We recently invited HTC One owners to take part in testing NFC payments and now we want to thank everyone who got involved and contributed to the development of contactless payments in our country. Today, the “Wallet” application has already become available to all owners of HTC One and Philips Xenium W336 after a firmware update, and in the near future it will also be able to be used by owners of HTC One Dual SIM, HTC One Max, HTC One SV, HTC Desire 500, HTC Desire 600 and Philips Xenium W8555.
In the comments to the previous post and hubdialogues, there were many questions about how the “Wallet” works and what needs to be done to place a bank card or travel ticket in it without removing the back cover of the phone or using double-sided tape. In this post I will try to answer these questions and tell you how it works.
A bank or transport company purchases “blank” cards and writes their application with the client’s “payment data” onto them. This process, called personalization, is carried out in so-called personalization bureaus, which can be either internal divisions of service providers or individual companies on the market. During the personalization process, the data on the card is encrypted and locked with keys, making it impossible to change it. Moreover, the architecture of modern smart cards makes it possible at the hardware level to distinguish between their state before and after personalization, which completely eliminates the possibility of changing (falsifying), for example, your payment data after the card is issued.
The evolution of cards from magnetic stripe (MagStripe) to chip-based (EMV) and contactless interface (RFID) smart cards has meant that the card form factor no longer matters. This makes it possible to use any object as a “carrier” of the card: a plastic card, watch, bracelet, sticker, keychain and, of course, a smartphone.
At the same time, NFC is an extension of the existing standard for contactless smart cards ISO 14443, which, as we have already noted, is used in modern bank cards, office and parking passes, metro tickets, Troika cards and Podorozhnik cards. In other words, the NFC standard inherits the entire ISO 14443 standard, thereby ensuring 100% compatibility between NFC smartphones, contactless cards and existing reception infrastructure.
In an NFC-compatible phone, in order for it to be a full-fledged NFC device, in addition to the NFC antenna and NFC controller, it must have a so-called Secure Element - a separate microprocessor, similar to the one found in plastic cards. He will be responsible for the secure storage and execution of payment applications (for example, MasterCard Mobile PayPass). Secure Element can be built-in (installed on the phone's motherboard) or located on a detachable module: UICC SIM card or SD memory card.
The first attempt to place a card in a phone in the Russian Federation was made by mobile operators, for example, MTS and Russian Standard Bank, Megafon and a transport card in Yekaterinburg, Beeline and a transport card in Kazan, etc. To do this, they needed to purchase a batch of special UICC SIM cards with Secure Element, negotiate with a bank or transport company to pre-register a payment or transport application there, take the SIM cards to the security office to carry out the industry-standard “contact personalization” process, and then exchange Subscribers' old SIM cards are replaced with new ones at service centers.
Yes, you can put a card in your phone this way, and it works. But what if you need another bank? Or a transport company in another city? Or maybe in two cities? The SIM card will have to travel through all the authorities before it gets into your hands, and the mobile operator will have to negotiate with all these companies. However, to reissue a bank card, for example, due to expiration, the operation will have to be repeated.
Main functions of TSM:
Keys from Secure Element are stored on highly specialized HSM (Hardware Security Module) servers, which are an integral part of the TSM platform. Without the participation of the latter, it is impossible to gain access to the chip - this is exactly the same principle that the plastic card industry works on, only the keys are under the control of the bank or transport company that issued the card.
The user chooses which card to pay for the purchase through the “Wallet” application, which displays cards issued and available for issue, and also accepts applications for the issuance of new cards. The application is sent to the service provider, who, instead of recording payment data on a plastic card, transfers this data via TSM to the Secure Element of the phone.
In most cases, if the Wallet application uses the Secure Element built into phones, then there is often no point in putting it on Google.Play, since partnership with phone manufacturers provides an important advantage: the manufacturer pre-installs the user application into the phone along with the firmware, it is not needed promote, no need to download or install - it’s already on your phone - as native as Calculator.
Thus, it will not yet be possible to release any card for any phone, but movement in this direction is already underway, and it is obvious to all market participants that this is a natural evolutionary step. Both phone manufacturers are interested in this (new functionality that is cooler than an extra megapixel in the camera), and mobile operators (for approximately the same reason), and service providers (a new audience and sales channel with interactive interaction), and users (tired of many different plastic cards).
