2008, 2009, 2010 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the
EMV Specifications (Materials) shall be permitted only pursuant to the terms and
conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.cfm.
Contents
1
Scope
1.1
Audience
References
2.1
2.2
1
2
EMV Documents
External References
2
2
Definitions
4.1
Abbreviations
Architecture
6.1
System Architecture
6.2
Architectural Zones
6.2.1
Definition of Architectural Zones
6.2.2
EMVCo Role
6.3
Handset Physical Architecture
6.4
Secure Element Architecture
8
10
10
12
13
14
Application Choice
16
19
20
10
Security
22
Summary
22
23
24
24
24
25
25
25
26
Page ii
Scope
1.1 Audience
This document is intended for all interested stakeholders in the mobile payment
ecosystem including but not limited to:
Page 1
References
The following documents are referenced in this document. The latest version
shall apply unless a publication date is explicitly stated.
2.1
EMV Documents
[ROLE]
[CCPS]
2.2
External References
[102588]
[14443]
[18092]
[7816]
[GPCS]
[HCI]
[SWP]
Page 2
Definitions
Confirmation Code
Contactless Mobile
Payment
Contactless Mobile
Payment
Application
Contactless Module
Contactless
Payment Terminal
EMV
EMVCo
Page 3
Handset
Man Machine
Interface
Mobile Device
Mobile Handset
A handset.
Near Field
Communications
SECM
Secure Element
SIM
SWP
UICC
User Interface
Page 4
June 2010
4
4.1
7816
AAUI
ADF
AID
Application Identifier
APDU
CMP
CRS
ETSI
GP
GlobalPlatform
GSMA
HCI
I2C
MMC
MultiMediaCard
MMI
Man-Machine Interface
NCI
NFC
OTA
PAN
PDA
PIN
PPSE
S2C
Page 5
SCP
SCWS
SD
SE
Secure Element
SECM
SWP
UI
User Interface
UICC
Page 6
June 2010
Contactless payment functionality has been mainly deployed in the form of ID-1
form factor cards. However, as contactless payment acceptance is not constrained
to a particular physical shape, and as cardholder convenience may benefit from
the integration of contactless payment in devices other than cards, alternative
contactless-enabled devices have been developed, for instance key fobs or mobile
handsets.
Mobile devices, in particular mobile handsets, are especially suitable devices for
hosting contactless payment functionality, since:
They typically offer embedded secure storage and processing units, such as
the UICC cards used by some mobile telephony technologies, or other kinds of
embedded secure modules.
Their widespread ownership and use is of great help in solving the cost and
distribution issues traditionally associated with any mass rollout of new
application-specific tokens or hardware devices, e.g., smart cards and smart
card readers.
Their relatively modest cost and their pervasive nature make them very
attractive to consumers.
Page 7
Architecture
6.1
System Architecture
Mobile Device
Personalisation
and provisioning
server
User
Interface
Wide area
modem
Application
Environment
Update
Server
Payment
application
Payment
application
issuer
Secure
Element
Secure
Element
Secure
Element
Router
Contactless module
(NFC Controller)
Contactless
Payment
Terminal
Payment
system
network
Page 8
June 2010
The CMP capable mobile device has a number of logical components 1, including:
A user interface (UI), also known as a Man-Machine Interface (MMI). The UI,
e.g. a display area and key pad, displays necessary information and provides
the input mechanism for user selection and payment functions.
One or more secure elements. A secure element hosts one or more EMV based
contactless mobile payment applications, and may also host other non-EMV
contactless applications;
A wide area modem 4 which provides network connectivity for both the
application environment, and for provisioning and personalization of payment
application onto a Secure Element 5.
1 The components described in this section are logical components, and do not necessarily
have a one-to-one correspondence with physical components.
Note that the contactless module may support contactless protocols other than just
CCPS, for example, it may support MiFare, FeliCa or NFC [18092].
2
3 Where a mobile device supports only a single secure element, or allows only one secure
element to be active at a time, the routing capability may operate as a switch, rather than
having dynamic routing capability.
For a mobile handset, the wide area modem is typically a cellular modem, but the wide
area modem includes WiFi or other local area network interfaces which are connected via
a gateway to a wide area network.
4
Note that while Figure 3 shows a direct connection between the secure element and the
wide area modem this may be implemented through the mobile device OS, or via an
application which acts as a relay between the SE and the wide area modem.
