Slovakia-based Regional Card Processing Centre, s.r.o. (RPC) is a member of Raiffeisen International A.G., a leading banking group in the central and eastern European region. RPC’s team handles credit and debit card issuing and processing, merchant sign-up, and fraud risk monitoring for the group, earning the company $17M in revenue. RPC’s clients include Tatra Bank as well as Raiffeisen Banks from Albania, Bulgaria, Czech Republic, Croatia, Romania, Serbia and Kosovo.
RPC wanted to extend its services portfolio to provide cardholders with the option to perform in-store purchases using a smartphone. Ľudovít Kuruc, RPC’s project manager, described, “We wanted to offer the convenience of smartphone transactions but had to ensure that we had end-to-end security to protect the sensitive data at all times. Additionally, because the market is evolving extremely quickly and is so unpredictable, the greatest challenge was to select a security solution that was flexible, scalable and offered long-term viability.”
The RPC infrastructure is very complex, spanning four countries and involving banks, card processing centers, and provisioning service vendors. “Our primary technical requirements were to provide security, high availability, and interoperability across our diverse environment,” recounted Kuruc. “We became very interested in Host Card Emulation (HCE), an alternative approach to mobile payment security.”
HCE is expected to deliver a simplified, lower cost approach for contactless mobile payments and digital secure remote e-commerce payments over the internet, removing much of the technical and business complexity associated with the alternative secure element implementation model. However, HCE introduces new security challenges and risk models that mean banks require security enhancements to their existing card issuing and transaction processing infrastructures. Limited-use credentials are delivered to the phone in advance to enable contactless transactions to take place. Although this method enables banks to maintain control, it has a different profile of security and risk challenges that need to be addressed, resulting in numerous technical approaches that can be taken.
RPC moved forward with the development of its digital payment application, which enables contactless mobile payments via HCE-prepped Android smartphones at point-of-sale terminals. “Given the criticality of this offering to RPC, my team was focused on finding the optimal HCE security solution in the shortest possible timeframe,” Kuruc recalled.
RPC has been utilizing Thales hardware security modules (HSMs) in its main data centers for some years. These same HSMs can also be used to secure HCE-based solutions: payment credentials are securely generated by the issuer and stored centrally using HSMs. As an integral part of the overall risk profile, card issuers also have the flexibility to decide how many keys are saved on each phone, to cover situations where authorization without handset data connectivity is needed. This exactly matched RPC’s requirements.
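To illustrate the limited-use credential model described above (issuer-side key generation, a fixed number of keys pushed to the phone in advance, and the phone spending one per transaction even when offline), here is an added, simplified simulation. It is not RPC’s or Thales’ code; the HMAC-based derivation, the counter format and the replenishment threshold are assumptions chosen for illustration, not the card-scheme specifications.

```python
import hmac
import hashlib
import secrets

AMOUNT_LEN = 8   # assumed: transaction amount encoded as 8-byte big-endian
COUNTER_LEN = 4  # assumed: per-key counter encoded as 4-byte big-endian


class Issuer:
    """Issuer side: holds the master key (in production this lives in the HSM)
    and derives a batch of limited-use keys (LUKs) for each phone."""

    def __init__(self, keys_per_phone):
        self.master = secrets.token_bytes(32)   # stand-in for an HSM-protected key
        self.keys_per_phone = keys_per_phone    # issuer's risk decision: keys held offline
        self.next_counter = 0
        self.used_counters = set()              # replay protection: each LUK is single-use

    def _derive_luk(self, counter):
        # Assumed derivation: LUK = HMAC-SHA256(master, counter). Never leaves the HSM.
        return hmac.new(self.master, counter.to_bytes(COUNTER_LEN, "big"), hashlib.sha256).digest()

    def provision(self):
        """Return a batch of (counter, LUK) pairs to deliver to one phone."""
        batch = []
        for _ in range(self.keys_per_phone):
            batch.append((self.next_counter, self._derive_luk(self.next_counter)))
            self.next_counter += 1
        return batch

    def verify(self, counter, amount, mac):
        """Authorize a transaction cryptogram; reject unknown, reused or forged keys."""
        if counter >= self.next_counter or counter in self.used_counters:
            return False
        expected = hmac.new(self._derive_luk(counter), amount.to_bytes(AMOUNT_LEN, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        self.used_counters.add(counter)
        return True


class Phone:
    """HCE app side: stores pre-delivered LUKs and consumes one per purchase."""

    def __init__(self):
        self.luks = []

    def load(self, batch):
        self.luks.extend(batch)

    def needs_replenish(self, threshold=1):
        return len(self.luks) <= threshold   # trigger a refresh next time connectivity exists

    def pay(self, amount):
        if not self.luks:
            raise RuntimeError("no limited-use credentials left; replenish online")
        counter, luk = self.luks.pop(0)      # each key is discarded after one use
        mac = hmac.new(luk, amount.to_bytes(AMOUNT_LEN, "big"), hashlib.sha256).digest()
        return counter, mac
```

Because every key is pre-derived from the central master key, the issuer can verify each cryptogram and detect replay without the phone being online at purchase time, which is the property the paragraph above refers to.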
Kuruc observed, “In our evaluation of possible HCE security solutions we found all other vendors were quickly excluded once we learned that the Thales payShield 9000 HSM had the required critical functionality – such as industry-compliant cryptography, key management and transaction processing – already integrated into the module and was already proven in the field with leading mobile payment solution providers. The alternatives would have added unnecessary complexity to an already very complicated project.”
He added, “The integration of payShield 9000 was very smooth; the HSM worked exactly as described in the preliminary specifications we received, complying with all of the various payment card scheme specifications we needed to meet.”
Thales has been at the forefront of offering HCE support in its HSM software, working closely with the major card schemes since the initial proprietary HCE specifications were first made available to the vendor community in 2014, so RPC was able to benefit quickly from this expertise. The payShield 9000 HSMs already deployed by RPC only needed software license upgrades (which can be performed remotely using the payShield Manager remote management tool) to support HCE. This was more cost effective than buying additional HSMs or being forced to migrate to a totally different HSM model.
Thales has more than 25 years of experience with payment system security solutions. The payShield 9000 is the most widely implemented payment HSM in the world, used in an estimated 80% of all payment card transactions.
Despite its sophistication, the solution is extremely easy to use: RPC customers simply install the application from Google Play Store, enroll, and are then completely ready to make purchases. Behind the scenes, the payShield 9000 HSM keeps transactions protected.
Kuruc noted, “When we compared the price of another vendor’s device – plus its maintenance fees, hosting, testing and upgrades, implementation of new interfaces, and the extra networking complexity, etc. – it would have added in the order of €50,000-100,000. In comparison, the Thales solution is very compelling and enabled us to standardize on payShield 9000 throughout our infrastructure!”
Comprehensive, certified, cost-effective security from Thales
Business challenge:
- Deliver a secure smartphone-based payment offering to customers
- Identify a security solution capable of supporting a quickly evolving and unpredictable market
- Optimize security while minimizing operational complexity and cost
- Limit reliance on phone-based credentials
Solution:
- payShield 9000 hardware security module from Thales
Results:
- Efficient enablement of HCE-based security for a digital payment application
- Transaction protection that meets or exceeds major international payment card compliance mandates
- Flexible, scalable and secure architecture supports dynamic market demands
The Perfect Security Solution
Kuruc summarized, “payShield 9000 has proven to be the perfect match for our digital payment application requirements because it is robust, reliable, rich in functionality, and complies with all the payments regulations, including the independent PCI HSM certification, reinforcing its security pedigree.”
About Thales Cloud Protection & Licensing
Today’s enterprises depend on the cloud, data and software in order to make decisive choices. That’s why the most respected brands and largest organizations in the world rely on Thales to help them protect and secure access to their most sensitive information and software wherever it is created, shared or stored – from the cloud and data centers to devices and across networks. Our solutions enable organizations to move to the cloud securely, achieve compliance with confidence, and create more value from their software in devices and services used by millions of consumers every day.