Electronic payments and POS are the next big frontier for cloud based services. The infrastructure for these services is shaped by what is known as HCE. Host card emulation (HCE) is the on-device technology that permits a phone to perform card emulation on a near field communication enabled device without relying on access to a physical card. The combination of always online devices and cloud computing makes placing cards in the cloud, a viable option for more open and scalable mobile based commerce.
HCE services in the OS use the HCE client app to support multilevel security methods called for by the visa and MasterCard HCE specifications. Tokenization plays an important role in security against authorised card access in HCE.
Tokenization reduces the risk for banks by replacing the sensitive information by tokenized pseudo-information used in the payment systems. But tokenization raises some challenges:
- In the most secure instances, the original card is deemed necessary for tokenization. For this to happen, the confidential details of the original cardholder need to be protected before the tokenization can happen. All the payment card details in the form of tokens are stored in a secure, centralised vault that now becomes a target for hackers.
- Infrastructure requirement can be another issue. A new token is created each time a new merchant or customer signs up and provides you with their data. When a new transaction takes place, the information about the customer needs to be detokenized so that the payment processing system can authenticate the details and approve the transaction. The transaction fee that merchants pay to their card processing company includes the cost of tokenizing and detokenizing the card holder details. While minor, the infrastructure necessary to do this is still an added cost that merchants have to bear.
- Businesses tend to minimise the cost they need to bear concerning tokenization and detokenization by routeing all their transactions through one payment processor. But if this processor uses an in-house tokenization algorithm, it could lock your payments to this specific processor. The challenge then is to find a tokenization service that will work equally well with multiple payment processors. This way, merchants are not limited to using one or two specific payment processors.
- Other issues include the potential negative impact on the speed of transactions and the fact that data analysis cannot be performed on tokenized data since good tokens do not allow the initial data to be reconstituted just from the token itself.
[easy-tweet tweet=”The mobile payments market is taking a new step towards simpler and cost-effective solutions” hashtags=”Cloud, Mobile”]
Another aspect to look into, for making cloud based payments secure, is the security challenges posed in the Integration of NFC with the cloud for POS/m-POS transactions.
The mobile (m-) payments market is taking a new step towards simpler and cost-effective solutions. Recently introduced payment options using mobile phones integrate NFC technology with cloud-based systems. Security infrastructure for NFC payments is designed to be multi-layered with the customer’s account and card details being stored in the secure element within the device and be maintained in the cloud. The secure element might be directly embedded by the mobile device manufacturer in the phone body or offered by the payment service provider as a removable secure digital card. The use of secure physical element, as is the current industry trend, is vital because in its absence the exposure to risk is much higher. This multi-layered security infrastructure further poses the need of risk management apps in case of the device being stolen or lost. An easy to use mechanism for deactivating NFC services on such lost or stolen devices and reactivating them on another will help enhance security. Security service providers including ARM, Gemalto, and Giesecke & Devrient are working on the development of the trusted execution environment (TEE) as a security standard, but there is still some time before it is ready for production.
The successful combination of NFC and cloud will require solutions to help mitigate the security risks involved in data transmission. Despite constant monitoring and authentication checks that make the cloud itself secure, transmitting data over the air carries an element of risk. Payment information for individuals will be stored in the cloud, and it will be mapped individually to a person logging into an m-payment app. Therefore, data transferred between the cloud and the device initiating the transaction occurs over the air, putting the data at risk to exposure to parties capable of reading it during transmission.
A hybrid approach that combines NFC and cloud for m-payments, hence removing the need for secure physical elements on a mobile phone will make the application of NFC services simpler and cheaper. However, NFC with cloud based systems will still require additional solutions to mitigate the security risks involved in data transmission. This should be done in respect of international payment standards such as PCI DSS.
Many of the security considerations for conventional e-commerce also apply to mobile payments, for example, the provision of using public key cryptography to verify the integrity of endpoints during a transaction. The mobile payments field has a few more added concerns because of the introduction of new technologies, thus increasing the attack surface. Cloud based payments showcase the future of cardless and contactless transactions. But there is still time to see it working as the above-discussed challenges are still to overcome.
Christopher Low is a project manager and lead developer with Sherlock Software. He is also the founder and owner of MyTeamPlan, a desktop-based project management software tool that is targeted at small and medium businesses.