Open Bank Card Payments for...
Transcript of Open Bank Card Payments for...
Property of the Smart Card Alliance © 2011
Following a Standards Based Approach for Open Transit Payments Stephanie EL RHOMRI New Services Marketing Manager, FIME
Open Bank Card Payments for Transit A Smart Card Alliance Educational Institute Workshop
2011 Mobile and Transit Payments Summit Marriott City Center Hotel, Salt Lake City, UT ― February 15-18, 2011
Property of the Smart Card Alliance © 2011
Agenda
Overall picture The contactless specifications Native Card vs Open Platform Application specifications Technical challenges of a migration
Property of the Smart Card Alliance © 2011
Overall Picture Scope of all specifications
Property of the Smart Card Alliance © 2011
A complex environment
Felica
NFC
FOR
UM
ISO/IEC14443
CFM
S
Mifare
Property of the Smart Card Alliance © 2011
Smartcard specifications mapping
Physical RF Layer
Protocol Layer
OS
Application
Leve
l 1
Leve
l 2
ISO
/IEC
144
43 A
/B
EM
V c
tls
Global Platform
Mifa
re C
lass
ic
Mifa
re
Des
fire
Felic
a
Cal
ypso
VC
PS
MC
HIP
CFM
S
Exp
ress
Pay
ISO
/IEC
180
92
ISO
/IEC
144
43 A
ISO
/IEC
14
443
A
ISO/IEC 7816-4
Multos JavaCard
ISO/IEC 14443 A/B
Property of the Smart Card Alliance © 2011
The contactless specifications Scope of ISO/IEC14443, EMV Contactless, Mifare family, Felica From the physical layer to the security of the card
Property of the Smart Card Alliance © 2011
Smartcard specifications mapping
ISO/IEC 14443 – 1 physical characteristic
EMV ctls communication protocol
Mifare Classic
Mifare Desfire
ISO/IEC7816 – 4 Organization, security and commands for interchange
ISO/IEC 14443 – 2 RF power and signal interface
ISO/IEC 14443 – 3 Initialization and Anti-collision
ISO/IEC 14443 – 4 Transmission protocol
Type A Type A or Type B Type A Type A or Type B
ISO/IEC 15693- 1
ISO/IEC 15693- 2 Air Interface and
Initialization
ISO/IEC 15693 – 3 Anti-collision and
transmission protocol
Felic
a R
F Fe
lica
OS
Property of the Smart Card Alliance © 2011
Relation between current standards and NFC
ISO/IEC 21481 = ECMA 356 = NFC IP 2
NFC Forum
ISO/IEC18092 = ECMA 340 = NFC IP 1
ISO/IEC 14443 Type A
106 kbits/s
Felica 212,424 kbits/s
ISO/IEC 14443 Type B
106 kbits/s
ISO/IEC 15693
Property of the Smart Card Alliance © 2011
Features
Specs ISO/IEC 14443
EMVctls ISO/IEC 18092
Mifare Classic
Mifare Desfire
Felica
Version 2008 2.0.1 2004
Protocol Type A Type B
Type A Type B
Type A Felica
Type A Type A Felica
Command set
14443-3 14443-4
14443-3 Felica
14443-3 Mifare
14443-3 14443-4 Mifare
Felica
Security No No No Proprietary DES DES
Baudrate 106,212, 424,848
kbps
106 kbps 106, 212, 424 kps
106 kbps 106 kbps 212 kbps
Multi-app Yes Yes Yes Yes Yes Yes
Property of the Smart Card Alliance © 2011
Native card vs Open Platform From a card product to an application based solution
Property of the Smart Card Alliance © 2011
Native Platform
Native code = specific language for a silicon chip.
Code stored in ROM, can’t be modified.
Chip card with small E2PROM (2-4kb) without RSA coprocessor meets the minimum requirements of EMV
Property of the Smart Card Alliance © 2011
Javacard
Open Standard Define a virtual machine (JCVM) and an API Able to load and execute applications on a JCVM
Applications loaded in E2PROM Applications compatible from one card to another
Property of the Smart Card Alliance © 2011
Native vs Open Native card Open standard
Benefits Small memory Cost effective Fast execution time
Applications can be modified post-issuance Possibility to add applications Card vendors independent Fast prototype development
Drawbacks No application modification Can only support applications developed in native card and "hidden" in ROM Costly for security side Prototypes development uneasy (difficult??) Card vendor dependant
Memory required for JVM with associated API Computational speed limited (Byte code interpreted at runtime)
Property of the Smart Card Alliance © 2011
GlobalPlatform
Card specifications Current version 2.2 Amendments Configuration: UICC Configuration, Mapping Guidelines
Other specifications Device System
Property of the Smart Card Alliance © 2011
GP – one application for any business model
Co issuer with another PTA
Hosted by a Mobile Network Operator
Property of the Smart Card Alliance © 2011
GP – one interface for many form factors
Over-the-air
platform
SIM Card as SE
Same
scripts
eSE or SMC
as SE
Card
3rd Party
(optional)
Over-the-internet
platform Contactless
device
Contactless
device
Personalization
center
USB - SMC
device
Property of the Smart Card Alliance © 2011
Features Native Card Open OS GP Card
Card OS Proprietary Java Card - Multos Java Card - Multos or other
Back office Specific integration
Easy but not standardized
- Application loading - Application Personalization
Multi application
Difficult Supported - Separate management - Secure communication
Application Card vendor dependent
- Card vendor independent - Form factor independent
- Card vendor independent - Form factor independent
Property of the Smart Card Alliance © 2011
Application Specifications Focus on the Transportation Market Focus on the Payment Market
Property of the Smart Card Alliance © 2011
Calypso outlook
Suited to transport and mobility needs.
