Software-based mobile payments join EMV family
EMVCo launched the Security Evaluation Process for Software-Based Mobile Payments (SBMP) on Dec. 18, 2018, adding software-based payments to its growing EMV Specification suite and list of technical outputs. The global technical body, jointly owned by American Express Co., Discover Financial Services, JCB, Mastercard, UnionPay and Visa, said it established the process to provide an efficient, flexible offering for product providers and promote a robust security foundation for SBMP solutions.
"There are an increasing number of solutions being deployed that use software applications to store and perform payment transactions on mobile devices," EMVCo wrote. "As SBMP applications must operate in the more vulnerable consumer device environment, solutions often [utilize] a layered security approach incorporating various device and software components to help with combating the potential threats."
EMVCo said the SBMP Security Evaluation Process employs component and integration models. Solutions can be evaluated as independent components or as fully integrated systems to validate their security. Individual components are tested by their Trusted Execution Environment (TEE) and Consumer Device Cardholder Verification Method.
Four-step testing process
EMV Specifications and certification processes are designed to promote a unified international payments framework and a diversified range of payment methods, technologies and acceptance environments. The EMV technology toolbox is continually updated to enhance security in face-to-face and online environments.
Product providers must perform the following steps to certify SBMP solutions and components:
- Registration: Submit a completed SBMP registration questionnaire to the SBMP Security Evaluation Secretariat.
- Registration Review: EMVCo reviews the registration questionnaire and invoices the product provider.
- Payment & Lab Report Submission: Upon receipt of the product provider’s paid invoice, the laboratory evaluates security and sends a security evaluation report to the Security Evaluation Secretariat.
- Evaluation Report Review: EMVCo reviews the security evaluation report. Product providers with satisfactory reports receive a product Evaluation Certificate with a unique number. Certified product providers can have their certificates published on EMVCo’s list of approved products. Product providers who do not pass evaluation can continue to work with EMVCo until their products meet all requirements.
Virtual trusted execution environment
Sam Shawki, CEO at MagicCube, said his company’s virtual TEE (vTEE) was designed to meet EMVCo specifications and provides hardware-grade security without relying on hardware. He cited the following additional benefits of the platform:
- Consumer security: vTEEs can be monitored remotely for suspicious activity and can push updates or disable devices when attacked.
- Device flexibility: vTEE solutions are easier to deploy and manage than hardware devices.
- Device isolation: vTEEs create an emulated device within an application, similar to isolated hardware solutions. Unlike hardware, their feedback loops and remote administration services monitor and push updates to the vTEE, even if host devices and OSs are not being updated by vendors or hardware manufacturers.
- Reduced costs: vTEEs reduce the cost of financial applications because they are not device dependent.
"MagicCube’s sTEE platform eliminates the need for a special chip or chip partition and the platform has a wide range of uses," Shawki said. "Next-generation vTEEs and SBMP solutions protect mobile and IoT devices that can’t be secured through legacy solutions."
Editor's Note: This story, originally posted Dec. 21, 2018, was revised slightly on Jan. 14, 2019, to more accurately describe SBMP and EMVCo's work.