVCo: Global Specifications for Secure Mobile Transactions

Brian Byrne, Director of Operations, EMVCo

8 October 2015

Page 2

Copyright ©2015 EMVCo

Agenda

• Introduction to EMVCo

• NFC Related Initiatives

  – Payment Tokenisation

  – Level 1 Handset Approval

  – Software Based Mobile Payments

• Industry Engagement

Page 3

Introduction to EMVCo

Page 4

EMVCo’s Mission

To facilitate the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes.

Page 5

Scope

• EMV Contact Chip Spec

• EMV Chip Terminal Type Approval Process

• Interoperability Management

• CCD / CPA EMV Chip Specs

• EMV Chip Security Evaluation & Card Type Approval

• Contactless & Mobile

• Next Generation

• Terminal mPOS, Security & Integration Task Forces

• Tokenisation

• 3D-Secure 2.0

• Next…

Page 6

Roles of EMVCo and Payment Systems

EMVCo:

• Manage and evolve EMV Specifications

• Perform product testing & certification

• Enhance payment security

• Support emerging payment technologies

Global, Regional and Domestic Payment Systems:

• Product development

• EMV mandates

• Commercial incentives

• Fraud liability shift policy

Page 7

Payment Tokenisation

Page 8

Overview of EMV Payment Tokens

EMV payment tokens further enhance security of digital payments and simplify purchase experience when shopping on mobile, computers or other smart devices.

• Replaces a traditional card account number with a unique payment token

• Restricts the use of a payment token by device, merchant, transaction type or channel

Fraudulent activity reduced because:

• Payment token is limited to a specific acceptance domain

• Payment token can be unlinked from card account number as required

• Card account numbers are less available for compromise

Page 9

One Example of the Payment Tokenisation Process

(Flow diagram; only its labels survive.) Participants: Cardholder, Mobile/Digital Wallet, Merchant, Acquirer, Payment Network with the Token Service Provider and its Token Vault, Issuer.

• Cardholder: Mobile/Digital Wallet Interaction

• Merchant → Acquirer, Authorisation Request: Token, Token Exp. Date

• Acquirer → Payment Network, Authorisation Request: Token, Token Exp. Date

• Token Service Provider (Token Vault): De-Tokenise

• Payment Network → Issuer, Authorisation Request: PAN, PAN Exp. Date, Token + Token Exp. Date

• Issuer → Payment Network → Acquirer → Merchant, Authorisation Response: Token

Page 10

Focus of EMVCo’s Payment Tokenisation Activity

Key elements of the new specification include:

• New data fields to provide richer information about the transaction

• Consistent approach to identify and verify a consumer before generating the token

The EMV Specification will:

• Ensure broad-based acceptance of a token as replacement for a card account number

• Enable participants in the existing ecosystem to route and authenticate a payment token

• Improve payment card security with tokens that are limited for use in specific environments

• Requirements for Token domain restriction controls to prevent token misuse
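As an added illustration of pages 8 to 10 (this is not EMVCo's code nor any Token Service Provider's implementation), a Python model of the de-tokenise step with domain restriction controls: the acquirer-side request carries the token and token expiry date, the vault releases PAN and PAN expiry date only when the acceptance context matches the token's domain, and unlinking a token leaves the PAN untouched. The vault class, the domain attributes and every sample value are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class TokenDomain:
    # Acceptance domain the token is restricted to; None = not restricted on that attribute
    device_id: Optional[str] = None
    merchant_id: Optional[str] = None
    channel: Optional[str] = None  # e.g. "NFC" (proximity) or "ECOM" (remote)

@dataclass
class TokenRecord:
    pan: str
    pan_exp: date
    token_exp: date
    domain: TokenDomain
    active: bool = True  # False once the token has been unlinked from the PAN

class TokenVault:  # constructed stand-in for a Token Service Provider's vault (hypothetical API)
    def __init__(self) -> None:
        self._records = {}  # token -> TokenRecord
    def tokenise(self, token: str, pan: str, pan_exp: date,
                 token_exp: date, domain: TokenDomain) -> None:
        self._records[token] = TokenRecord(pan, pan_exp, token_exp, domain)
    def unlink(self, token: str) -> None:
        self._records[token].active = False  # PAN and any other tokens stay usable
    def detokenise(self, req: dict) -> dict:
        # Acquirer request: token + token exp. date + context; issuer request: PAN + PAN exp. date + token
        rec = self._records.get(req["token"])
        if rec is None or not rec.active:
            return {"ok": False, "reason": "unknown or unlinked token"}
        if req["token_exp"] != rec.token_exp or req["date"] > rec.token_exp:
            return {"ok": False, "reason": "token expiry mismatch or expired"}
        for attr in ("device_id", "merchant_id", "channel"):  # domain restriction controls
            expected = getattr(rec.domain, attr)
            if expected is not None and req.get(attr) != expected:
                return {"ok": False, "reason": "outside token domain: " + attr}
        return {"ok": True, "pan": rec.pan, "pan_exp": rec.pan_exp,
                "token": req["token"], "token_exp": rec.token_exp}

def run_example() -> list:  # constructed sample: an NFC token bound to one device, later unlinked
    vault = TokenVault()
    vault.tokenise("TOKEN-A1", "5555000000000001", date(2018, 12, 31),
                   date(2017, 6, 30), TokenDomain(device_id="DEV-42", channel="NFC"))
    base = {"token": "TOKEN-A1", "token_exp": date(2017, 6, 30), "date": date(2015, 10, 8),
            "device_id": "DEV-42", "merchant_id": "M-1", "channel": "NFC"}
    results = [vault.detokenise(base), vault.detokenise(dict(base, channel="ECOM"))]
    vault.unlink("TOKEN-A1")
    return results + [vault.detokenise(base)]
```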

Page 11

Examples of Token Activity

Broad proliferation of models (remote and proximity) has accelerated token usage:

• Card-on-File Merchant: Merchant uses tokens in lieu of PANs in card-on-file database

• Digital Wallet: Branded Digital Wallet presents “Pay with Wallet” in front of card-on-file

• QR and Bar Code: QR or Bar Code supplier put a “bar-code” in front of card-on-file

• NFC: Tokens in NFC device

• EMV Chip: Tokens in EMV chip device

Page 12

EMVCo Payment Tokenisation Roadmap

2015 Goals (Q1-3 2015): TSP registration & listing programme management:

• List and registration process to be made available on the EMVCo website

• Ongoing work with PCI SSC for investigation of industry standard TSP security requirements

2015 - 2016: Payment Tokenisation Specification – Technical Framework Updates:

• Clarifications – including more clarity on assurance levels and aggregator concept

• Payment account reference (PAR)

• Expanded token use cases – transit, EMV chip card offline, 3rd party TSP, ATM, split shipment, receipt-less returns.

2015 - 2016: Ongoing industry engagement:

• Regional payments bodies

• Global standards bodies

• Merchants, processors, issuers, acquirers

• Payment innovators and others

2015 Goals: Tokenisation Engagement Opportunities:

• Oct 15: Seminar | Barcelona, Spain

• Nov 3: Seminar | Jakarta, Indonesia

• Nov 4: Webinar in conjunction with SCA

Page 13

Handset Approval

Page 14

Mobile Payment Products Level 1 - Test Coverage

Mobile Payment Products: NFC Controller; Host CPU (SoC) / HCE; UICC; eSE

EMVCo test coverage:

Phase 1

- Analogue and Digital

Phase 2

- Performance - Impact of the mobile device on the transaction duration

- Interoperability - Compatibility with terminals in the field

- Validation is a subset of interoperability (terminals and positions)

Page 15

Mobile Payment Products Level 1 - Test Coverage

• The purpose is to permit product providers to submit their products to a single type approval process.

EMVCo Phase 1: Mobile with eSE or UICC

• TA for Mobile with UICC; TA for Mobile with eSE

• TAS for Mobile with UICC; TAS for Mobile with eSE

• 1 TAS for each EE in the Mobile Product

• 1 certification for each Payment System (Certified by Payment System 1, Certified by Payment System 2, Certified by Payment System 3)

EMVCo Phase 2: Mobile with eSE, UICC and HCE

• TA for Mobile with UICC, eSE & HCE

• LOA for Mobile with UICC, eSE & HCE

• One single certification by EMVCo (Certified by EMVCo)

Page 16

Software Based Mobile Payments

Page 17

Software-based Mobile Payments: What is it?

• Payment transactions where the consumer device is a connected mobile device such as a mobile phone and the card credentials are stored in an application located in the Rich Execution Environment (REE) or in the Trusted Execution Environment (TEE) of the device.

– Does not involve any Secure Element (SE) in the device.

• The card credentials in such an application are referred to as a 'Software Card'.

Page 18

Software-based Mobile Payments: Use Cases

• 2 main use cases for Mobile Transactions:

– Contactless Payment, using Host Card Emulation (HCE)

– Remote Payment

• Assumption: for contactless payment, the interface towards the merchant is not impacted by Software-based Mobile Payments

• EMVCo’s initial focus is the Contactless Payment use case

Page 19

Software-based Mobile Payments: Why?

• Host Card Emulation now enabled on many devices

– Available from Android version 4.4 (KitKat), and endorsed by many OEMs

– Easy deployment on mobile devices

• Deployment fully under the control of the Mobile Payment Application Provider, independently from the mobile device OEM and MNO

• User downloads application from Application Store

• All-in-one application (Card Emulation + User Interface)

Page 20

Software-based Mobile Payments: Constraints

• REE and TEE represent a different risk model (compared to SE). Therefore Software-based Mobile Applications must employ risk mitigation techniques:

– Make credentials in mobile application unattractive to attackers

  • Tokenization of the associated physical PAN

  • No storage of highly sensitive assets – only limited value credentials are present (e.g. short-lived data)

  • Best effort to sandbox and obfuscate credentials (e.g. whitebox encryption)

– Increase use of authorisation system and back-end processing capabilities

  • Online-only transactions

  • Strong fraud monitoring (e.g. duplicate transactions)

  • Possibility of instant disablement
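An added example of the back-end half of these constraints (written for this page; not EMVCo's, an issuer's or any wallet's code): the issuer host provisions short-lived, limited-use keys to a software card, processes only online transactions, declines a replayed transaction counter as a duplicate, and can disable the card instantly. The cryptogram scheme, key lifetimes, counter handling and all sample values are constructed and are not an EMV specification.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class LimitedUseKey:
    secret: bytes
    expires: int     # Unix time; short-lived, so a stolen key is soon worthless
    uses_left: int   # limited value: only a few transactions per key

@dataclass
class SoftwareCard:
    keys: dict = field(default_factory=dict)  # key_id -> LimitedUseKey
    seen: set = field(default_factory=set)    # (key_id, atc) pairs already authorised
    disabled: bool = False

def cryptogram(secret: bytes, atc: int, amount: int) -> str:
    # Constructed scheme: MAC over the app's transaction counter (atc) and amount
    msg = atc.to_bytes(4, "big") + amount.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class IssuerHost:  # constructed issuer back-end for online-only software cards (hypothetical API)
    def __init__(self) -> None:
        self.cards = {}  # token -> SoftwareCard
    def provision(self, token: str, key_id: str, now: int,
                  ttl_s: int = 86400, max_uses: int = 3) -> bytes:
        card = self.cards.setdefault(token, SoftwareCard())
        secret = secrets.token_bytes(16)
        card.keys[key_id] = LimitedUseKey(secret, now + ttl_s, max_uses)
        return secret  # delivered by the provisioning protocol; never the PAN or a card master key
    def disable(self, token: str) -> None:
        self.cards[token].disabled = True  # instant disablement: next transaction is declined
    def authorise(self, token: str, key_id: str, atc: int, amount: int,
                  crypt: str, now: int) -> tuple:
        card = self.cards.get(token)
        if card is None or card.disabled:
            return False, "software card disabled or unknown"
        key = card.keys.get(key_id)
        if key is None or now > key.expires or key.uses_left <= 0:
            return False, "limited-use key expired or exhausted"
        if not hmac.compare_digest(crypt, cryptogram(key.secret, atc, amount)):
            return False, "cryptogram mismatch"
        if (key_id, atc) in card.seen:  # fraud monitoring: same counter presented twice
            return False, "duplicate transaction"
        card.seen.add((key_id, atc))
        key.uses_left -= 1
        return True, "approved"
```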

Page 21

Possible Areas for EMVCo Standardisation

• Security Requirements of Mobile Payment Application:

– Objective: protect the payment credentials inside the Mobile Payment Application (both in use and in idle state)

  • Offer confidence to Issuers when they deploy Software Cards in a third-party application

• Security Requirements of the provision protocol:

– Objectives:

  • Protect the payment credentials when they are sent to the mobile payment application

  • Ensure credentials are delivered to a duly authenticated mobile application

• Status:

  • EMVCo initial evaluation of possible Security Requirements/Guidelines. Coordinating efforts with PCI SSC and Global Platform.

Page 22

Industry Engagement

Page 23

Engagement with Global Organisations

• PCI SSC: Data Security

• GSMA: Mobile Applications

• NFC Forum: Contactless

• GlobalPlatform: Multi-Application Secure Platform

• EMVCo: Security, Interoperability and Emerging Payments

Page 24

Engagement with Key Industry Stakeholders

Objective – Engage with regional and national bodies as needed to support the continued migration to EMV technology

EMVCo: Security, Interoperability and Emerging Payments

Other bodies. Examples include: (logos of the example bodies are not reproduced in this transcript)

Page 25

EAP Connects EMVCo to Industry Leaders

Benefits:

• Access: Engage and connect with EMVCo’s Executive Committee, Board of Managers and Working Groups

• Insight: Learn more about EMVCo’s work programme, including future initiatives

• Influence: Contribute to the future evolution of the EMV Specifications by sharing expertise, experience and requirements

• Foresight: Receive advanced updates on EMV Specifications and technical amendments

Page 26

Thank You! For more information visit www.emvco.com or join us on LinkedIn