by Sirpa Nordlund
Executive Director at Mobey Forum
I had the privilege of attending a Mobey Forum member meeting in San Francisco last week with Bankinter as a keynote speaker. Everyone has been eager to hear more about Bankinter’s recent ‘EMV compatible Mobile Contactless Payment solution’ (which doesn’t use an SE), so Mobey Forum was delighted to provide the first public forum for Bankinter to speak about it.
This blog entry takes a brief look at what it is, what it means and what benefits it will bring, together with the opportunities and risks involved. It does not include any of Mobey Forum’s opinions, nor has it been verified by Bankinter. It is merely my own personal interpretation of what is going on.
Let’s start by finding a name for the solution. In mobile contactless payments, we are used to talking about the Secure Element (SE), which is a piece of secure hardware somewhere in the phone that is connected to the NFC module. This SE performs card emulation towards point of sale (POS) devices. In Bankinter’s solution (and yes, it really is Bankinter’s solution), there is a secure element that is not hardware, but software. This is why it is confusing, and is often referred to by various different names, for example ‘SE in the cloud’, ‘Host Secure Element’ or ‘Software SE’. For the sake of simplicity I’ll stick to the first one, which is also the most relevant here since it emphasizes the role of the cloud.
Next, let’s look at *why* Bankinter has chosen to start a project using an SE in the cloud. They see that in current implementations of the SE (embedded or in the UICC), “the meaningful part of the issuer businesses and processes take place outside of the issuer domain.” It is about control, but also cost: the slow take-off of NFC contactless payments is not only because of a lack of infrastructure support, but also because of its high cost: the value chain is simply too long. It is no longer a ‘four corner model’, but a seven or eight corner model with all the Trusted Service Managers (TSM), Mobile Network Operators (MNO) and other new players sharing the cake (which they assume the consumer will want to pay for).
What does it do?
There are two important parts in Bankinter’s solution: the software component in the phone and a ‘black box’ that authenticates the one-time mobile virtual card created on the phone side.
The solution works both with NFC/contactless POS and with remote payments.
In NFC payments, the software on the phone creates a piece of software that acts as a one-time virtual card based on the PAN. This virtual card is valid for 60 seconds, within which it must be authenticated by the back-end server. If the server recognizes the virtual card, the payment is authorized. If not, the payment is rejected and no retry is allowed.
In remote payments (internet web shops), the process is similar, but without a POS: the user enters a code (not a PIN code), which kicks off the process. The virtual card generated is valid for 5-10 minutes.
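To make the two flows above concrete, here is a small model of a one-time virtual card and of the issuer-side ‘black box’ that authenticates it. This is an added example written for this post, not Bankinter’s code, and the post does not describe how the virtual card is actually derived: the HMAC over a per-card secret shared between phone app and issuer, the `pan_ref` field standing in for the PAN, the counter, and the 5-minute remote window (the lower bound of the 5-10 minutes mentioned) are all assumptions made here. What the model does follow from the post is the behaviour: a card is recognized only within its validity window (60 seconds for NFC), it is accepted at most once, and a rejected card cannot be retried.

```python
"""
Simplified model of a one-time 'virtual card' flow with an issuer-side
authenticator. Constructed example: the MAC-based derivation, the field
layout and the shared per-card secret are assumptions, not Bankinter's design.
"""
import hashlib
import hmac
from dataclasses import dataclass

NFC_VALIDITY_S = 60          # from the post: NFC virtual card is valid for 60 seconds
REMOTE_VALIDITY_S = 5 * 60   # from the post: remote card valid 5-10 minutes; lower bound used here


@dataclass(frozen=True)
class VirtualCard:
    pan_ref: str        # opaque reference to the enrolled card, not the PAN itself (assumption)
    counter: int        # per-card counter that makes every virtual card unique
    channel: str        # "nfc" or "remote"
    expires_at: int     # unix time in seconds
    mac: str            # authenticator computed by the phone app


def _mac(secret: bytes, pan_ref: str, counter: int, channel: str, expires_at: int) -> str:
    """Bind all card fields together under the per-card secret (assumed construction)."""
    msg = f"{pan_ref}|{counter}|{channel}|{expires_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class PhoneApp:
    """Phone-side software component: creates the one-time virtual card."""

    def __init__(self, pan_ref: str, secret: bytes):
        self.pan_ref = pan_ref
        self.secret = secret
        self.counter = 0

    def create_virtual_card(self, channel: str, now: int) -> VirtualCard:
        validity = NFC_VALIDITY_S if channel == "nfc" else REMOTE_VALIDITY_S
        self.counter += 1
        expires_at = now + validity
        mac = _mac(self.secret, self.pan_ref, self.counter, channel, expires_at)
        return VirtualCard(self.pan_ref, self.counter, channel, expires_at, mac)


class IssuerBlackBox:
    """Back-end authenticator: recognizes a virtual card once, within its window."""

    def __init__(self, enrolled: dict[str, bytes]):
        self.enrolled = enrolled                      # pan_ref -> per-card secret shared with the app
        self.seen: set[tuple[str, int]] = set()       # (pan_ref, counter) pairs already presented

    def authorize(self, card: VirtualCard, now: int) -> tuple[bool, str]:
        key = (card.pan_ref, card.counter)
        if key in self.seen:
            # Covers both replay of an accepted card and a retry after a rejection.
            return False, "already presented: no retry"
        self.seen.add(key)   # burn the virtual card whatever the outcome
        secret = self.enrolled.get(card.pan_ref)
        if secret is None:
            return False, "unknown card"
        expected = _mac(secret, card.pan_ref, card.counter, card.channel, card.expires_at)
        if not hmac.compare_digest(expected, card.mac):
            return False, "virtual card not recognized"
        if now > card.expires_at:
            return False, "virtual card expired"
        return True, "authorized"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the scenarios from the post against constructed data and return the outcomes."""
    secret = b"constructed-per-card-secret-demo-only"
    app = PhoneApp("cardref-0001", secret)
    issuer = IssuerBlackBox({"cardref-0001": secret})
    t0 = 1_700_000_000
    results = {}
    nfc = app.create_virtual_card("nfc", t0)
    results["nfc_in_time"] = issuer.authorize(nfc, t0 + 5)             # presented 5 s later
    results["nfc_replay"] = issuer.authorize(nfc, t0 + 6)              # same card again
    late = app.create_virtual_card("nfc", t0)
    results["nfc_too_late"] = issuer.authorize(late, t0 + 61)          # one second past the window
    results["nfc_retry_after_reject"] = issuer.authorize(late, t0 + 62)
    remote = app.create_virtual_card("remote", t0)
    results["remote_in_time"] = issuer.authorize(remote, t0 + 240)     # 4 minutes into a 5-minute window
    tampered = VirtualCard(nfc.pan_ref, 99, "nfc", t0 + 60, nfc.mac)   # fields changed, MAC kept
    results["tampered"] = issuer.authorize(tampered, t0 + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

Note that the MAC in this model only gives the issuer a way to recognize a card it issued; it does nothing for the confidentiality of the data travelling from the phone to the back end, which is exactly the gap the post lists later under risks.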
What are the benefits?
- No TSMs or SE provisioning.
- No MNOs, no SE issuer domain fees: Bank is the issuer.
- Multiple NFC wallets/payment methods can live in the phone without SE storage-size constraints or the creation of secure issuer domains.
- Possibility to build a consistent user experience across all bank-offered mobile services.
- Branding: the bank’s brand can be made as strong as its user experience and usability.
Who does it?
This is Bankinter’s solution, but it is not alone. There are other, smaller companies in the market that provide the same thing.
Threats, risks and limitations:
- No encryption of the data that is created by the application on the phone and sent to the back-end server.
- Even if the one-time mobile virtual card is valid only for 60 seconds, there could still be a very fast man-in-the-middle: a sprinter!
- Currently it only works on Blackberry OS. Why? Because Blackberry is the only handset manufacturer that has decided to open the interface of its NFC chipset in such a way that it can also talk to alternative SE form factors. Currently all other NFC chipsets on other mobile OSes are only permitted to talk to hardware-based SEs, not to the phone itself (this was, by the way, originally strongly required by MNOs and SE chip vendors). However, this open API is included in the NFC specifications, and it would only require a ‘switch-on’ from the phone vendor to the chip manufacturer.
- This specific solution is Bankinter’s own, which, of course, is a limitation in itself. But as said, it is not the only one in the market.
- It lacks EMV certification. Bankinter says it is ‘EMV compatible’, which does not mean it is ‘EMV compliant’. However, it works well with the current infrastructure and they have received a Visa waiver. It is good to also remember that the ‘traditional’ NFC trials started with waivers: there was no certification in place for SEs on the phone some five years back!
Bankinter’s business model:
- They see it as a perfect solution for banks.
- Bankinter said at the recent Mobey Forum member meeting that they will make the solution ‘extremely price competitive, something like personalizing a contactless plastic card today’.
- They will license the front-end software (for which they have a patent) and sell the back-end server module (the Issuer’s Black Box) either as a SaaS model or as an in-house implementation.
What’s next?
In my next blog entry, we’ll have some fun predicting the future for this type of solution becoming more popular: what would various players in the market do and how would SE in the cloud affect their business models?