Smart Card to the Cloud for Convenient, Secured NFC Payment

Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.

KONA I

Who We Are?

Sazzadur Rahaman, Software Engineer and Team Lead @ KONA SL

Md. Sanoar Hossain Khan, Senior Software Engineer and Development Project Manager @ KONA SL

Outline

• Payment Systems in Action: A Bird’s Eye View
• Moving Smart Cards to the Cloud: The Era of HCE
• Birth of Kona Pay: A New Payment Platform in Town
• A journey with Kona Pay: Joy of Smashing Challenges
• Kona Pay into the Wild: From Korea to USA
• Q/A

Payment Systems in Action: A Bird’s Eye View

Payment System Overview

[Diagram: Card Holder (Plastic Card, Mobile Phone), Merchant (E Commerce, POS), Acquirer, Payment Network, Issuer]

Payment System Overview – Transaction Flow

[Diagram: the same parties, with the transaction steps numbered 1 to 5]

Payment System Overview

[Diagram: the same parties, with part of the diagram marked "Out of the Scope"]

Magnetic Cards vs Smart Cards

[Diagram: Magnetic Stripe Card (open magnetic stripe, user data); Smart card (Secure IC Chip (SE)); Contactless Smart card (Secure IC Chip (SE), NFC radio). Smart card components: service applet, user data]

Standard NFC Cards and Mobile-based Card

Same components in different form factor

[Diagram: Smart card with IC Chip (SE), service applet and user data, next to an End-User mobile handset with SE, SWP and NFC]

• SE Provider providing SEs (generally MNOs)
• Service Provider providing Services to the consumers (generally Banks)

More convenient than the other form factors

Need for Trusted Service Manager

o Manages Secure Element
o Arranges data exchange and business relationships among stakeholders
o Generates Security Domains (SDs). Manages Keys used in generating SDs. Service Providers can safely and independently manage their services.
o Makes service provisioning simpler. Therefore achieves service activation in a short period of time

[Diagram: Trusted Service Manager between SE Provider 1, SE Provider 2, SE Provider 3 and SP 1, SP 2, SP 3, each SP with its own service applet and user data]

Still, the ecosystem is more complex than before

Moving Smart Cards to the Cloud: The Era of HCE

SE-less mobile card: Host Card Emulation

Concept of Host Card Emulation

With Google Android 4.4 and above, the NFC controller communicates with the host OS first, allowing it to choose where to request applet and user data, and to bypass the SE if required.

[Diagram: "Transaction processing before HCE" and "Additional Option with HCE"; labels: Service applet, User data, Secure Element, Local storage, Internet]

Security via Tokenization

[Diagram: Issuer (Bank) sends the user’s PAN, expiry date etc. to the Token Server (Token Generator, Token Vault); the Token goes to the User mobile. Labels: 1. Static Parameters, 2. Dynamic Parameters]

Security via Tokenization

Token’s use during transactions

During a contactless payment transaction, tokens travel through the POS to the Issuer system. The Issuer sends the token to the Tokenization Server for checking, and upon getting confirmation that it is valid, authorizes the transaction.

[Diagram: User mobile, POS, Acquirer bank, Issuer (Bank), Token Server (Token Adapter, Token Vault); labels: Token; User’s PAN, expiry date etc.; Authorization; steps numbered 1 to 6]
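The check described on this slide, where the Issuer hands the token to the token server and authorizes only on confirmation, as an added Python example (not Kona Pay code). `TokenVault`, `Issuer`, the `999999` token range and the balances are constructed for illustration; the token keeps the PAN's length and Luhn format but lives in its own range.

```python
import secrets

TOKEN_BIN = "999999"  # constructed token range, kept apart from real PAN ranges

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Token server: generates tokens and holds the token -> PAN mapping."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "expiry", "active"}

    def issue(self, pan: str, expiry: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails the Luhn check")
        while True:  # random body, same length and format as the PAN
            body = TOKEN_BIN + "".join(
                secrets.choice("0123456789") for _ in range(len(pan) - 7))
            token = body + luhn_check_digit(body)
            if token not in self._vault:
                break
        self._vault[token] = {"pan": pan, "expiry": expiry, "active": True}
        return token

    def suspend(self, token: str) -> None:
        if token in self._vault:
            self._vault[token]["active"] = False

    def check(self, token: str):
        """Return the PAN behind an active token, or None if it is not valid."""
        entry = self._vault.get(token)
        return entry["pan"] if entry and entry["active"] else None

class Issuer:
    def __init__(self, vault: TokenVault, balances: dict):
        self.vault = vault
        self.balances = balances  # PAN -> available amount in cents

    def authorize(self, token: str, amount: int) -> str:
        pan = self.vault.check(token)  # issuer asks the token server first
        if pan is None:
            return "DECLINED: invalid token"
        if self.balances.get(pan, 0) < amount:
            return "DECLINED: insufficient funds"
        self.balances[pan] -= amount
        return "APPROVED"
```

The POS and acquirer only ever carry the token; a real PAN, an unknown value or a suspended token presented in its place is declined before any account is touched.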

Different flavors (models) of HCE

Model 1
• Applet in Cloud
• User data and keys in Cloud

Model 2
• Applet in OS
• User data and keys in OS

Model 3
• Applet in OS
• User data in Cloud

Model 4
• Applet in OS
• User data in Cloud
• Token downloaded to OS

Model 5 (SE-biased)
• Applet in OS
• User data in SE

[Diagram, one per model: Mobile Device containing Mobile OS, HCE APIs, Service applet (agent) and NFC Controller, with User data, Token or SE placed according to the model]

Birth of Kona Pay: A New Payment Platform in Town

Issuer / Bank

In-store payment using plastic card

Online payment

Plastic card issuance

Tokenization

Mobile Card Issuance

In-store payment using Mobile card

In-App Payment

Multiple business and technical arrangements

Merchant: Online Fraud – Liability Shift

Fraud & Liability
• Potential Data Breach
  – Phishing, Key logging, etc.
  – Hacking Card on File (CoF)
  – Transaction data modification or interception
• Key Liability towards Merchant
  – Need to secure e-Store, CoF and Transaction

Online Shopping
• Manually enter Card info
  – Inconvenient for the user
• Store Card info in online account
  – Merchant needs to support Card on File (CoF)
• Online Transaction
  – Mag-stripe transaction

User

• Lots of Credit Card, ID Card, Coupons, etc…
• Different credit card, different PIN.
• Input credit card information manually
• Trust Merchants with Credit Card Info
• Insecure online transactions.
• Multiple vouchers, coupons, gift cards, etc.
• Need to carry those around physically.
• Longer card delivery time.
• Card cloning.
• Constantly check for suspicious transactions, notify the bank.
• Hassle to block the card and get a new one, also the reimbursement of the money from bank.

Converging Factors

Single Payment Platform

ALL Form Factors
• Plastic contact card
• Plastic contactless card
• N Card*
• SE (UICC, mSD, eSE)
• Host card emulation

ALL Provisioning Modes
• Central mass perso
• Instant perso
• SE/HCE OTI or OTA
• SE/HCE (post) issuance OTI/OTA

ALL Payment Modes
• In-store: plastic cards
• In-store: SE/HCE mobile
• In-app: SE/HCE mobile
• In-app/remote: plastic contactless using NFC

ALL Security Measures
• EMV
• Tokenized plastic card**
• Whitebox crypto, LDE
• PKI
• FIDO, TEE (in roadmap)

* N Card is a dual interface plastic card; it supports both contact and contactless, can store multiple credit cards, gift/loyalty/coupons, transport card, etc., can be (post) personalized using the mobile wallet, and can be used to make in-store as well as in-app transactions using NFC between the card and mobile.

** Tokenized plastic card does not store the original PAN inside, but rather an alternate PAN which generates a cryptogram for the issuer to verify.

Converging Factors

Single Wallet: N Card, SE (UICC, mSD, eSE), Remote Payment, HCE

• N Card is dual interface plastic card
• Supports both contact and contactless
• Can store multiple credit cards, gift/loyalty/coupons, transport card, etc.
• Post personalized using mobile wallet
• Supports in-store and in-app transaction using NFC between the card and mobile.

Components of Kona Pay

[Diagram: User, Card, Mobile Application, POS, Remote Payment Gateway, Acquirer, Payment Network, TSM, Service Manager, Mobile Application Platform, Cloud Platform, Voucher Issuance System, Card Issuance System, Token Service Provider, Transaction Management System, Issuer CMS]

Personalization Flow

[Diagram sequence, built up over six slides. Components: Issuer, Issuer Authorization System, Service Manager, Card Issuance System (Data Prep), Card Issuance System (Data Perso), Perso Machine, Token Service Provider, Secure Server, Cloud Platform, MAP / Mobile App Platform, TSM, Mobile Application, Mobile, Internet. Data labels: Raw Data, P3 data. Personalization targets shown: Plastic Cards, Tokenized Plastic Cards, HCE applet, SE, Dual Interface Card]

Transaction Flow

[Diagram, in-store purchases: Mobile (Mobile Application, HCE applet, SE) and Dual Interface Card at the POS; Acquirer, Payment Network, Issuer, Issuer Authorization System; TMS receiving the transaction update; Service Manager, Perso Machine, TSP, Cloud Platform, TSM, MAP, Card Issuance System (Data Prep), Secure Server]

Transaction Flow

[Diagram, in-app purchases: the same components, with the Remote Payment Gateway in place of the POS]

Issuer / Bank

• N Card
• Soft card
• SE-based card

• Single wallet
• In-store payment
• In-app and online payment
• Voucher redemption

One platform supports all form-factors and channels

Merchant: No Liability | No PCI-DSS | Higher Conversion

No more Liability
• Card on File
  – Does not store real PAN
  – Only stores Token (alternate PAN)
• Manual Entry
  – No need to enter Card info manually
  – Token will be used on entire ecosystem
• Transaction Security
  – EMV transaction instead of Magstripe
  – Highly secure – impossible to break

No more PCI-DSS
• Cost Saver
  – Does not need Certification Issuance / Renewal
  – Less administrative cost on Infrastructure

Higher Conversion
• User Experience
  – Secured and hassle free Shopping
  – Increase conversion rate

User

N Card

One PIN

Single wallet

Secure transactions

Convenient voucher redemption

Single click transaction

A journey with Kona Pay: Joy of Smashing Challenges

Challenges - Development with the Spec Releases

Host Card Emulation is a relatively (in payment industry terms) recent idea. However, the major brands have rapidly endorsed and developed specifications to help vendors.

[Timeline figure; axis: Nov, Dec, then Jan through Dec (Q1 to Q4), labelled 2014. Milestones shown:
• Android 4.4 mobile OS platform with HCE support
• VCP-CS (VISA Cloud-based Payments - Contactless Specifications) 1.0
• EMV Payment Tokenization Specification 1.0
• VCP-CS 1.1
• VCP-CS 1.2
• MasterCard Cloud-Based Payments Specification 1.0
• Draft AmEx specifications
• Cartes 2014]

VCP-CS
o Compatible with EMV tokenization spec
o Defined components of HCE eco-system: for provisioning, tokenization, verification, lifecycle management etc., with general responsibilities
o Behavior guidance for application in mobile. Compatible with VCPS

EMV Tokenization Specifications
o PAN, expiry date, cardholder name, cryptographic keys to be tokenized
o Tokens have similar format to original data
o Token ranges different from original PAN ranges etc.
o Different business models: digitized card in mobile, card-on-file online etc.

MasterCard CBP
o Compatible with EMV tokenization spec
o Defined components of HCE eco-system, with specific responsibilities and actions
o Defined specific behavior for application in mobile in detail.

Challenges - Development with the Spec Releases

• Had to adapt to lots of changes within a short time
  – Had to try different business models to fit in
• Hard Deadline to stay ahead of the market competitors
• We had to forecast different behaviors for MasterCard CBPS Specs
  – Sometimes it worked and sometimes it didn’t

Challenges We Faced

• Maintaining Effective Peer Code Review, under Serious Deadlines
• Automated Test Coverage
• Scrum Practice in Distributed Teams
• Testing while development
  – Mocking the dependency
  – Implement the skeleton first from top to bottom.
• Effective Team Collaboration while doing webservices
  – Dependency Analysis before planning a sprint is very vital

People behind Kona Pay

• Total Developers: 22
• Total QAs: 7
• Scrum Teams: 5

Scrum Meeting

Lessons to make scrum successful

Technologies Used for Kona Pay

Mobile App
• Host Card Emulation
• Smart Card Service
• PKI middleware
• White Box Cryptography
• ActiveAndroid
• Dagger
• ButterKnife
• Retrofit
• Eventbus

Web Application
• Spring Framework
• Spring MVC
• Spring Integration
• JPA
• Hibernate
• Jboss AS

Other Tools
• RabbitMQ (MQTT)
• HornetQ
• Memcached
• Infinispan
• OpenSSO
• ElasticSearch-Logstash-Kibana

Database
• Oracle
• MySql

Testing
• Jbehave
• Gatling
• Jmeter
• Collis

Environment
• Eclipse
• Gradle
• Jrebel
• Git
• Jenkins

Review & Issue Tracking
• reviewboard
• Redmine

Kona Pay into the Wild: From Korea to The World

Kona Pay was Unveiled in South Korea for Korean Market

Kona Pay Outside Korea

• Kona Pay is unveiled at Money20/20 2015 for the US market
• Kona Pay will be unveiled at Cartes-2015 for the European market

Q/A

Thanks