UL and the UL logo are trademarks of UL LLC © 2014

NFC based payment: how will it develop relative to upcoming alternative approaches?

Hong Kong | March 2014

About UL…

Be the best, and achieve meaningful size in all that we do

CertifyValidateTestInspectAuditAdvice & Educate

We

Safe productsSafe buildings

Safe workplacesSafe water, food & health

Safe, clean energy

Compliance

Security

About UL Transaction Security

Working towards a safer world by being the number one independent center in Transaction Security Technology

• Unrivalled expertise across industry domains• State-of-the-art services/products portfolio• Recognition in our local markets – Thought Leadership• Scalable offering

Service offering

UL supports worldwide many mCommerce initiatives with advisory services

Weve ISIS• “UL staff has been extremely valuable to

ISIS in supporting the testing and integration of our TSM.”

• “.. the UL team always considered any issues beyond just the technical aspects and looked at the wider commercial and customer implications, which was and is invaluable for us.”

• “The strategic workshops hosted by UL TS at the start of our project were crucial to create a common vision and helped us to speed up the project”

• “The effort from the UL team has been crucial for our project. Their competence, attitude and hard work have been inspiring for us all.”

Customer References

DNB & Telenor Mobiel Betalen Nederland

Agenda

Alternative approaches to NFC-based payments

Alternative to SE-based NFC implementation

Impact and Outlook

QR/Bar codes: remotely-based

Trigger redirects paymenttransaction to e-money transfer

Lifecycle management

E-Money Service

Merchant’s physical shop

Authentication and payment transaction (e-money transfer)

Internet

Internet

Bluetooth Low Energy: remotely-based

Trigger redirects paymenttransaction to e-money transfer

Lifecycle management

E-Money Service

Merchant’s physical shop

Authentication and payment transaction (e-money transfer)

Internet

Internet

BLE: How does it work?User experience perspective

Proximity marketing when consumer

passes nearby B&M store

Cashier submits

payment from the POS by

selecting customer from list of nearby checked-in customers

Consumer is checked in at

the store

As the consumer enters a micro-

region at the store, he receives

personalized deals or coupons

Cashier verifies identity of

consumer using visual inspection.

Customer chooses payment

scheme

Consumer approaches cash register to choose payment scheme and give verbal

approval for payment

The Beacon network at the store is aware that consumer is in the area and “checks him in”

after he approves so.

POS detects presence of

customer nearby. List of customers

nearby is re-sorted

The POS is equiped with a beacon as well

BLE: Business opportunities

Proximity marketing

Micro Location-based notification

Customized marketing

Specific directions

Indoor mapping

“Contactless payments”

BLE versus NFC

BLE and NFC are both short range wireless data transfer technologies, even though the range at which BLE operates is much longer.

Tens of meters compared to a few centimeters for NFC

• Between both technologies there are minor differences in power consumption

• Whereas NFC is focused on one-to-one data exchange, BLE allows for multiple simultaneous connections

• Both BLE and NFC utilize AES-128 bit data encryption and pairing modes

The principle underlying use for both technologies is different

“Traditional” NFC

Handset

Tag Handset Terminal

Read / Write mode

Peer 2 peer mode

Card emulationmode

Host CPU Secure Element

Sco

pe

SE-based NFC: proximity-based

SP-TSM

NFCLifecycle management

SEI-TSM

Merchant’s physical shop

High investments

Complex network

Immature business

arrangements

...

Low degree of standardisatio

n

High degree of collaboration

needed

Challenge for SE-based NFC Card Emulation: SEI ≠ SP

Physical cards:

SEI = SP

NFC Card emulation:

SEI ≠ SP

Perso bureau

Card vendor

BPOSupplycontract

SP

SP TSM SEI TSM

BPO BPO

Supplycontract

Card vendor

Supply contract

SP SEI

Android KitKat’s HCE promises to change that

Host-based Card Emulation

AID Routing Rule

Default Host

AID Y Secure Element

NFC Controlle

r

Host CPU

Android OS

Contactless

smartcard reader

Secure Elemen

t

Select AID “x”

Select AID “y”

Android device

Android has in-built security mechanisms (e.g. sandboxing). These may be over-ruled in case the device is rooted.

HCE takes place in environment that is not secure: the host

NFC Controll

er

Host CPU

Android OS

Contactless

smartcard reader

Secure Eleme

nt

Select AID “x”

Android device

Device rooting

HCE & Cloud solutions.

App 1

App 2

Wallet

Device Authentication. Key Management. Tokenization.

Token storage.

PCI requirements. Host physical and logical requirements.

HCE accelerates the NFC ecosystem

NFC Ecosystem is getting ready to scale up:• Device support• Consumers are used to access services

from mobile devices• Infrastructure is growing

With HCE SPs have the freedom to choose for the HW security or not

SE access discussions are however delaying development, while many

services do not require top-level security from day one

HCE impact on NFC ecosystem

Impact on Explanation

SPs • Are given an additional degree of freedom

App development• Enhancing the security of HCE applications• Existing wallet and payment apps to be updated

TSM• The role of (SP-)TSMs may change from the

personalization of an applet to the personalization of an HCE service.

SEI (& SEI TSM)• The role of the SEI is removed (or much lighter) for HCE

services

Example 1: HCE for open-loop high value payments

SP’s compromise point-of-view

Pro

• Convenience• Reduced costs• Less players +

no SE issuers

Con

• Decreased security

• High potential losses

• Certification unclear (yet)

Example 2: HCE for low value payments, closed loop systems, transit, access control

SP’s compromise point-of-view

Con

• Decreased security

• Low potential losses

• Compatibility

Pro

• Convenience• Reduced costs• Less players +

no SE issuers

Summary

• Alternatives approaches are available, all bring their own challenges.

• Cash and Physical cards are still the most commonly deployed

22

THANK YOU.