It has been some time since we last posted on mobile security standards (originally the topic surfaced here when Global Platform started working with the GSMA and EMVCo) but many industry players have announced updates in recent weeks that are worth digesting.
The rapid movement in this space brings us closer to a mobile ecosystem built on a set of security standards. It will of course take some time before these standards are widely adopted. The mobile payments market remains chaotic with many competitors vying for their piece of the pie, but at least they all have a set of standards they can potentially use.
So what is new?
- The SIM Alliance Open Mobile API – Apps which use the Secure Element to secure their critical operations (such as banking and payments, or transit), will almost certainly also have a component running in the phone’s operating system so the user can interact with the keyboard/touch screen (whenever they need to authenticate themselves, for example) and enjoy a rich graphical user experience. The SIM Alliance Open Mobile API enables apps developers to use the additional security of the Secure Element more easily (whether it is a UICC SIM, a dedicated Secure Element built into the phone, or a secure SD card) by providing a common means of interfacing with it.
- Trusted Execution Environment (TEE) – The Secure Element takes care of critical data on your mobile handset but it is not an environment that can host apps with a highly developed or cutting edge user interface. Apps that require complex user interactions must run in the operating system. The Trusted Execution Environment is designed to secure these apps and GlobalPlatform is leading the standardisation and interoperability in this area to ensure that data and apps are adequately protected. A payment app that runs its user interface in TEE and its transaction security in the Secure Element would have an extremely high level of security.
- Managing Mobile NFC Services – Arguably one of the most hotly contested roles in the mobile payments ecosystem at the moment, the Trusted Service Manager (TSM) acts as an intermediary between Mobile Network Operators (MNOs) and any third party that wishes to add a service to a mobile phone. But how do TSMs, MNOs and service providers interact to get services onto phones securely? This is where GlobalPlatform’s “System Messaging Specification for Management of Mobile-NFC Services” comes in , defining the messaging between each party to ensure secure provisioning of services to the phone.
Standardisation clearly brings significant time and resource benefits to the industry. And there are now a set of standards either developed or in development for the industry to use - some are already adopted, and others are still to be widely used. The standards provide a foundation for a secure ecosystem, but organisations still need to establish viable commercial relationships for the widespread roll-out of NFC mobile payments.
This space will continue to evolve at a rapid rate, making it certainly an area from which to expect big things in 2012. No doubt it will also be the focus for discussions at Cartes in Paris next month too.