
According to the Nielsen Digital Consumer Report, two-thirds of U.S. consumers own a smartphone. People are now using mobile devices for just about everything, and their expectations are high. A report by IBM revealed that consumers expect transactions to be easier on mobile devices than they are offline or on a desktop computer. This creates great opportunity for credit unions to engage with members, increase loyalty and build their brand.

In the payment card world, all but the very largest credit unions typically outsource their card issuing and transaction processing requirements to third-party service providers or processors – due to their relatively small size, it is not practical or financially viable to perform these tasks in-house in the manner adopted by most issuing banks. The mobile channel brings new challenges and risks, but also a significant opportunity for credit unions to take control and perhaps consider performing some tasks in-house. They can create a more responsive environment using proven off-the-shelf packages that the vendor community is already supplying to issuing banks to facilitate mobile payments.


In the popular approaches to mobile discussed here, hardware security modules play a significant role. They overcome the security vulnerabilities and performance challenges typically associated with software-only cryptography. The following sections describe each solution, demonstrating how credit unions can use an HSM infrastructure to deliver secure offerings for each while managing risk, helping to reduce fraud and, most significantly, overcoming any inherent weakness of standard mobile devices.

The Secure Element Approach to Mobile Payments

The Secure Element approach can typically take one of three form factors: Embedded (owned by the handset manufacturer), UICC (owned by the mobile network operator) or MicroSD (owned by the credit union). This approach to contactless mobile payments essentially puts a payment chip card inside a mobile phone. The option with the most collaborative industry activity at present is the UICC model, which has comprehensive GlobalPlatform specification support and an associated formal testing and certification infrastructure. Apple Pay is a specific implementation introduced in the Apple iPhone 6 device that employs an embedded Secure Element (eSE) under Apple control.

SEs are implemented so that no operating system application running on the phone is able to access the SE and its contents. The SE is connected to the NFC controller by a special secure channel called the single wire protocol. Provided the phone is not rooted or jailbroken, there is no way for any application to legitimately intercept the data to or from the SE. This makes the SE behave just like a contactless chip card. The security of the solution is therefore reliant on the secure provisioning of the SE, which for most credit unions will involve the use of a Trusted Service Manager (TSM).

In order for a credit union to be able to support SEs, it would need infrastructure that includes HSMs to securely manage keys and payment credentials together with the interface to the TSM. The token management system that the credit union is likely to adopt will have the added advantage of being able to manage cards as well as the SEs, offering better control and potential cost savings in terms of efficiency.

The Host Card Emulation Approach

A different approach is host card emulation. This approach became a viable option for contactless mobile payments via Google in late 2013 with the Android 4.4 operating system release, codenamed KitKat. This enabled apps on phones for the first time to communicate directly with the NFC controller and hence interact with a contactless POS terminal. For any credit union already offering mobile banking solutions, there is an opportunity to build on their existing mobile banking platform expertise and/or harness the app developer community expertise. It suddenly looks a lot easier for credit unions to introduce phone payments at POS that deliver transaction fee income similar to card payments. Since credit unions do not control what types of phones their cardholders purchase, it is imperative that their contactless mobile payment offerings cover the widest possible audience.

Supporting HCE payments requires three important security processes, which credit unions are very well placed to deliver and are based on proven processes that involve HSMs today in the card world.

The security steps are:

  • Creating a trust environment, which includes a combination of encryption, user authentication and secure messaging support to enable secure storage of critical keys and payment credentials at the data center or in the private cloud;
  • Protecting the master keys required to manage the HCE portfolios; and
  • Generating all limited-use keys – no other entity (including the mobile device) can generate keys that are used to create the cryptogram for the transaction.
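The third step, sketched as an added illustration (not code from the article or from any vendor): the issuer derives limited-use keys from a master key, the device computes a transaction cryptogram with only that key, and the issuer verifies it by re-deriving the key. HMAC-SHA256, the field layout, the use limit and all names are assumptions standing in for a payment scheme's real derivation; in production the master key stays inside an HSM.

```python
import hashlib
import hmac

# Constructed sample key; a real master key is generated and held inside an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAX_USES = 3  # hypothetical cap on transactions per limited-use key (LUK)


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so different field splits cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_luk(master_key: bytes, token: str, key_index: int) -> bytes:
    """Issuer side: master key -> per-token key -> limited-use key."""
    token_key = _mac(master_key, b"token", token.encode())
    return _mac(token_key, b"luk", key_index.to_bytes(4, "big"))


def device_cryptogram(luk: bytes, counter: int, amount_cents: int,
                      terminal_nonce: bytes) -> bytes:
    """Device side: holds only the provisioned LUK, never the master key."""
    return _mac(luk, counter.to_bytes(2, "big"),
                amount_cents.to_bytes(6, "big"), terminal_nonce)[:8]


class IssuerVerifier:
    def __init__(self, master_key: bytes):
        self._mk = master_key
        self._seen = {}  # (token, key_index) -> highest counter accepted

    def verify(self, token: str, key_index: int, counter: int,
               amount_cents: int, nonce: bytes, cryptogram: bytes) -> bool:
        if not 1 <= counter <= MAX_USES:
            return False  # LUK exhausted: device must be re-provisioned
        if counter <= self._seen.get((token, key_index), 0):
            return False  # replayed or out-of-order counter
        luk = derive_luk(self._mk, token, key_index)
        expected = device_cryptogram(luk, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key or altered transaction data
        self._seen[(token, key_index)] = counter
        return True
```

A stolen LUK is only good for the remaining counters under one key index, which is why generation has to stay with the issuer.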

A Secure Future in Payments

The advent of mobile devices has opened up a whole new world of on-the-go, 24/7 possibilities, including financial transactions for credit union members. Offering these payment options provides convenience and, in most cases, additional revenue. The traditional experience for credit unions with card payments is one involving an outsourcing model where there is little or no in-house requirement for HSMs. Mobile payments offer credit unions the ability to take a fresh look at things that they could not easily bring back in-house. This will mean they can now employ HSMs as a unifying mobile platform. HSMs authenticate users, help prevent fraud and protect secure keys and sensitive data. The two mobile payment options described above can be delivered with high security, increased member confidence and loyalty, and use the same proven technology already deployed by banks. Perhaps the time is now right for credit unions to take a different approach and control more of their own destinies.

Ian Hermon is product marketing manager at Thales e-Security. He can be reached at 831-440-2414 or [email protected].

 