Page 9
6.2
6.2.1
Architectural Zones
Definition of Architectural Zones
Page 10
June 2010
Personalisation
backend
D
Mobile Device
Personalisation
and provisioning
server
User
Interface
Wide area
modem
Application
Environment
ASecure
Update
Server
Element
Secure
Element
Secure
Element
Payment
application
issuer
Router
Contactless module
(NFC Controller)
C
F Contactless
Payment
Terminal
Payment
system
network
Description
CMP related
Contributing
Page 11
organisations
A
EMVCo, GSMA
Payment systems
EMVCo, Payment
systems
EMVCo, GSMA,
Payment systems
EMVCo, Payment
systems
6.2.2
EMVCo Role
Page 12
June 2010
2. Profiles and usage guidelines: CMP applications will make use of general
purpose architectural elements defined by other organisations. EMVCo
will liaise with these other organisations to communicate the
requirements that CMP places on such elements. EMVCo will also publish
profiles and guidelines on how such elements are to be used in the context
of CMP in order to promote interoperability.
3. Requirements: There are areas in which there are no existing standards,
and these areas may extend beyond only contactless mobile payment. In
such cases, EMVCo will gather together the requirements that contactless
mobile payments place on these areas, and publish these requirements to
assist the wider mobile industry in developing products and systems
which are suitable for supporting contactless mobile payment.
4. Certification and type approval processes: In support of the above
mentioned deliverables, EMVCo will also develop processes to determine
the level of conformance of implementations to these specifications,
profiles and requirements. The certification and type approval processes
may make use of industry testing and conformance procedures, or where
appropriate, EMVCo may develop its own processes for testing.
6.3
Page 13
ISO 7816
interface
with
baseband
Removable
card, e.g.
SD/MMC
cards
M
e
m
Handset
Connection
to Secure
Element
(e.g. SWP,
ISO7816,
S2C etc)
UICC Card
SE
Contactless
Module
(NFC
Controller)
Cntl
Communication link
between the UICC and
contactless module (e.g.
SWP, HCI)
SE
Contactless
antenna
SD/MMC
Interface
Baseband
and
Application
Processor
Communication link
between the
Application processor
and the contactless
module, (e.g. NCI)
6.4
Page 14
June 2010
SECM
Device interface
Antenna interface
Figure 4 Secure Element Logical Architecture
From a logical point of view, an SE has the following parts:
1. An operating system which supports the secure execution of applications
and secure storage of application data. The operating system may also
support the secure loading of applications.
2. A device interface which enables commands and responses to be
exchanged with the mobile device. The device interface allows the mobile
device to communicate with applications in the SE and the SECM.
3. An antenna interface which enables the exchange of commands and
responses between an application in the SE and a contactless terminal via
the contactless module of the mobile device.
4. Secure Element Contactless Management (SECM) The SECM 6 is
responsible for maintaining a list of contactless applications on the secure
element, the status of the applications, and data associated with the
application. The status of the application indicates if the application is
available for selection on the contactless interface. Information associated
with the application includes Application Definition File (ADF) Name, the
application lifecycle state and the application priority.
Page 15
Application Choice
Page 16
June 2010
Application
Application
Activation
ActivationUser
User
Interface
Interface
SECM
App
App
Secure Element
SECM
PPSE
Routing
Table
Router
App
App
Secure Element
SECM
App
App
Contactless module
(NFC Controller)
Page 17
The application activation user interface: This is the element with which
the user interacts to perform application selection. There may be more
than one AAUI on a mobile device, however at any one time only one
AAUI is active.
The Application Activation User Interface (AAUI) is the element with which the
user interacts. The AAUI presents the list of available applications to the user,
allowing the user to activate, deactivate and prioritise the applications. The
AAUI is also responsible for detecting and resolving (possibly through interaction
with the user) conflicts between applications which the user wishes to have
simultaneously active. In order to be able to present the list of applications to the
user, the AAUI must interact with the SECM on each of the secure elements to
gather the list of available applications and their status. The AAUI is also
responsible for updating the SECM if the user makes any changes to the
activation state or priority of an application.
Once the user has chosen the activation state and priority order of the available
applications, the AAUI is responsible for populating the PPSE. The PPSE
contains a list of the active contactless payment (and possibly other) applications,
each with an associated priority.
The AAUI is also responsible for updating the routing table so that
communications sent and received through the contactless antenna are routed to
the correct SE or the device host.
9 Note that the PPSE is a shared application which will be used by all CMP applications
on the mobile device.
Page 18
June 2010
Personalisation
backend
Mobile Device
Personalisation
and provisioning
server
User
Interface
Wide area
modem
Application
Environment
Secure
Element
Secure
Element
Secure
Element
Router
Contactless module
(NFC Controller)
10 Note that for some types of SE it may be possible to provision and personalise the
payment application before distribution of the SE. It is also possible to perform the
provisioning and personalisation over the contactless interface. These options are valid,
but are not the focus of the work in EMVCo.
