
Ecosystem Scenarios for Cloud-based NFC Payments

Pardis Pourghomi and George Ghinea


School of Information Systems, Computing and Mathematics
Brunel University
London, UK
UB8 3PH
pardis.pourghomi@brunel.ac.uk

Introduction to NFC

NFC is designed for short-distance wireless communication

NFC is complementary to Bluetooth and 802.11, with their long-distance capabilities

Easy and simple connection method

Enables the exchange of data between devices over a distance of up to 20 centimetres

Provides a communication method to non-self-powered devices

pardis.pourghomi@brunel.ac.uk Brunel University, UK

Examples of using NFC enabled mobile phones

Download music or video from a smart poster

Exchange business cards, pay bus or train fares, parking tickets, pay at kiosks, pay and purchase at Point of Sale terminals

Access control in offices, hotels and airports; print receipts to a printer


What is a Secure Element (SE)?

The SE is intended as an attack-resistant microcontroller

A combination of hardware, software, interfaces and protocols embedded in a mobile handset that enables secure storage

Provides a secure area for the execution of applications and the protection of payment assets (i.e. payment keys, application code, payment data)

Can also be involved in the authentication process


What is a Secure Element (SE)?

The operating system running on the SE must be able to install, personalize and manage multiple applications

The SE is essential in NFC transactions, and ownership/control of it may yield commercial or strategic advantage

SE types: stickers, removable Secure Memory Card (SMC), Universal Integrated Circuit Card (UICC), embedded SE (eSE)


NFC ecosystem players

Consumer: the party considered as the end user in an NFC ecosystem.

Merchant: the counterpart of the consumer.

Secure Element issuer (SEI): the party that issues the SE in an NFC ecosystem. It also controls the SE and decides how the storage of the SE should be used.

Secure Element provider: the manufacturer of the SE. It has a direct relationship with the SE issuer and the service provider.

Service Provider (SP): the party that issues the payment application and deploys data elements to the consumer. The SP is also responsible for managing the payment application stored in the SE.


NFC ecosystem players

Mobile Network Operator (MNO): responsible for providing the GSM network for data transmission. In our case, the MNO is the SE issuer (SE in the form of a UICC).

Trusted Service Manager (TSM): the role of the TSM is to integrate several SEs and SPs.

Acquirer: the main role of the acquirer is handling financial payments by clearing and settling transactions through the financial institutions.


SE management

SE management in a mobile multi-application environment is very challenging

SPs and SE issuers have an n-to-n active relationship

Partners may have limited control over the service environment

Current card issuance models cannot support the dynamic post-issuance personalization process (lack of SP control over the SE)


Mobile wallet + Cloud computing

Is there a need for cloud?

Would NFC do the job on its own?

There is a need for a clear and right go-to-market strategy for mobile payments

There is not much agreement among mobile wallet stakeholders

Which technology will finally get accepted by consumers and merchants?

PayPal, Telefonica/O2, and Best Buy have announced wallets that use cloud technology (cloud wallets)

NFC wallet & Cloud wallet

NFC Wallet:
A chip is required, stored in the phone
A mobile app is required
Logging
Phone can be scanned on the POS
Beneficial for busy environments, e.g. train stations
Pre-paid account is required
Different apps can be integrated into a single app

Cloud Wallet:
A mobile app is required
Logging
Client registers with the SP (cloud)
Registered info is stored in an offline database
Improves the loyalty experience of clients
Required info (e.g. credit card details) is pulled from the database when the client wants to make a payment
Beneficial for merchants: no need to change their current POS terminals


NFC Cloud Wallet model: Overview

1) The customer scans his NFC-enabled phone on the POS to make the payment
2) The payment application is downloaded into the customer's mobile phone SE
3) The POS communicates with the cloud provider to check whether the customer has enough credit
4) The cloud provider transfers the required information to the POS
5) The merchant either authorizes the transaction or rejects the customer's request
6) The merchant communicates with the cloud to update the customer's balance


NFC Cloud Wallet model: General idea

Additional Security (optional)

When the NFC-enabled phone sends a request to the cloud provider to get permission to make a payment (step 1), the cloud provider sends an SMS requesting a PIN number to identify the user of the phone

The customer sends the PIN back to the cloud provider as an SMS

Verification
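The six-step flow of the model and the optional SMS PIN step can be simulated end to end. The Python below is an added example, not code from the authors or from any wallet product: the CloudProvider, Account, phone_tap and pos_transaction names, the balances in pence, the 4-digit PIN, the 120-second PIN lifetime, the 60-second approval window and the in-memory SMS outbox that stands in for the GSM channel are all constructed assumptions. It shows the cloud's credit check (steps 3-4), the merchant's authorize/reject decision (step 5) and the balance update (step 6), with the PIN being one-time, time-limited and attempt-limited so that a replayed, expired or guessed PIN does not approve a payment. Step 2 (downloading the payment application into the SE) is out of scope.

```python
"""Simulation of the NFC cloud wallet payment flow with the optional SMS PIN step.
Added example, not the authors' code. Party names, balances (in pence), the
4-digit PIN, the PIN/approval lifetimes and the in-memory SMS channel are all
constructed assumptions."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    balance: int                     # customer's pre-paid credit, in pence (constructed)
    pending_pin: Optional[str] = None
    pin_issued_at: float = 0.0
    pin_attempts: int = 0
    approved_until: float = 0.0      # monotonic time until which a verified PIN is valid


class CloudProvider:
    """Cloud side of the model: holds balances and runs the PIN verification."""
    PIN_TTL = 120.0         # seconds a one-time PIN stays valid (assumed)
    APPROVAL_TTL = 60.0     # seconds a verified PIN keeps one payment approved (assumed)
    MAX_ATTEMPTS = 3

    def __init__(self, balances: dict):
        self.accounts = {cid: Account(balance=b) for cid, b in balances.items()}
        self.sms_outbox: list = []   # stands in for the GSM SMS channel: (customer_id, text)

    def request_permission(self, cid: str) -> None:
        """Optional security, step 1: phone asks for permission, cloud texts a PIN."""
        acct = self.accounts[cid]
        acct.pending_pin = f"{secrets.randbelow(10_000):04d}"
        acct.pin_issued_at = time.monotonic()
        acct.pin_attempts = 0
        self.sms_outbox.append((cid, f"Reply with PIN {acct.pending_pin} to approve the payment"))

    def receive_pin_sms(self, cid: str, pin: str) -> bool:
        """Customer echoes the PIN back by SMS; the cloud verifies it."""
        acct = self.accounts[cid]
        now = time.monotonic()
        if acct.pending_pin is None or now - acct.pin_issued_at > self.PIN_TTL:
            acct.pending_pin = None          # expired or never issued
            return False
        acct.pin_attempts += 1
        ok = hmac.compare_digest(acct.pending_pin.encode(), pin.encode())
        if ok or acct.pin_attempts >= self.MAX_ATTEMPTS:
            acct.pending_pin = None          # one-time use; lock out after too many tries
        if ok:
            acct.approved_until = now + self.APPROVAL_TTL
        return ok

    def check_credit(self, cid: str, amount: int) -> dict:
        """Steps 3-4: POS asks whether the customer can pay; cloud answers without exposing the balance."""
        acct = self.accounts.get(cid)
        if acct is None:
            return {"known": False, "approved": False, "sufficient": False}
        return {"known": True,
                "approved": time.monotonic() < acct.approved_until,
                "sufficient": acct.balance >= amount}

    def debit(self, cid: str, amount: int) -> int:
        """Step 6: merchant asks the cloud to update the customer's balance."""
        acct = self.accounts[cid]
        if amount <= 0 or acct.balance < amount or time.monotonic() >= acct.approved_until:
            raise ValueError("debit refused")
        acct.balance -= amount
        acct.approved_until = 0.0            # one approval covers exactly one payment
        return acct.balance


def phone_tap(cloud: CloudProvider, cid: str, reply_correctly: bool = True) -> bool:
    """Customer's handset: request permission, read the SMS, reply with the PIN."""
    cloud.request_permission(cid)
    _, text = cloud.sms_outbox[-1]
    pin = text.split("PIN ")[1].split()[0]
    if not reply_correctly:                  # simulate a mistyped or guessed PIN
        pin = "0000" if pin != "0000" else "0001"
    return cloud.receive_pin_sms(cid, pin)


def pos_transaction(cloud: CloudProvider, cid: str, amount: int) -> dict:
    """POS/merchant side: steps 3-6 after the tap in step 1."""
    info = cloud.check_credit(cid, amount)
    if not (info["known"] and info["approved"] and info["sufficient"]):
        return {"authorized": False, "reason": info}     # step 5: reject
    new_balance = cloud.debit(cid, amount)               # step 5: accept, step 6: update
    return {"authorized": True, "balance": new_balance}


if __name__ == "__main__":
    cloud = CloudProvider({"cust-1": 1000})
    phone_tap(cloud, "cust-1")
    print(pos_transaction(cloud, "cust-1", 350))      # authorized, balance 650
    print(pos_transaction(cloud, "cust-1", 100))      # rejected: no fresh PIN approval
```

The cloud never returns the balance itself to the POS, only whether the amount is covered, and a second tap without a fresh PIN round is rejected because the approval is consumed by the debit.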


Ecosystem scenarios: Direct Link between POS and MNO

Extension to the NFC cloud wallet model

Assumptions:
The SE is part of the SIM (UICC)
The cloud is part of the MNO
The MNO manages the SE/SIM (GSM)
Banks, etc. are linked with the MNO
The MNO is the only party which manages confidential data stored in the cloud

More info: Pourghomi, P., Saeed, M. Q., and Ghinea, G. A Proposed NFC Payment Application. In International Journal of Advanced Computer Science and Applications (IJACSA), Volume 4, Number 8, 2013, pages 173-181. The Science and Information Organization Ltd, 2013.


Ecosystem scenarios: Unlinked POS and MNO

Assumptions:
The main SE (virtual SE) is part of the cloud managed by the MNO
A secure tamper-resistant component in the mobile device is used for authentication (the phone's SE)
The MNO manages the SE/SIM (UICC)
Banks, etc. have connections with the MNO
The vendor trusts the MNO


The virtual SE vs. the phone's SE

Virtual SE (stored in the cloud):
Securely stores personal data such as debit and credit card information, user identification number, loyalty program data, payment applications, PINs and networking contacts

Phone's SE:
Stores authentication data such as keys, certificates, protocols and cryptographic mechanisms
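The split above, keys on the handset and personal data in the cloud, is what a challenge-response authentication between the two exercises. The Python below is an added example, not the authors' code: the PhoneSecureElement and VirtualSecureElement names, the HMAC-SHA256 device key, the device id, the 16-byte nonce, the card record and the masked view returned to the handset are constructed assumptions. The slides list keys and certificates, so a deployment would more likely use a certificate-based signature than a shared HMAC key; the structure (nonce issued by the cloud, signed by the phone's SE, consumed once, data released only after verification) is the same.

```python
"""Challenge-response between the phone's SE (holds the key) and the virtual SE in
the cloud (holds the payment data). Added example, not the authors' code. The HMAC
device key, device id, nonce size, card record and returned view are constructed
assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


class PhoneSecureElement:
    """Tamper-resistant component on the handset: uses the key, never exports it."""

    def __init__(self, device_id: str, key: bytes):
        self._device_id = device_id
        self._key = key

    def authenticate(self, nonce: bytes) -> tuple:
        """Return (device_id, tag) where tag = HMAC-SHA256(key, device_id | nonce)."""
        msg = self._device_id.encode() + b"|" + nonce
        return self._device_id, hmac.new(self._key, msg, hashlib.sha256).digest()


class VirtualSecureElement:
    """Cloud side managed by the MNO: device keys plus the sensitive personal data."""

    def __init__(self):
        self._device_keys: dict = {}
        self._records: dict = {}
        self._outstanding: dict = {}    # nonce -> device_id; each nonce is usable once

    def enrol(self, device_id: str, key: bytes, record: dict) -> None:
        self._device_keys[device_id] = key
        self._records[device_id] = record

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = device_id
        return nonce

    def open_session(self, nonce: bytes, device_id: str, tag: bytes) -> Optional[dict]:
        """Verify the phone SE's response; on success release only what the payment step needs."""
        expected_id = self._outstanding.pop(nonce, None)   # consumed even on failure: no replay
        key = self._device_keys.get(device_id)
        if expected_id != device_id or key is None:
            return None
        expected = hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        rec = self._records[device_id]
        # The full PAN stays in the cloud; the handset only gets a masked view.
        return {"pan_last4": rec["pan"][-4:], "loyalty_id": rec["loyalty_id"], "apps": list(rec["apps"])}


def demo() -> Optional[dict]:
    """Enrol one constructed device and run a single authentication round."""
    vse = VirtualSecureElement()
    key = secrets.token_bytes(32)
    vse.enrol("dev-001", key, {"pan": "4111111111111111", "loyalty_id": "L-42",
                               "apps": ["transit", "retail"]})
    se = PhoneSecureElement("dev-001", key)
    nonce = vse.challenge("dev-001")
    device_id, tag = se.authenticate(nonce)
    return vse.open_session(nonce, device_id, tag)


if __name__ == "__main__":
    print(demo())
```

Because the nonce is removed from the outstanding set before the tag is checked, a captured (nonce, tag) pair cannot be presented twice, and a handset holding a different key for the same device id is refused.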


Research challenges

Integration of financial institution(s) with the MNO

Integration of the cloud with the MNO

Design of secure transaction protocols according to payment scenarios

Further exploration of the cloud architecture (SP perspective)


Thank you for your attention!

Question time
Contact: pardis.pourghomi@brunel.ac.uk
