Smart card to the cloud for convenient, secured nfc payment

Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Smart Card to the Cloud for Convenient, Secured
NFC Payment
KONA I

Who We Are?
Sazzadur Rahaman
Software Engineer and Team Lead @ KONA SL
Image Source: http://the9gag.com/top-rated/4am-programmer-room-4440

Who We Are?
Md. Sanoar Hossain Khan
Senior Software Engineer and Development Project Manager
@ KONA SL

Outline
 Payment Systems in Action: A Bird’s Eye View
 Moving Smart Cards to the Cloud: The Era of HCE
 Birth of Kona Pay: A New Payment Platform in Town
 A journey with Kona Pay: Joy of Smashing Challenges
 Kona Pay into the Wild: From Korea to USA
 Q/A

Payment Systems in Action:
A Bird’s Eye View

acquirer
Payment System Overview
Payment Network Issuer
E Commerce POS
Merchant
Card Holder
Plastic Card
Mobile Phone

acquirer
Payment System Overview – Transaction Flow
Payment Network Issuer
E Commerce POS
Merchant
Card Holder
Plastic Card
Mobile Phone
1
3
2
4
5

Smart card
Magnetic Cards vs Smart Cards
Smart card components
Secure
IC
Chip
(SE)
Contactless Smart card
Secure
IC
Chip
(SE)
Magnetic Stripe Card
Open magnetic stripe
Service
applet
User
data
NFC
radio
User
data

Standard NFC Cards and Mobile-based Card
Same components in different form factor
Smart card
IC Chip
(SE)
Service
applet
User
data
SE
NFC
• SE Provider providing SEs (generally MNOs)
• Service Provider providing Services to the
consumers (generally Banks)
SWP
End-User
mobile
handset
Convenient than the other form factors

Need for Trusted Service Manager
o Manages Secure Element
o Arranges data exchange and business
relationships among stakeholders
o Generates Security Domains (SDs).
Manages Keys used in generating SDs.
Service Providers can safely and
independently manage their services.
o Makes service provisioning simpler.
Therefore achieves services activation
in a short period of time
Trusted
Service
Manager
SE
Provider
1
SP 1
SE
Provider
2
SE
Provider
3
SP 2
SP 3
Service
applet
User
data
Service
applet
User
data
Service
applet
User
data
Still the ecosystem is more complex than previous

Moving Smart Cards to the Cloud:
The Era of HCE

SE-less mobile card: Host Card Emulation
Concept of Host Card Emulation
Transaction processing before
HCE
Additional Option with HCE
With Google Android 4.4 and above, the NFC controller communicates with host OS first,
allowing it choose where to request applet and user data, and bypass the SE if required.
Service
applet
User
data
Secure
Element
Local storage
Internet
?

Security via Tokenization
Issuer (Bank)
Token ServerUser’s PAN, expiry date etc.
Token
Token
Vault
Token
Generator User
mobile
1. Static Parameters
2. Dynamic Parameters

Security via Tokenization
Token’s use during transactions
Issuer (Bank)
Token Server
User
mobile
User’s PAN, expiry date etc.
Token
Token
Vault
Token
Adapter
During a contactless payment transaction they travel through the POS to the Issuer system. The Issuer
sends the token to the Tokenization Server for checking, and upon getting confirmation that it is valid,
authorizes the transaction.
POS
Acquirer bank
Authorization
6
1
2 3
4
5

Different flavors (models) of HCE
Mobile Device
Mobile OS
HCE APIs
Service applet
(agent)
NFC Controller
User data
Model—1
• Applet in Cloud
• User data and keys
in Cloud
Model—2
• Applet in OS
• User data and keys
in OS
Model—3
• Applet in OS
• User data in Cloud
Model—4
• Applet in OS
• User data in Cloud
• Token downloaded
to OS
Model—5 (SE-biased)
• Applet in OS
• User data in SE
Mobile Device
Mobile OS
HCE APIs
Service
applet
(agent)
NFC Controller
User data
Mobile Device
Mobile OS
HCE APIs
Service applet
(agent)
NFC Controller
Mobile Device
Mobile OS
HCE APIs
Service
applet (agent)
NFC Controller
Token
Mobile Device
Mobile OS
HCE APIs
Service applet
(agent)
NFC Controller
SEUser
data
User
data
User data

Birth of Kona Pay:
A New Payment Platform in Town

Issuer / Bank
In-store payment
using plastic card Online payment
Plastic card issuance Tokenization
Mobile Card Issuance
In-store payment
using Mobile card In-App Payment
Multiple business and technical arrangements

