Mobile Cloud-based Payment Security Evaluation

Overview

A new possibility to perform NFC card emulation without a Secure Element (SE) in mobile devices opened up when Blackberry released its OS7 in 2011 which was called Virtual Target Emulation. Google re-introduced the technology on its Android 4.4 “KitKat” operating system by the end of 2013 and called it Host-based Card Emulation (HCE).

HCE has clearly accelerated the introduction of the NFC services variety, by providing an optional more simple, but in principle, less secure way to provide a NFC card emulation service. This option is optimal for service providers to quickly create their own solutions however, they need to be fully aware of the security risks caused by the lack of hardware-based security as provided by the SE.

In the Mobile Payment arena, payment schemes such as Visa, MasterCard and Amex have created Cloud-based Payment specifications leveraging on HCE technology over the last years, and Issuing Banks are broadly adopting HCE technology to provide new and convenient ways to pay to their customers.

In order to increase the security of Cloud Mobile Payment Applications (CMPAs), the above stated payment schemes have created security guidelines for MPAs bank issuers and Software Development Kits (SDKs) developers. In addition, they have in place security evaluation processes for third party laboratories to assess such security solutions in an effective and consistent way.

Definition

UL is recognized by payment schemes to perform Mobile Cloud-based Payment security evaluations for Visa, MasterCard and American Express.

 

UL will assess SDKs and MPAs security to the payment schemes security requirements.

 

SDKs are mandated to go through security evaluation, CMPAs are in some cases not mandatory.

Benefits

At the moment, mobile devices are not providing a high level of security measures on their default features. This implies that any valuable asset could be stolen or corrupted by an attacker. UL recognized experts will help SDKs and MPAs developers to meet payment schemes security requirements.

  • Visa Ready Program for Cloud-based Payments Process
  • MasterCard Mobile Partner Program Cloud-based Payments
  • American Express Cloud-based Payments

DELIVERABLES

Report to get certification


ULSecurityEvaluation@ul.com


PRODUCTS THIS SERVICE APPLIES TO

  • Software Development Kits – SDKs
  • Mobile Payment Applications - MPAs

APPLICABLE STANDARDS

Visa, MasterCard and Amex HCE/Mobile Cloud-based payment specifications.

RELATED INDUSTRIES AND SOLUTIONS