Ecosystem Scenarios for Cloud-based NFC Payments

Pardis Pourghomi and George Ghinea
School of Information Systems, Computing and Mathematics
Brunel University
London, UK
UB8 3PH
pardis.pourghomi@brunel.ac.uk
Introduction to NFC
• NFC is designed for short distance wireless communication
• NFC is complementary to Bluetooth and 802.11 with their
long distance capabilities
• Easy and simple connection method
• Enables the exchange of data between devices over the
distance of up to 20 centimetres
• Provides communication method to non-self powered
devices
pardis.pourghomi@brunel.ac.uk - Brunel
University, UK
Examples of using NFC enabled mobile phones
• Download music or video from a smart poster
• Exchange business cards, pay bus or train fares, parking
tickets, pay at kiosks, pay and purchase at Point of Sale
terminals
• Access controls in office, hotels, airports, print receipts to
printer
What is a Secure Element (SE)?
• SE is intended as an attack resistant microcontroller
• Combination of hardware, software, interfaces and
protocols embedded in a mobile handset that enable secure
storage
• Provides a secure area for the execution of the applications
and protection of the payment assets (i.e. payment keys,
application codes, payment data)
• Can also be involved in authentication process
What is a Secure Element (SE)?
• Operating system running on the SE must be able to install,
personalize and manage multiple applications
• The SE is essential in NFC transactions and
ownership/control of it may yield commercial or strategic
advantage
• SE types: Stickers, removable Secure Memory Card (SMC),
Universal Integrated Circuit Card (UICC), Embedded SE
(eSE)
NFC ecosystem players
• Consumer: the party that is considered the end user
in an NFC ecosystem.
• Merchant: the consumer's counterpart in a transaction.
• Secure Element issuer (SEI): the party that issues the
SE in an NFC ecosystem. It also controls the SE, deciding
how the storage of an SE should be used.
• Secure Element provider: the manufacturer of the SE.
It has a direct relationship with the SE issuer and the
service provider.
• Service Provider (SP): is the party that issues the
payment application and deploys data element to
consumer. SP is also responsible for managing the payment
application which is stored in SE.
NFC ecosystem players
• Mobile Network Operator (MNO): is responsible for
providing the GSM network for data transmission. In our
case, the MNO is the SE issuer (SE in the form of UICC).
• Trusted Service Manager (TSM): The role of TSM is to
integrate several SEs and SPs.
• Acquirer: The main role of the acquirer is handling
financial payments by clearing and settling transactions
through the financial institutions.
SE management
• SE management in a mobile multi-application environment
is very challenging
• SP and SE issuers have ‘n’ to ‘n’ active relationship
• Partners may have limited control over the service
environment
• Current card issuance models cannot support the dynamic
post issuance personalization process (lack of SP’s control
on SE)
Mobile wallet + Cloud computing
• Is there a need for cloud?
• Would NFC do the job on its own?
• There is a need for a clear, right go-to-market strategy for
mobile payments
• There is not much agreement in the minds of mobile wallet
stakeholders
• Which technology will finally get accepted by consumers and
merchants?
• PayPal, Telefonica/O2, and Best Buy have announced wallets
that are using cloud technology – “cloud wallets”
NFC wallet & Cloud wallet
NFC Wallet
• A chip is required – stored in the phone
• A mobile app is required – Logging
• Phone can be scanned on the POS
• Beneficial for busy environments e.g. train stations
• Improves the loyalty experience of clients
• Different apps can be integrated into a single app
Cloud Wallet
• A mobile app is required – Logging
• Client registers with the SP (cloud)
• Registered info is stored in an offline database
• Pre-paid account is required
• Required info (e.g. credit card details) is pulled out from
the database when client aims to make a payment
• Beneficial for merchants – no need to change their current
POS terminals
NFC Cloud Wallet model – Overview
1) Customer scans his NFC enabled phone on the POS to
make the payment
2) The payment application is downloaded into customer’s
mobile phone SE
3) The POS communicates with the cloud provider to check
whether the customer has enough credit
4) Cloud provider transfers the required information to the
POS
5) The merchant either authorizes the transaction or rejects
customer’s request
6) The merchant communicates with the cloud to update
customer’s balance
NFC Cloud Wallet model – General idea
Additional Security (optional)
• When the NFC enabled phone sends a request to the cloud
provider to get permission to make a payment (step 1), the
cloud provider sends an SMS requesting a PIN to identify
the user of the phone
• Customer sends the PIN back to the cloud provider as an
SMS – Verification
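The overview steps and the optional SMS PIN check, walked through as an added Python example (not from the original slides). Class and function names, the account records, amounts in minor currency units and the re-check at debit time are assumptions; step 2 (downloading the payment application into the SE) is not modelled.

```python
import hmac

# Constructed sample wallet records held by the cloud provider (hypothetical values).
ACCOUNTS = {"phone-A": {"balance": 5000, "pin": "4821"},
            "phone-B": {"balance": 300, "pin": "1177"}}

class CloudProvider:
    def __init__(self, accounts, require_pin=False):
        self.accounts = {k: dict(v) for k, v in accounts.items()}  # private copy
        self.require_pin = require_pin

    def verify_user(self, phone_id, sms_pin_reply):
        # Optional step: cloud asks for the PIN by SMS, customer answers by SMS.
        if not self.require_pin:
            return True
        expected = self.accounts[phone_id]["pin"]
        return sms_pin_reply is not None and hmac.compare_digest(
            expected.encode(), sms_pin_reply.encode())  # constant-time compare

    def credit_check(self, phone_id, amount):
        # Steps 3-4: POS asks, cloud answers whether the credit covers the amount.
        return self.accounts[phone_id]["balance"] >= amount

    def update_balance(self, phone_id, amount):
        # Step 6: re-check at debit time so two quick payments cannot overdraw.
        acct = self.accounts[phone_id]
        if acct["balance"] < amount:
            return None
        acct["balance"] -= amount
        return acct["balance"]

def pay(cloud, phone_id, amount, sms_pin_reply=None):
    """Walk steps 1 and 3-6 for one tap; returns (authorized, trace)."""
    trace = ["1 phone scanned on POS"]
    if phone_id not in cloud.accounts:
        return False, trace + ["reject: customer not registered with cloud"]
    if not cloud.verify_user(phone_id, sms_pin_reply):
        return False, trace + ["reject: SMS PIN verification failed"]
    trace.append("3 POS -> cloud: credit check")
    ok = cloud.credit_check(phone_id, amount)
    trace.append(f"4 cloud -> POS: sufficient={ok}")
    if not ok:
        return False, trace + ["5 merchant rejects request"]
    trace.append("5 merchant authorizes transaction")
    remaining = cloud.update_balance(phone_id, amount)
    if remaining is None:
        return False, trace + ["6 cloud refused balance update"]
    trace.append(f"6 merchant -> cloud: balance updated to {remaining}")
    return True, trace
```
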
Ecosystem scenarios: Direct Link between POS and MNO
Extension to NFC cloud wallet model
Assumptions:
• The SE is part of the SIM (UICC)
• The cloud is part of the MNO
• The MNO manages the SE/SIM
(GSM)
• Banks, etc. are linked with the MNO
• MNO is the only party which
manages confidential data stored in
the cloud
• More info: Pourghomi, P., Saeed, M., Q.,
and Ghinea, G. A Proposed NFC Payment
Application, In International Journal of
Advanced Computer Science and Applications
(IJACSA), volume 4, Number 8/2013, pages
173-181. The Science and Information
Organization Ltd, 2013.
Ecosystem scenarios: Unlinked POS and MNO
Assumptions:
• The main SE (virtual SE) is part of cloud – managed by
MNO
• A secure tamper resistant component is in mobile device
used for authentication (phone’s SE)
• The MNO manages the SE/SIM (UICC)
• Banks, etc. have connections with MNO
• Vendor trusts MNO
The virtual SE vs. phone’s SE
Virtual SE (stored in cloud):
Securely stores personal data such as debit and credit card
information, user identification number, loyalty program data,
payment applications, PINs and networking contacts
Phone’s SE:
Stores authentication data such as keys, certificates, protocols and
cryptographic mechanisms
Research challenges
• Integration of financial institution(s) with MNO
• Integration of cloud with MNO
• Design secure transaction protocols according to payment
scenarios
• Further exploration of cloud architecture (SP perspective)
Thank you for your attention!
Question time
Contact: pardis.pourghomi@brunel.ac.uk