Thales Enables RPC’s New Mobile Payment Application
Slovakia-based Regional Card Processing Centre, s.r.o. (RPC) is a member of Raiffeisen International A.G., a leading banking group in the central and eastern European region. RPC’s team handles credit and debit card issuing and processing, merchant sign-up, and fraud risk monitoring for the group, earning the company $17M in revenue. RPC’s clients include Tatra Bank as well as Raiffeisen Banks from Albania, Bulgaria, Czech Republic, Croatia, Romania, Serbia and Kosovo.
RPC wanted to extend its services portfolio to provide cardholders with the option to perform in-store purchases using a smartphone. Ľudovít Kuruc, RPC’s project manager, described, “We wanted to offer the convenience of smartphone transactions but had to ensure that we had end-to-end security to protect the sensitive data at all times. Additionally, because the market is evolving extremely quickly and is so unpredictable, the greatest challenge was to select a security solution that was flexible, scalable and offered long-term viability.”
The RPC infrastructure is very complex, spanning four countries and involving banks, card processing centers, and provisioning service vendors. “Our primary technical requirements were to provide security, high availability, and interoperability across our diverse environment,” recounted Kuruc. “We became very interested in Host Card Emulation (HCE), an alternative approach to mobile payment security.”
HCE is expected to deliver a simplified, lower cost approach for contactless mobile payments and digital secure remote e-commerce payments over the internet, removing much of the technical and business complexity associated with the alternative secure element implementation model. However, HCE introduces new security challenges and risk models that mean banks require security enhancements to their existing card issuing and transaction processing infrastructures. Limited-use credentials are delivered to the phone in advance to enable contactless transactions to take place. Although this method enables banks to maintain control, it has a different profile of security and risk challenges that need to be addressed, resulting in numerous technical approaches that can be taken.
RPC moved forward with the development of its digital payment application that enables contactless mobile payments via HCE-prepped Android smartphones at point of sale terminals. “Given the criticality of this offering to RPC, my team was focused on finding the optimal HCE security solution in the shortest possible timeframe,” Kuruc recalled.
RPC has been utilizing Thales hardware security modules (HSMs) in its main data centers for some years. Thales HSMs can also be used to secure HCE-based solutions: payment credentials are securely generated by the issuer and stored centrally using HSMs. As an integral part of the overall risk profile, the card issuers also have the flexibility to decide how many keys are saved on each phone to cover situations where authorization without handset data connectivity is needed. This exactly matched RPC’s requirements.
Kuruc observed, “In our evaluation of possible HCE security solutions we found all other vendors were quickly excluded once we learned that the Thales payShield 9000 HSM had the required critical functionality – such as industry-compliant cryptography, key management and transaction processing – already integrated into the module and was already proven in the field with leading mobile payment solution providers. The alternatives would have added unnecessary complexity to an already very complicated project.”
He added, “The integration of payShield 9000 was very smooth; the HSM worked exactly as described in the preliminary specifications we received, complying with all of the various payment card scheme specifications we needed to meet.”
Thales has been at the forefront of offering HCE support in its HSM software, working closely with the major card schemes since the initial HCE proprietary specifications were first made available to the vendor community in 2014, so RPC was able to quickly benefit from this expertise. The payShield 9000 HSMs already deployed by RPC only needed software license upgrades (which can be performed remotely using the payShield Manager remote management tool) to support HCE. This was more cost effective than having to buy additional HSMs or being forced to migrate to a totally different HSM model.
Thales has more than 25 years of experience with payment system security solutions. The payShield 9000 is the most widely implemented payment HSM in the world, used in an estimated 80% of all payment card transactions.
Despite its sophistication, the solution is extremely easy to use: RPC customers simply install the application from Google Play Store, enroll, and are then completely ready to make purchases. Behind the scenes, the payShield 9000 HSM keeps transactions protected.
Kuruc noted, “When we compared the price of another vendor’s device – plus its maintenance fees, hosting, testing and upgrades, implementation of new interfaces, and the extra networking complexity, etc. – it would have added in the order of €50,000-100,000. In comparison, the Thales solution is very compelling and enabled us to standardize on payShield 9000 throughout our infrastructure!”
The Perfect Security Solution
Kuruc summarized, “payShield 9000 has proven to be the perfect match for our digital payment application requirements because it is robust, reliable, rich in functionality, and complies with all the payments regulations, including the independent PCI HSM certification, reinforcing its security pedigree.”
About Thales eSecurity
Thales eSecurity is a leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premise, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.