Making payments even in a face-to-face environment is no longer just about using magnetic stripe or chip cards where the security, operating rules, and risks have been long established and well understood by all the actors involved. We are now living in a world where fundamentally different types of devices are being used to initiate payment transactions. This has created new complexities to manage and new forms of risk to mitigate.
In one of his recent blogs, ‘Establishing trust in mobile payments’, my colleague Jose Diaz discussed how the challenge is no longer just about encrypting data on the device itself, but rather more to do with establishing trust in the device through a ‘digital birth certificate’. This places stringent requirements on full lifecycle management of the ‘content’ that the issuer or service provider shares with the device and inherently involves multiple security considerations encompassing items such as keys, certificates, PINs/passcodes and other critical data. This represents a different proposition to securing cards, where strict controls are in place from the start (comprehensively specified by EMVCo for chip-based credit and debit cards) and where the consumer has little or no opportunity to directly or indirectly influence the overall system security. With non-card devices the consumer is effectively in control and significantly more effort is necessary to ‘trust’ what in reality starts off as an ‘untrusted consumer device’ before the ‘digital birth certificate’ is in place.
A platform approach, not a mix of piecemeal products
For issuers, the emergence of multiple alternative payment instruments is an opportunity rather than a threat. Offering customers the ability to utilize their credit or debit accounts to initiate payments on things as wide-ranging as smartphones, wearables, IoT and connected devices is an important aspect of both customer retention and long-term profitability for issuers. A common theme among the wide range of issuing solution or service providers, many of whom are part of the Thales ASAP technology partner program, is the ability to provide support for a broad (and constantly evolving) range of credential-issuing functionality for cards, mobile, IoT and emerging applications. This is what we would call a platform approach rather than a mix of disparate point products with no common lifecycle management.
Leading industry bodies that understand the need for high levels of security have published papers offering solution advice for non-card based payments. Two recent examples you may wish to review are ‘Implementation Considerations for Contactless Payment-Enabled Wearables’ from the Secure Technology Alliance or STA (formerly known as the Smart Card Alliance) and ‘MULTOS the platform for innovation’, which summarizes the areas where MULTOS chip technology can be used to secure a wide range of payment devices. Thales is an active participant in STA activities and a member of the MULTOS Consortium, and has supplied its HSM devices as part of MULTOS-based issuance solutions for many years.
Hardened security to deliver trust
Building on its proven pedigree in the chip card issuance world since the introduction of EMV technology in the 1990s, Thales has worked closely with both issuers and service providers to ensure that its HSMs deliver the specific functionality they need, especially:
- Easy integration through high level REST APIs
- Robust, scalable, high-performance operation proven in service provider environments
- Cryptographic isolation for multiple applications and tenants
- Certification to the relevant global and regional industry security standards
The payShield 9000 HSM from Thales continues to evolve and provides the secure foundation that issuers and service providers need to support the issuance of a wide range of payment instruments today and for those yet to emerge in the future.