Anyone bringing a Mobile Payment product to market needs to take security seriously. Organizations offering payment services put themselves at risk of fraud and serious reputational damage. Equally, consumers will not use a financial service that they perceive to be insecure.
Securing Mobile Payment applications requires a different mindset to securing card payments or protecting IT systems. The traditional security models are not available or simply do not work in this ecosystem. This means that the banks, their product teams and their security teams need to understand the paradigm shift to the new security models required to support mobile payments. These models are tailored to a software-only solution and take advantage of the flexible nature of software and connected devices.
Typically, this new security model utilises tokenization to provide over-the-air updates of payment credentials and WhiteBoxes to provide protection for cryptographic operations and data. These techniques are only part of the security model. A full solution will also require powerful software protection technologies, including anti-tamper, to defend the application, its WhiteBoxes and the tokenization process. When combined, these give a strong model for protecting Mobile Payments.
This paper uses Host Card Emulation (HCE) as an example of mobile payments but the principles discussed apply to any mobile payment product.