Thales launches cryptographic hardware security modules software for NFC mobile payments

August 23rd, 2011 at 5:41 PM Filed Under Latest News, Press Release

Thales launches NFC cryptographic hardware security modules (HSMs) software for mobile payments OTA

Thales e-Security focuses on encrypting data during NFC mobile payments and has today released a software solution for secure elements or “Hardware Security Modules” that allows trusted service managers to deliver software and sensitive customer data more securely and efficiently over-the-air.

Thales has released a new crypto software solution that extends its payShield 9000 security product line, so that provisioning services such as trusted service managers (TSMs) can apply advanced security to NFC payments and to the transfer of software onto secure elements housed within NFC phones. NFC as an industry is increasingly riddled with acronyms and technical jargon, and the Thales announcement is no exception. If you are in the industry, it’s not a problem, but with so many consumers fearful about trusting NFC payments, we wanted to break this new development down into layman’s terms so that consumers can learn just how much security is involved in NFC.

Quick glossary of NFC terms

HSM: Hardware Security Modules

The HSM is the physical chip, SIM or microSD area of your NFC phone that secures and holds NFC payment capable applications. They are generally tamper-proof, meaning that if anyone attempts to gain access to that information they automatically lock up and stop functioning.

OTA: Over-The-Air

Simply means that your data connection is used to download applications, updates or to transmit data for payments.

TSM: Trusted Service Manager

We wrote a whole post on what a trusted service manager is and what it does, which you can find here. However, for the quick glossary of terms, a TSM is a service provider that sits between your card issuer or bank and your phone. They work with your mobile network operator, ensure your account details are never exposed, and provision services that allow you to download NFC payment apps. They basically manage all security and are the organization that has access to the secure element on your phone. TSM services are also referred to as provisioning services, just to confuse you a little more.

Cryptographic

Cryptography is referred to as encryption, which is the process of converting ordinary information (called plaintext) into unintelligible gibberish (called ciphertext). Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext. A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. Information is nigh on impossible to decrypt if you do not have the cipher and so protects your information when it is in transit between TSMs, MNOs and card issuers.

MNOs: Mobile Network Operators

The people you get your mobile and data services from; for example Vodafone, Verizon or T-Mobile.

SWP: Single-Wire Protocol

This is the protocol used to transmit data from an NFC phone over your MNO’s network until it reaches your TSM and then on to your card issuer’s system. It’s a secure form of data transmission for payments.

NFC mobile payment process

[Image: Thales launches cryptographic hardware security modules software for NFC mobile payments]

Once you know the terms, understanding how a payment is processed and the levels of security that are in place becomes easy. Here is a simplified version of the process of an NFC payment. The numbers on the image above correspond with the list below.

1. You wave and pay for goods or services at a merchant. Your secure element, with security from a company like Thales, encrypts the data and gets ready to send it off.

1.5. Your mobile network operator probably uses SWP (single-wire protocol) to transfer the already encrypted data.

2. Your mobile network operator routes your transaction to the trusted service manager with a secure protocol.

3. Your encrypted transaction data gets passed over the MNO to the trusted service manager, who provisions the transaction requests, decrypts the data and passes it on to the card issuer or bank.

4. Your card issuer or bank checks your balance and some security details, like perishable transaction IDs, and if everything goes through fine, it releases the funds. That data is then encrypted and sent back to your phone through all of the same mechanisms described above.

5. The funds are charged against your account. Your transaction is complete.

Okay, now that you are up to speed on the fancy words and the simplified NFC payment process, let’s look at the new product that Thales is offering to TSMs.

What makes Thales’ announcement great for consumers’ financial information security if and when they use NFC mobile wallets

“GlobalPlatform is the international organization which standardizes the management of applications on secure chip technology, and has become the foundation for managing and personalizing payment applications on mobile phones”, says Kevin Gillick, Executive Director of GlobalPlatform. “Thales’s implementation of GlobalPlatform’s Specifications greatly simplifies the process required by mobile issuers to securely load mobile payment applications onto mobile devices.”

To a large degree, this announcement means that TSMs and provisioning services can run more efficiently, with less overhead and more reliable software on their servers. One software solution takes care of securing information and also manages the OTA portion of the exchange. On another level, by using Thales’ system, TSMs now have the ability to house security applications within the secure element in NFC phones. This secures the information to a greater degree than older approaches and is the approach recommended by GlobalPlatform. Here is what Thales has to say about their new HSM.

“Payments applications can be secured on the phone in a Secure Element built into the phone, in the SIM, or in a Secure Micro SD Card, but securing the back-end issuing/provisioning of payments applications to the phone is equally important. By using Hardware Security Modules (HSMs) with dedicated GlobalPlatform functions to protect the provisioning process, many issuers and Trusted Service Managers are now finding they can greatly simplify the process as well as enhancing its security,” said Steve Brunswick, strategy manager at Thales.

“As a leading provider of issuing applications we are witnessing a significant increase in our customers’ requests to provide systems to issue payments applications to mobile phones”, says Patrick Regester, EVP Sales and Marketing at Aconite. “Using the specific card issuing and personalization cryptographic functions provided by Thales HSMs we will be able to respond rapidly to our customers’ needs with market leading, secure and efficient applications.”

“With the widespread adoption of smartphones consumers are increasingly looking for the freedom to make purchases from their mobile handsets,” says Franck Greverie, Thales vice president in charge of information technology security activities. “Thales is the largest supplier of payment HSMs, and our new dedicated cryptographic functions for mobile payment issuers have come at exactly the right time, enabling card personalisation providers, including Trusted Service Managers (TSMs), to simplify the secure implementation of payment applications and take advantage of the huge growth in mobile-based payments that is being widely predicted.”