Merchant: Online Fraud – Liability Shift
Fraud & Liability
• Potential Data Breech
 Phishing, Key logging, etc.
 Hacking Card on File (CoF)
 Transaction data modification or interception
• Key Liability towards Merchant
 Need to secure e-Store, CoF and Transaction
Online Shopping
• Manually enter Card info
 User inconvenient
• Store Card info in online account
 Merchant need to support Card on File (CoF)
• Online Transaction
 Mag-stripe transaction

User
• Lots of Credit
Card, ID Card,
Coupons, etc…
• Different credit
card, different
PIN.
• Input credit card
information manually
• Trust Merchants with
Credit Card Info
• Insecure online
transactions.
• Multiple vouchers,
coupons, gift cards,
etc.
• Need to carry those
around physically.
• Longer card delivery
time.
• Card cloning.
• Constantly check for
suspicious transactions, notify
the bank.
• Hassle to block the card and
get a new one, also the
reimbursement of the money
from bank.

Converging Factors
Single Payment Platform
ALL
Form Factors
ALL
Provisioning Modes
ALL
Payment Modes
ALL
Security Measures
 Plastic contact card
 Plastic contactless card
 N Card
 SE (UICC, mSD, eSE)
 Host card emulation
 Central mass perso
 Instant perso
 SE/HCE OTI or OTA
 SE/HCE (post) issuance
OTI/OTA
 In-store: plastic cards
 In-store: SE/HCE mobile
 In-app: SE/HCE mobile
 In-app/remote: plastic
contactless using NFC
 EMV
 Tokenized plastic card
 Whitebox crypto, LDE
 PKI
 FIDO, TEE (in roadmap)
* N Card is dual interface plastic card, supports both contact and contactless, can store multiple credit cards,
gift/loyalty/coupons, transport card, etc., can be (post) personalized using mobile wallet and used to make in-store as well
as in-app transaction using NFC between the card and mobile.
** Tokenized plastic card does not store the original PAN inside, rather an alternate PAN which generates cryptogram for
the issuer to verify.

Converging Factors
Single Wallet
N Card SE (UICC, mSD, eSE) Remote Payment HCE
• N Card is dual interface plastic card
• Supports both contact and contactless
• Can store multiple credit cards, gift/loyalty/coupons, transport
card, etc.,
• Post personalized using mobile wallet
• Supports in-store and in-app transaction using NFC between the
card and mobile.

Payment Network
Acquirer
User
POS
Remote Payment
Gateway
Mobile Application
TSM
Mobile Application Platform Cloud Platform
Voucher Issuance System Card Issuance System
Token Service Provider
Transaction Management System
Issuer CMS
Card
Components of Kona Pay
Service Manager

Personalization Flow
Issuer
Authorization
System
Service Manager
Card Issuance
System (Data
Prep)
Raw Data
Issuer
Perso Machine
• Plastic Cards
Card Issuance
System (Data
Perso)
P3 data

Issuer
Authorization
System
Service Manager
Card Issuance
System (Data
Prep)
Raw Data
Issuer
Perso Machine
Token
Service
Provider
Secure Server
Tokenized Plastic Cards
Card Issuance
System (Data
Perso)
P3 data

Mobile
Application
Issuer
Authorization
System
Cloud
Platform
Service Manager
MAP
Card Issuance
System (Data
Prep)
Raw DataP3 data
HCE
applet
Issuer
Mobile
Token
Service
Provider
Secure Server
Internet

Mobile
Application
TSM
Issuer
Authorization
System
SE
Cloud
Platform
Service Manager
Card Issuance
System (Data
Prep)
Raw DataP3 data
Issuer
Mobile
Token
Service
Provider
Secure Server
Mobile App
Platform

Mobile
Application
TSM
Issuer
Authorization
System
Cloud
Platform
Service Manager
MAP Card Issuance
System (Data
Prep)
Raw DataP3 data
Issuer
Dual Interface
Card
Mobile
Token
Service
Provider
Secure Server

Mobile
Application
TSM
Issuer
Authorization
System
SE
Cloud
Platform
Service Manager
MAP
Card Issuance
System (Data
Prep)
Raw DataP3 data
HCE
applet
Issuer
Dual Interface
Card
Mobile
Perso Machine
Token
Service
Provider
Secure Server
• Plastic Cards
• Tokenized Plastic Cards
Card Issuance
System (Data
Perso)
Internet
P3 data

Transaction Flow
Mobile
Application
TMS
Issuer
Authorization
System
SE
Service Manager Perso Machine
HCE
applet
Issuer
Dual Interface
Card
Mobile
POS
Transaction
update
Acquirer Payment
NetworkIn-store
purchases
POS
TSP
Cloud
Paltform
TSM
MAP
Card Issuance
System (Data
Prep)
Secure Server

Transaction Flow
Mobile
Application
TMS
Issuer
Authorization
System
SE
Service Manager Perso Machine
HCE
applet
Issuer
Dual Interface
Card
Mobile
Transaction
update
Acquirer Payment
Network
Remote
Payment
Gateway
In-app
purchases
TSP
Cloud
Paltform
TSM
MAP
Card Issuance
System (Data
Prep)
Secure Server