Fast, secure contactless transaction
Set of technical specifications Card and SAM Security Mechanism Data Model (recommendation) Terminal Applicative Software Security Management and Architecture
Standardized and multi-application solution
Physical RF or electrical Layer
Protocol Layer
OS
Application
ISO
/IEC
144
43 A
/B
ISO/IEC7816-4
Calypso Data model
ISO
/IEC
781
6 1
to 3
CEN EN 1545
Calypso Security Mechanism
Property of the Smart Card Alliance © 2011
Calypso Secure Transaction
Secure session Authentication of the card Authentication of the
terminal Authentication of all the
data exchanged Proof of card
modifications Ratification SAM
Property of the Smart Card Alliance © 2011
CFMS Application
Standard defined by APTA UTFS Aim:
Transit, Parking, Tolling, Colleges and Universities, Corporate
Interoperability, intermodality Accept multi-applicative supports
Contactless Fare Media System Standard From the card structure to the central system interface A common set of data objects Based on ISO/IEC 14443 and ISO/IEC 7816-4 Security Guidelines
Property of the Smart Card Alliance © 2011
CFMS Architecture
PICC
Regional Central System
Part II – Contactless Fare
Media Data Format and
Interface Standard
Part III – Regional Central System
Interface Standard
Par
t I –
Intro
duct
ion
and
Ove
rvie
w
Par
t IV
– S
yste
m S
ecur
ity P
lann
ing
and
Impl
emen
tatio
n G
uide
lines
Par
t V –
Com
plia
nce
Cer
tific
atio
n an
d Te
stin
g S
tand
ard
Card Interface Device
Concentrator
Agency Central System
Card Interface Device
Concentrator
Agency Central System
Property of the Smart Card Alliance © 2011
MasterCard
MasterCard® PayPass™ • Mag-stripe profile • M/Chip™ profile
New specification: M/Chip™ Advance • Fully integrates PayPass™ • Enhanced on-card risk management • Enhanced payment and related services • Integrated Data Storage supporting new third party schemes • Backwards compatibility with existing M/Chip™ platforms
MasterCard Proprietary Information
Property of the Smart Card Alliance © 2011
MasterCard
Data storage integrated in the payment application On-card data slots Data reading/writing integrated in transaction flow Data storage access over contact and contactless
interface Secure high speed on card data storage Write access control for stored data Skimming controls & replay prevention Handle separate data for different operators
MasterCard Proprietary Information
Property of the Smart Card Alliance © 2011
EMV Contactless Reader Specification
Combined terminal specification Contactless kernels approval process will be managed by EMVCo
Book A; Architecture and General Requirements Book B: Entry Point Book Cs:
Kernel Visa Kernel MasterCard Kernel American Express Kernel JCB
Book D: Contactless Communication Protocol
Property of the Smart Card Alliance © 2011
ISO TC204 WG8
ISO/PDTR 14806 Public transport requirements for the use of payment applications for fare media
Various use cases Requirements with or without Data Storage
Property of the Smart Card Alliance © 2011
Technical challenges of a migration Migration impact
Property of the Smart Card Alliance © 2011
Key questions
Key questions Comments Legacy infrastructure - EMV contactless compliance (L1)
- Payment brand compliance (L2) - Migration from proprietary solution - Terminal integration
Fare model Flat fare, distance based fare, season ticket
Commuters or occasional customers - Issuance of banks card with Data Storage functionality - Acceptance of card without the Data Storage functionality
Communication with the reader Real time or upload at the depot
Property of the Smart Card Alliance © 2011
Key questions
Key questions Comments Back office implementation Management of both transit and
payment functions Risk Accept the risk to lose the first fare Revenue inspection - Access to deny list
- Data Storage PCI DSS Merchant that deals with credit cards
Compliance requirements adapted according to the amount of transactions - Tokenization - Encryption - Key management
Property of the Smart Card Alliance © 2011
Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.org
Stephanie EL RHOMRI [email protected] www.fime.com