Today, you can issue a TKS Bank bank card in Wallet, and by the end of the year, payment for travel on transport will also be available: the cities of Vologda and Cheboksary will start as a pilot zone. Next year there will be significantly more cards available for release. Contactless impressions to you!
(c) https://habr.com/ru/companies/ifree/articles/202738/
In the comments to the previous post and hubdialogues, there were many questions about how the “Wallet” works and what needs to be done to place a bank card or travel ticket in it without removing the back cover of the phone or using double-sided tape. In this post I will try to answer these questions and tell you how it works.
How payment cards work
A payment card (smart card) is a microprocessor placed in a piece of plastic of a standardized size, which, upon contact with the reader, receives sufficient power to operate and launches the operating system with the payment application installed in it (most often a Java applet in a *nix-like operating system system). Contactless smart cards, which have long been fare cards in public transport and are rapidly becoming bank cards (MasterCard PayPass, VISA PayWave), work on the same principle, only they receive power from the electromagnetic field of the reader at the cash register or turnstile. All contactless bank cards and the vast majority of transport cards are united by the ISO 14443 standard .A bank or transport company purchases “blank” cards and writes their application with the client’s “payment data” onto them. This process, called personalization, is carried out in so-called personalization bureaus, which can be either internal divisions of service providers or individual companies on the market. During the personalization process, the data on the card is encrypted and locked with keys, making it impossible to change it. Moreover, the architecture of modern smart cards makes it possible at the hardware level to distinguish between their state before and after personalization, which completely eliminates the possibility of changing (falsifying), for example, your payment data after the card is issued.
The evolution of cards from magnetic stripe (MagStripe) to chip-based (EMV) and contactless interface (RFID) smart cards has meant that the card form factor no longer matters. This makes it possible to use any object as a “carrier” of the card: a plastic card, watch, bracelet, sticker, keychain and, of course, a smartphone.
How NFC phones work
NFC is just a wireless data transfer technology. The same as Bluetooth or WiFi, it only works over a short distance and not a very high frequency (13.56 MHz), which is its advantage, since it eliminates the possibility of an “accidental” connection.At the same time, NFC is an extension of the existing standard for contactless smart cards ISO 14443, which, as we have already noted, is used in modern bank cards, office and parking passes, metro tickets, Troika cards and Podorozhnik cards. In other words, the NFC standard inherits the entire ISO 14443 standard, thereby ensuring 100% compatibility between NFC smartphones, contactless cards and existing reception infrastructure.
In an NFC-compatible phone, in order for it to be a full-fledged NFC device, in addition to the NFC antenna and NFC controller, it must have a so-called Secure Element - a separate microprocessor, similar to the one found in plastic cards. He will be responsible for the secure storage and execution of payment applications (for example, MasterCard Mobile PayPass). Secure Element can be built-in (installed on the phone's motherboard) or located on a detachable module: UICC SIM card or SD memory card.
Recording a payment card in your phone
If a phone with NFC support has the same microprocessor as in plastic cards, the conclusion suggests itself - the same payment applications can be written into the phone and the same contactless payments can be made by touching the phone to the reader.The first attempt to place a card in a phone in the Russian Federation was made by mobile operators, for example, MTS and Russian Standard Bank, Megafon and a transport card in Yekaterinburg, Beeline and a transport card in Kazan, etc. To do this, they needed to purchase a batch of special UICC SIM cards with Secure Element, negotiate with a bank or transport company to pre-register a payment or transport application there, take the SIM cards to the security office to carry out the industry-standard “contact personalization” process, and then exchange Subscribers' old SIM cards are replaced with new ones at service centers.
Yes, you can put a card in your phone this way, and it works. But what if you need another bank? Or a transport company in another city? Or maybe in two cities? The SIM card will have to travel through all the authorities before it gets into your hands, and the mobile operator will have to negotiate with all these companies. However, to reissue a bank card, for example, due to expiration, the operation will have to be repeated.
