How Thales helped a leading bank quickly and securely implement mobile wallet technology to secure cloud-based payments in the banking sector – ahead of its competitors.
The Challenge: Deploying the First Live Host Card Emulation Solution in the Belarus Market
As one of the largest banks in the fast-growing economy of Belarus, MTBank wanted to enhance its leadership position by introducing mobile wallet services before any of its competitors.
Offering contactless mobile payments is difficult for banks: they need to support the broad range of phones their customers own, not all of those phones have secure elements, and developing an in-house solution usually demands complex new skills.
Host card emulation (HCE) may help address some of these issues since it turns Android smartphones into contactless payment devices, allowing users to make payments at point-of-sale terminals using a smartphone instead of a payment card. Customers benefit from increased flexibility and convenience, including the ability to consolidate multiple payment cards into a single mobile device if desired. Issuers typically see benefits in terms of easier provisioning, reduced ongoing maintenance costs and easy scalability – things that have often proved elusive with the secure element alternative. However, additional security and risk management techniques are required to deliver such benefits, because the payment credentials no longer sit in tamper-resistant hardware on the phone.
Security is possibly the most critical hurdle when using HCE technology. The standards set by international payment networks require every HCE solution to implement cryptographic functions using hardware security modules (HSMs) for encryption key storage and management. To succeed in its goal of allowing more than 300,000 bank cardholders to use cloud-based payments – and to do this as quickly as possible, before the competition – MTBank needed HCE technology with time-tested and proven cryptographic hardware that could integrate into its existing IT infrastructure, and a partner who could make it happen fast.
The Solution: An In-House HCE Solution With Built-in Tokenization and Authorization Services
MTBank chose D8 Corporation, a proven long-term partner that specializes in the development, integration and support of IT solutions for the banking and finance sectors, to implement this project.
D8’s HCE Payments platform integrates with the Thales payShield 9000 HSM and its cloud-based payments functionality. The Thales HSM enhances the security of the critical tokenization solution. Tokenization substitutes the actual payment account data with encrypted surrogate values called ‘tokens’; a token represents a fully functional digital copy of a payment ‘card account’ in the customer’s phone, without the phone needing to store the actual data that would be used for a companion chip-based credit or debit card. The Thales solution securely stores the tokens and manages the separate set of keys for creating and validating token-based transactions. Thales payShield HSMs ensure that cryptographic keys are stored using a secure and tamper-resistant mechanism for maximum security, while satisfying the requirements for obtaining MasterCard Cloud Based Payments (MCBP) certification.
Using Thales payShield HSMs enabled MTBank to implement its HCE payment platform quickly, as the solution required no changes to the bank’s existing processing infrastructure. It also ensured maximum security of all token-based transactions and full compliance with the requirements set by international payment networks. MTBank completed the project on schedule and became the first bank in Belarus to implement HCE technology, helping to earn a “Bank of the Year” award and strengthening its reputation as a key innovator in the region.
D8 evaluated several HSM manufacturers on behalf of MTBank and chose Thales for three critical reasons:
- Proven performance. With a very aggressive 90-day schedule for design and implementation, MTBank wanted a solution with an unmatched record of performance, as the bank could not afford any missteps or bugs with its HSM technology.
- Product reputation. MTBank and D8 knew that Thales products had the highest reputation for quality and that payShield 9000 technology was used in roughly 80% of all payment transactions worldwide.
- Exceptional support. D8 knew that the Thales customer support team could provide invaluable and highly responsive support, working quickly to fulfill requests and providing deep expertise in the implementation of HSMs in a wide variety of applications.
About the Solution
Designed specifically for payments applications, payShield 9000 from Thales is a proven hardware security module (HSM) that performs tasks such as PIN protection and validation, transaction processing, payment card issuance, and key management. payShield 9000 is the most widely deployed payment HSM in the world, used in an estimated 80% of all payment card transactions. The payShield 9000 design benefits from over 25 years of Thales experience with payment system security, giving organizations confidence in a state-of-the-art solution that delivers an ideal combination of security and operational ease. The payShield 9000 device is deployed as an external peripheral for mainframes and servers running card issuing, mobile provisioning and payment processing software applications for the electronic payments industry—delivering high assurance protection for Automated Teller Machine (ATM) and Point of Sale (POS) credit and debit card and mobile transactions. The cryptographic functionality and management features of payShield 9000 meet or exceed the card application and security audit requirements of the major international card schemes, including American Express, Discover, JCB, MasterCard, UnionPay, and Visa. payShield 9000 is certified to FIPS 140-2 level 3 and is also available in configurations certified to the PCI HSM v1.0 specification as published by the PCI Security Standards Council.
- Achieve comprehensive, certified security with a solution specially designed for card issuing, mobile provisioning and payment processing
- Secure keys within carefully designed cryptographic boundaries with robust access control mechanisms, so keys are only used for their authorized purpose
- Ensure key availability with sophisticated management, storage, and redundancy features to guarantee keys are always accessible when needed by the HCE Payments server
- Prevent reverse engineering of cryptographic keys and algorithms
- Add an additional encryption layer on top of the token vault to ensure maximum safety of the data from the real payment card
- Maximize business continuity with redundant hardware, field serviceable components, and support for clustering and failover
- Streamline deployment and maintenance and reduce the cost of compliance with a choice of software options tailored for issuers, processors, and acquirers
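The tokenization flow described on this page (a surrogate token standing in for the card account, an outer encryption layer over the token vault, and a separate key set for creating and validating token-based transactions) as an added Python sketch; it is not D8's or Thales's code. The HMAC-based stream cipher, the per-token key derivation and the 16-digit Luhn-valid token format are assumptions standing in for the AES and key-derivation functions an HSM such as payShield would perform, and the application transaction counter (ATC) used for replay detection is likewise assumed.

```python
import hashlib, hmac, secrets

# Constructed demo keys: stand-ins for keys that, in the design described above, live only inside the HSM.
VAULT_KEY = secrets.token_bytes(32)         # outer encryption layer over the vault
TOKEN_MASTER_KEY = secrets.token_bytes(32)  # separate key set for token transactions

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:  # toy HMAC-CTR cipher, stand-in for HSM AES
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)

def luhn_check_digit(payload: str) -> str:  # so a token still passes basic card-number checks
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class TokenVault:
    def __init__(self):
        self._entries = {}   # token -> (nonce, encrypted PAN); PAN never stored in clear
        self._last_atc = {}  # token -> last accepted application transaction counter
    def tokenize(self, pan: str) -> str:
        body = "9" + "".join(str(secrets.randbelow(10)) for _ in range(14))  # random surrogate, not derived from PAN
        token = body + luhn_check_digit(body)
        nonce = secrets.token_bytes(16)
        self._entries[token] = (nonce, _stream_xor(VAULT_KEY, nonce, pan.encode()))
        self._last_atc[token] = 0
        return token
    def detokenize(self, token: str) -> str:
        nonce, ct = self._entries[token]
        return _stream_xor(VAULT_KEY, nonce, ct).decode()

def token_key(token: str) -> bytes:  # per-token transaction key derived from the master key
    return hmac.new(TOKEN_MASTER_KEY, token.encode(), hashlib.sha256).digest()

def make_cryptogram(token: str, amount: int, atc: int) -> str:  # what the phone-side wallet would compute
    msg = f"{token}|{amount}|{atc}".encode()
    return hmac.new(token_key(token), msg, hashlib.sha256).hexdigest()[:16]

def authorize(vault, token, amount, atc, cryptogram):
    """Validate the token transaction first; only then map the token back to the real PAN."""
    if token not in vault._entries or atc <= vault._last_atc[token]:
        return None  # unknown token, or a replayed transaction counter
    if not hmac.compare_digest(make_cryptogram(token, amount, atc), cryptogram):
        return None  # tampered amount or cryptogram made under the wrong key
    vault._last_atc[token] = atc
    return vault.detokenize(token)  # real PAN released only to the issuer host
```

A compromise of the vault database alone yields only ciphertext, and a captured cryptogram cannot be replayed or re-bound to a different amount, which is what the separate key sets on the page buy the issuer.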
About Thales eSecurity
Thales eSecurity is a leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premises, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk; it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and, with the internet of things (IoT), even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.
About D8 Corporation
D8 Corporation is an international company that specializes in the development, integration and support of IT solutions for the banking and finance sectors. Its main business focus is the development and integration of payment and loyalty card processing solutions, mobile payment systems, fraud prevention systems and AML/CTF process automation solutions, as well as associated post-project support under SLAs.