In summary, what we as consumers can take from this development is that NFC payments have been secure for some time now, but any loopholes found are gradually being tightened up, and new developments, like the HSM from Thales, are allowing NFC mobile payments to become the most secure form of payment that we have ever had. Biometric sensors are the other area that needs more attention, but that is an issue to take up with NFC phone manufacturers, and we expect to see more in this area within the next couple of years as well. As a culture, we worry more now about our privacy and sensitive information than ever before, and we should. No machine data is ever 100% secure, and that applies to credit cards also. However, with the development of strong software like the Thales HSM, which increasingly encrypts our data from multiple vectors, we as consumers are becoming a far bigger threat to our own information security than the systems we use to make payments.

 

Thales HSM NFC payments press release

THALES MAKES CRYPTO FOR PERSONALIZING MOBILE PHONES WITH PAYMENT APPLICATIONS SIMPLER, MORE EFFICIENT, AND MORE SECURE

THALES ANNOUNCES NEW CRYPTO SUPPORT FOR MOBILE PAYMENT ISSUERS

August 16, 2011

Weston, FL and Long Crendon UK – Thales, leader in information systems and communications security, announces the world’s first software for Hardware Security Modules (HSMs) that enables mobile payment issuers to deliver their mobile payment applications to mobile handsets Over-The-Air (OTA) in a simple, efficient and secure manner.

According to Juniper Research mobile payments for digital and physical goods, money transfers and NFC (Near Field Communications) transactions will reach almost $630bn by 2014. The many recent announcements by handset manufacturers and Mobile Network Operators on the support for NFC on phones suggest 2011 could be the year when phones capable of mobile payments will become widely available.

Today’s mobile payments issuers have to use multiple core cryptographic function calls to build the data needed to issue a payment application and to create the secure messages required to personalize the mobile phone with the application (OTA). This approach can be lengthy, inefficient, and less secure as it can potentially expose sensitive data.

Thales HSMs now provide for the first time the ability to create a secure message to personalize a payment application hosted in a GlobalPlatform Secure Element, resident in a mobile phone using a single dedicated cryptographic HSM call. The new card and phone personalization software is based on the industry standard specifications for secure messaging developed and published by GlobalPlatform.

“GlobalPlatform is the international organization which standardizes the management of applications on secure chip technology, and has become the foundation for managing and personalizing payment applications on mobile phones”, says Kevin Gillick, Executive Director of GlobalPlatform. “Thales’s implementation of GlobalPlatform’s Specifications greatly simplifies the process required by mobile issuers to securely load mobile payment applications onto mobile devices.”

“As a leading provider of issuing applications we are witnessing a significant increase in our customers’ requests to provide systems to issue payments applications to mobile phones”, says Patrick Regester, EVP Sales and Marketing at Aconite. “Using the specific card issuing and personalization cryptographic functions provided by Thales HSMs we will be able to respond rapidly to our customers’ needs with market leading, secure and efficient applications.”

“With the widespread adoption of smartphones consumers are increasingly looking for the freedom to make purchases from their mobile handsets,” says Franck Greverie, Thales vice president in charge of information technology security activities. “Thales is the largest supplier of payment HSMs, and our new dedicated cryptographic functions for mobile payment issuers have come at exactly the right time, enabling card personalisation providers, including Trusted Service Managers (TSMs), to simplify the secure implementation of payment applications and take advantage of the huge growth in mobile-based payments that is being widely predicted.”

Thales Mobile payments application issuing functions are available on its latest generation of Hardware Security Modules, payShield 9000, which include market leading performance and resiliency that today’s data centres demand.

Visit our digital media centre www.paymentssecurity.com for industry issues and comment.
The Information Technology Security activities of Thales

Thales e-Security is a leading global provider of data encryption solutions to the financial services, high technology manufacturing, government and technology sectors.  With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions.  Thales e-Security has offices in France, Hong Kong, Norway, United States and the United Kingdom.  For more information, visit www.thales-esecurity.com
About Thales

Thales is a global technology leader for the defence & security and the aerospace & transport markets. In 2010 the company generated revenues of €13.1 billion, with 68,000 employees in 50 countries. With its 22,500 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. www.thalesgroup.com
Contact:
Liz Harris
Thales e-Security
+44 (0)1223 723612
liz.harris@thales-esecurity.com           

All trademarks and service marks are the property of their respective owners

End Thales HSM NFC payments press release

  • JD

    Good to hear about increased security for mobile payments since that seems to be the biggest hurdle for most people. Probably once security gets better, digital wallets by American Express, moneto, Google, Kuapay, Paytoo, and etc…will be used by everyone then

  • Anonymous

    We must make a distinction between the mobile application provision process and its use in the transaction process. The former refers to the process whereby the mobile application itself is deployed (most likely OTA) to the phones, whereas the latter refers to the process where transaction data are being communicated between the phone and the TSM once the application is deployed. Both need to be carried out in a secured manner using cryptography. The announcement here, from what I can infer, is that Thales has come up with a secure and efficient implementation to deploy an application (issued by bank or other financial institutions) to mobile phones. They utilize HSMs to provide strong encryption to secure the provision process. Now whether the application itself utilizes NFC for mobile transaction and how it is being secured is not really implied here in the announcement.