Page 19
As shown in Figure 6 the mobile device communicates with the provisioning and
personalisation server via the wide area (e.g. cellular) modem. The
personalisation and provisioning server is responsible for transferring the
application and personalisation data to the secure element. This includes
providing the necessary cryptographic material required by the secure element or
application in order to allow installation or personalisation.
The personalisation backend provides the connectivity to the issuer, or the
issuers agent, for the initial generation of the personalisation data. It is also
responsible for providing a chain of trust between the issuer and the secure
element, including appropriate logging to assist in audit, repudiation and
forensics.
Page 20
June 2010
Mobile Device
User
Interface
Wide area
modem
Application
Environment
Update
Server
Payment
application
issuer
Secure
Element
Secure
Element
Secure
Element
Router
Contactless module
(NFC Controller)
Contactless
Payment
Terminal
Payment
system
network
Page 21
Specific to CMP is that it can make use of the wide area network channel
(typically a cellular channel) that the mobile device has available. In this case, a
link is set up between the payment application and the issuer. In Figure 7 this is
shown as a link via the Update server. The processing of scripts and updates
may be synchronous or asynchronous with the transaction. It should be noted
that the wide area network may not always be available at the time of the
transaction. For this option, EMVCo will consider the mechanism by which the
update server establishes a link with the contactless mobile payment application
and elaborate on the elements of the issuer cloud shown in Figure 7.
The update and reset system is in Zone H.
10 Security
This section provides an overview of the security objectives for the contactless
mobile payment system, and where the security functions reside.
Four main factors are likely to differentiate CMP from other contactless payment
devices:
The use of mobile device features and components to support the contactless
payment functionality. Part of, or all of, contactless payment functionality
may be implemented using, for instance, the Secure Element, the application
processor, the keyboard or the wide area communication components.
Page 22
June 2010
The device ownership model. Unlike traditional bank cards, the mobile
devices - or at least the control of their security-sensitive components - are
normally not owned by a card issuer. Depending on the business model and
underlying technical design constraints, ownership and control may lie with
the end-consumer, a mobile network operator, the mobile device
manufacturer, or a combination of these.
10.1.2
The factors listed above directly impact the CMP security architecture, as
follows:
The use of mobile devices may introduce new threats to the payment
application assets when compared to a chip card, because of both their
physical characteristics and their logical characteristics.
The use of mobile devices may allow the implementation of new security
mechanisms. For instance, one might take advantage of the mobile device
keyboard to implement Confirmation Code functionality. The Confirmation
Code is entered by the cardholder on the mobile device keypad and verified
(typically by an embedded secure module) before enabling the contactless
payment functionality for one transaction, for several transactions or for a
pre-defined time.
The use of mobile devices may introduce the need for new processes. For
instance, the fact that CMP is fully integrated into a mobile device may raise
issues about the decommissioning of the device, e.g., when the mobile device
is sold or given away. First, there could be a misperception by the cardholder
of the security sensitivity of such actions. There will be a clear need for
cardholder education. Second, an explicit decommissioning of the payment
functionality of the mobile device should be foreseen. This would involve
removing any CMP applications and associated Confirmation Codes to enable
the next owner to add new CMP applications.
Page 23
10.1.3
Remote Personalization
10.2
Security objectives.
Page 24
June 2010
Assumptions
10.4.2
Main Objectives
These security functions are performed by the secure element, in Zone A and the
provisioning and personalisation system, in Zone G.
10.4.2.3
Security of Assets of Other Payment Applications
Typical assets to be protected in terms of confidentiality and integrity include:
Confirmation codes and application keys, when shared with other payment
applications
Page 25
These security functions are performed in the secure element, in Zone A, and to
an extent in the mobile platform in Zone D, where sensitive information such as
confirmation codes are entered.
10.4.2.4
Evidence of Cardholder Participation
If a suitable Confirmation Code verification has to be successfully performed
before generating contactless payment transaction data, conducting a successful
transaction implies cardholder participation.
The evidence of cardholder participation depends on:
These security functions are carried out in the contactless mobile payment
application (Zone E) and the mobile platform (Zone D).
11 Summary
This document has provided an architectural overview of Contactless Mobile
Payment for the purposes of the work of EMVCo. The document covers the
system architecture, the definition of zones within the system, and more detail
on the architectures of handsets and secure elements.
The document further provides the high level architectures for specific areas of
interest to EMVCo, namely, Application Choice, Provisioning and
Personalisation, Parameter update and counter reset, and high level security
considerations. These areas will be developed further in additional EMVCo
Contactless Mobile Payment documentation.
Page 26
June 2010