Remote Personalization and TSM Platform
Fortunately, unlike a plastic card, a phone is an interactive device that is always connected (be it Wi-Fi or a cellular network), which means you can write cards into it, firstly, remotely, and secondly, only those service providers that are right for you. To implement this function, the role of TSM (Trusted Service Manager) was formulated - a trusted intermediary, uniting, on the one hand, service providers (banks, transport, etc.), and on the other, Secure Element chips in all their forms. We developed exactly this TSM platform at i-Free and certified it to comply with all necessary standards.Main functions of TSM:
- Aggregation of different service providers. A bank or other service provider connects to TSM using a standard protocol and gains access to multiple Secure Elements, i.e. gets the opportunity to issue cards for many users. At the same time, he does not need to negotiate separately with each mobile operator or with each telephone manufacturer. This part of the TSM is called SP TSM (Service Provider TSM).
- Aggregation of various Secure Elements. The owner of Secure Element (cellular operator or phone manufacturer) connects to TSM using a standard protocol and gets access to multiple service providers, i.e. gets the opportunity to provide its users with many services. At the same time, he does not need to negotiate separately with each service provider; he does not need to take into account the features of each service, hardware and system capabilities of different Secure Elements. This part of the TSM is called SEI TSM (Secure Element Issuer TSM).
How the TSM platform works
The TSM platform provides remote management of Secure Element chips in users' phones through a secure communication channel. At the direction of the service provider, TSM records (or deletes, for example, in the event of a smartphone loss) the personalization data of the card in the Secure Element of the phone, using the phone itself solely as a modem. In addition, the platform allows service providers to remotely “look” into the data of the cards they issue, for example, to conduct an audit or display on the phone screen the current balance for travel payment cards or loyalty cards (if the balance is stored on the card).
Keys from Secure Element are stored on highly specialized HSM (Hardware Security Module) servers, which are an integral part of the TSM platform. Without the participation of the latter, it is impossible to gain access to the chip - this is exactly the same principle that the plastic card industry works on, only the keys are under the control of the bank or transport company that issued the card.
The user chooses which card to pay for the purchase through the “Wallet” application, which displays cards issued and available for issue, and also accepts applications for the issuance of new cards. The application is sent to the service provider, who, instead of recording payment data on a plastic card, transfers this data via TSM to the Secure Element of the phone.
Custom Application
The Wallet application runs on the phone's operating system, which by definition is not secure, and, accordingly, the Wallet does not carry any security-related functions. The main role of the application, in addition to demonstrating issued and available cards, is to provide a communication channel between Secure Element and TSM, as well as providing the user with interactive interfaces to applications (cards) loaded into Secure Element.In most cases, if the Wallet application uses the Secure Element built into phones, then there is often no point in putting it on Google.Play, since partnership with phone manufacturers provides an important advantage: the manufacturer pre-installs the user application into the phone along with the firmware, it is not needed promote, no need to download or install - it’s already on your phone - as native as Calculator.
Any card in any phone
To turn a phone into a bank card, TSM must obtain access to Secure Element either from the manufacturer of this phone or from the owner of the SIM card (cellular operator). Since payment cards are not transferred to the phone and are not “linked” (otherwise they will be considered “duplicates”), but are issued anew, then in order to issue a bank card from a bank to the phone, this bank must connect to TSM.Thus, it will not yet be possible to release any card for any phone, but movement in this direction is already underway, and it is obvious to all market participants that this is a natural evolutionary step. Both phone manufacturers are interested in this (new functionality that is cooler than an extra megapixel in the camera), and mobile operators (for approximately the same reason), and service providers (a new audience and sales channel with interactive interaction), and users (tired of many different plastic cards).
Today, you can issue a TKS Bank bank card in Wallet, and by the end of the year, payment for travel on transport will also be available: the cities of Vologda and Cheboksary will start as a pilot zone. Next year there will be significantly more cards available for release. Contactless impressions to you!
Afterword
Many of the processes (both technological and business) described in this post are greatly simplified to make the whole picture easier to understand. Perhaps, in a sense, this text is even more suitable for the magazine “Peasant Woman” than for Habr, but such introductory material would not be enough for further publications concerning payment cards in the phone. Based on your questions and comments, we will gradually reveal individual parts of this large and, we hope, interesting topic.(c) https://habr.com/ru/companies/ifree/articles/202738/