Issuer / Bank
N Card
• Soft card
• SE-based card
Single wallet
In-app and
online payment
Voucher
redemption
One platform supports all form-factors and channels
In-store
payment

Merchant: No Liability | No PCI-DSS | Higher Conversion
Merchant
TOKEN
No more Liability
• Card on File
 Does not store real PAN
 Only store Token (alternate PAN)
• Manual Entry
 No need to enter Card info manually
 Token will be used on entire ecosystem
• Transaction Security
 EMV transaction instead on Magstripe
 Highly secure – impossible to break
No more PCI-DSS
• Cost Saver
 Does not need Certification Issuance / Renewal
 Less administrative cost on Infrastructure
Higher Conversion
• User Experience
 Secured and hassle free Shopping
 Increase conversion rate

User
N Card
One PIN
Single wallet
Secure
transactions
Convenient voucher
redemption
Single click transaction

A journey with Kona Pay:
Joy of Smashing Challenges

Challenges - Development with the Spec Releases
Host Card Emulation is a relatively (in payment industry terms) recent idea. However the
major brands have rapidly endorsed and developed specifications to help vendors.
VCP-CS
o Compatible with EMV tokenization
spec
o Defined components of HCE eco-
system: for provisioning,
tokenization, verification, lifecycle
management etc.—with general
responsibilities
o Behavior guidance for application
in mobile. Compatible with VCPS
Q1 Q2 Q3 Q4
Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Android 4.4
mobile OS
platform
with HCE
support
VCP-CS (VISA
Cloud-based
Payments -
Contactless
Specifications)
1.0
EMV
Payment
Tokenizatio
n
Specificatio
n 1.0
VCP-CS 1.1
VCP-CS 1.2
MasterCard
Cloud-Based
Payments
Specification
1.0
Draft AmEx
specification
s
Cartes
2014
2014
EMV Tokenization Specifications
o PAN, expiry date, cardholder name,
cryptographic keys to be tokenized
o Tokens have similar format to
original data
o Token ranges different from original
PAN ranges etc.
o Different business models—
digitized card in mobile, card-on-file
online etc.
MasterCard CBP
o Compatible with EMV
tokenization spec
o Defined components of
HCE eco-system—with
specific responsibilities
and actions
o Defined specific behavior
for application in mobile
in detail.

Challenges - Development with the Spec Releases
• Had to adapt lots of changes within short time
– Had to try different business models to fit in
• Hard Deadline to stay ahead of the market competitors
• We had to forecast different behaviors for MasterCard CBPS Specs
– Sometimes it worked and sometimes it didn’t

Challenges We Faced
• Maintaining Effective Peer Code Review, under Serious Deadlines
• Automated Test Coverage
• Scrum Practice in Distributed Teams
• Testing while development
– Mocking the dependency
– Implement the skeleton first from top to bottom.

Challenges We Faced
• Effective Team Collaboration while doing, webservices
– Dependency Analysis before planning a sprint is very vital
Image Source: http://wonderfulengineering.com

People behind Kona Pay
• Total Developers: 22
• Total QAs: 7
• Scrum Teams: 5

Scrum Meeting

Lessons to make scrum successful

Technologies Used for Kona Pay
Mobile App
• Host Card
Emulation
• Smart Card Service
• PKI middleware
• White Box
Cryptography
• ActiveAndroid
• Dagger
• ButterKnife
• Retrofit
• Eventbus
Web Applicaton
• Spring Framework
• Spring MVC
• Spring Integration
• JPA
• Hibernate
• Jboss AS
Other Tools
• RabbitMQ (MQTT)
• HornetQ
• Memcached
• Infinspan
• OpenSSO
• ElasticSearch-
Logstash-Kibana
Database
• Oracle
• MySql

Technologies Used for Kona Pay
Testing
• Jbehave
• Gatling
• Jmeter
• Collis
Environment
• Eclipse
• Gradle
• Jrebel
• Git
• Jenkins
Review & Issue
Tracking
• reviewboard
• Redmine

Kona Pay into the Wild:
From Korea to The World

Kona Pay was Unveiled in South Korea for Korean Market

Kona Pay in Outside Korea
• Kona Pay is unveiled in Money20/20 2015 for US Market
• Kona Pay will be unveiled in Cartes-2015 for Europe Market

Q/A

Thanks

Smart card to the cloud for convenient, secured nfc payment

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (16)

Similaire à Smart card to the cloud for convenient, secured nfc payment

Similaire à Smart card to the cloud for convenient, secured nfc payment (20)

Dernier

Dernier (20)

Smart card to the cloud for convenient, secured nfc payment