Since HCE first became available in Android handsets, card issuers have been using it to deliver mobile payment solutions to the customers. With scheme specifications and the arrival of tokenization there has been an increasing rate of adoption. Now, with a growing number of payment options becoming available from the 'X-Pays' and a growing convergence between on-line, in-store and in-app transactions, what is the future for cloud based payments? Or why not listen to the webcast https://www.thales-esecurity.com/knowledge-base/webcasts/cloud-based-payments-the-future-of-mobile-payments

1. www.thales-esecurity.com OPEN
Cloud Based Payments: the
future of Mobile Payments?
SIMON KEATES, THALES E-SECURITY
ROB MACMILLAN, PROXAMA

2. 2 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
NFC Mobile Payments Evolution
▌ Why are NFC payments growing?
Global Smartphone adoption + consumers use for a range of purposes
Mandated contactless POS rollout worldwide – convenience and speed
Financial Institutions and Merchants driving mobile engagement
▌ Mobile Payments Evolution
▌ Where does this leave the issuer?
With a potentially confusing and rapidly changing environment
Opportunities and strategic choices

3. 3 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
▌ Apple Pay, a Game Changer?
Oct 2014 launch brought NFC payments to
iPhones
Simple consumer enrolment
New commercial model (15 bps to Apple)
Big marketing campaign and rollout
Apple in control – even had logo on POS
▌ Collaborating rather than disrupting
Uses existing payment card rails
Uses established technology – EMV, NFC
Drove card schemes to launch tokenisation
services
▌ X-Pays are following
Samsung Pay, Android Pay, etc.
But it’s still early days
Apple Pay

4. 4 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
▌ What is Tokenisation?
Protects cardholder by replacing the PAN with a
‘surrogate’ account number, a Token PAN
Transactions still pass through terminals, acquirers and
networks
Token PAN domain controls restrict use
EMV Co published global framework in Mar 2014
▌ Tokenisation scope
Token generation
Token provisioning (with payment data) to phone
Storing Token/PAN map
De-tokenisation for authorisations and clearing
▌ Wider use of Tokenisation
Mobile, Card on File, in-App purchases
Protecting other forms of data, e.g. healthcare
Tokenisation

5. 5 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
HCE and Cloud Based Payments (CBP)
▌ Host Card Emulation (HCE)
Technology added in Android 4.4 in 2013
Provides choice SE/TSM or HCE
Enables an app to use NFC for payment
But data and processing now in software
▌ Cloud Based Payment (CBP)
Initial deployments proprietary
Schemes introduced standards for operation
and security in 2014
Transactions are EMV contactless, no
changes to POS or networks
▌ Consumer Experience
Issuers can add payment to existing mobile
banking apps
Consumer uses something that is familiar
Provisioning through simple option to add an
existing card to the banking app

6. 6 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
CBP layered security
▌ Dynamic keys
New keys dedicated to CBP transactions
Single or limited use keys, issuer controls key replenishment
All transactions online
▌ Tokenisation
Token PAN used instead of Card PAN to protect cardholder data
Token PANs only useable within ‘Domains’
▌ Secure communications with mobile phone
Key exchange with mobile phone
All critical keys and data supplied to phone in encrypted format
▌ Application security
Tools for tamper resistance and whitebox cryptography
Certification and penetration testing of apps

7. 7 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
CBP deployments are spreading
Selected examples
RBC, Canada
BBVA, Spain
Capital One, USA
QIWI, Russia
Tinkoff, Russia
Barclays, UK

8. 8 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Cloud Based Payment future
▌ Value Added Services
Payment on its own won’t drive adoption – consumers need incentives
Issuers can add mobile banking services, loyalty and marketing programmes
▌ New types of issuers
Other issuers can adopt CBP solutions, e.g. merchant closed loop cards, transit, loyalty
Payment capability could be added to existing apps, especially where issuer has control of the
infrastructure
▌ Convergence between in-store, on-line and in-app payment
Payment credentials on the phone can be used for more than in-store
CBP credentials can support payments from other apps on the mobile, e.g. enabling
merchants to ‘payment enable’ their apps
CBP credentials can be used for online ecommerce transactions simplifying and adding extra
security

9. 9 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Issuer Choice: CBP and X-Pays
▌ X-Pays
▌ Pros
Supports a range of handsets (where service
is available)
Could provide value added services in future
Could leverage scheme tokenisation for
multiple X-Pays
▌ Cons
Consumer experience controlled by X-Pay
Future development controlled by X-Pay
Tokenisation service controlled by scheme,
no ‘on-us’ transactions and possible future
charges
▌ Cloud Based Payments
▌ Pros
Issuer retains branding and control of consumer
relationship
Issuer can add services and customise
consumer experience
Issuer can implement in-house solution and
continue on-us processing
▌ Cons
CBP not available on Apple devices
May require more up front investment depending
on solution

10. 10 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Conclusion
▌ Mobile payments market is growing
Driven by consumer demand, NFC smartphones and acceptance infrastructure
X-Pays and schemes recognise this and are competing for control
▌ Issuers have choice
Adopt X-Pays and/or CBP
Select scheme tokenisation and/or implement in-house
▌ CBP puts issuers in control
Branding and customising consumer experience
Provision of in-house solutions
▌ CBP is the future
An increasing number of issuers are deploying solutions
CBP supports value added services and payment convergence

11. 11 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or
disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Contacts
▌ Contact us via the website
https://www.thales-esecurity.com
▌ Or contact me:
simon.keates@thales-esecurity.com
▌ Contact us via the website
http://www.proxama.com
▌ Or contact me:
rob.macmillan@proxama.com