Trusted mPOS - CARTES Asia

GlobalPlatform’s Value Proposition for
Mobile Point of Sale (mPOS)
Dongyan Wang
GlobalPlatform Technical Program Manager
Wednesday 19 March
GP Confidential
©2013
GlobalPlatform Members
Introducing GlobalPlatform Standards...
• With GlobalPlatform standards:
• Create once based on:
o Stable and interoperable application programming interfaces (APIs)
o Stable security requirement
• Deploy ‘everywhere’
GlobalPlatform Positioning
GlobalPlatform is the standard for managing applications on secure chip technology:
Trusted Execution Environment AND Secure Element
Across several market sectors and in converging sectors
[Figure: market sectors; surviving label: Premium Content]
Mobile as a Center of the New Service Deployment
Trusted Execution Environment
The trusted execution environment (TEE) provides a unique capability to ensure that a transaction:
• Is approved by the right end user
• Is on the right and trusted device
• Takes place between the application and cloud or back-end service
What is a TEE?
• TEE provides hardware-based isolation from rich operating systems (OS) such as Android
• TEE runs on the main device chipset and relies on hardware roots of trust (crypto keys and secure boot)
• TEE has privileged access to platform and device resources (user interface, memory controller, video / audio hardware, crypto accelerators, biometry…)
• Technology already massively deployed
• Premium content protection is currently a major use case
[Figure: TEE architecture. Rich OS Application Environment (open to malware and rooting / jailbreaking): Client Applications, GlobalPlatform TEE Client API, Rich OS. Trusted Execution Environment (isolation of sensitive assets): Trusted Applications (DRM, Payment, Corporate), GlobalPlatform TEE Internal API, Trusted Core Environment, Trusted Functions, TEE Kernel. Both run on the Hardware Platform, which includes HW Secure Resources.]
GlobalPlatform TEE Functions
Hardware-based TEE Functions = ToolBox
• Code and data isolation
• Secure cryptography
• Secure storage
• Secure clock
• Trusted user interface
• Secure element (SE) interface
• Administration scheme
Value for Secure App Providers includes
• Device authentication
• User authentication
• Protection of any sensitive software engine
• Digital signature and encryption
• Secure communication to server and / or SE
• Upgradable environment
Unique Feature for mPOS: Trusted User Interface (UI)
Message to be signed
▪ Transaction summary displayed by TEE
▪ Rich OS environment cannot tamper with the message
▪ The user signs exactly what s/he is seeing
Explicit Validation Means
▪ PIN / password entry → rich OS environment cannot have access to entered credential
Security Indicator
▪ Text or image
▪ ‘Sign-in seal concept’
▪ Information securely configured by the user and securely controlled by the TEE
▪ Prove to the user that the screen is TRUSTED by seeing this known information
→ Tools to build ‘what you see is what you sign’, anti-phishing and non-repudiation
Trusted mPOS (1/3)
• Near field communication (NFC) smartphone can be used as card reader
• A trusted channel is opened between the card and the mPOS
Trusted mPOS (2/3)
• When needed, the end user enters a PIN to confirm a contactless transaction
• A trusted application will use the trusted UI feature to protect the PIN from any rich OS application
Trusted mPOS (3/3)
• mPOS needs to be integrated with back and front office applications
• TEE protects the credential required to ensure a trusted channel is opened between the mPOS and the server
TEE Supports Value Added Services on mPOS
• Thanks to the GlobalPlatform open architecture supporting multiple applications, a smartphone with a qualified TEE is able to support different mPOS applications
– Such as mPOS APPs world, mobile, loyalty programs, actionable intelligence, cross-channel and in-store marketing programs.
• But also barcode scanning, LBS, eReceipts, coupons, QR codes, wallets, click & collect, geo-targeted mobile advertising and alternative in-store payments.
TEE Supports Multiple mPOS Models
• Thanks to the GlobalPlatform open architecture supporting multiple applications from multiple actors, a smartphone with a qualified TEE is able to support different POS
• TEE security certification offers a real insurance for the mPOS deployment
• TEE administration will provide a standard language to manage an mPOS application
– Load, install, delete
– Update
Support Different Use Cases
eCommerce
• mPOS installed in end-user smartphone
• End-user enters his PIN on his mobile
Commerce
• mPOS installed in merchant smartphone
• End-user enters his PIN on merchant mobile
Hybrid
• mPOS installed in merchant smartphone BUT
• End-user enters his PIN on his mobile
Summary
• Collaboration between TEE and card allows the best of both worlds
– High level security of smart cards/SEs and usability of smartphones
• The massive deployment of GlobalPlatform SE and TEE generates a standardized infrastructure for:
– Enhancing the usability and security of today’s services
– Deploying new payment services (peer-to-peer, remote payment)
• Compliance is needed to deploy a mobile service across different devices from different providers
• Security across different devices and suppliers is a must that is central to the GlobalPlatform technology
More @ www.globalplatform.org