Integrating NFC with cloud-based solutions challenges payment security

Recently introduced payment options using mobile phones integrate near-field communication (NFC) technology with a cloud-based system. With this approach, cardholders’ account details will no longer be stored on a secure element within a mobile phone, but will instead be maintained in the cloud. Frost & Sullivan believes that successful combinations of NFC and cloud will require solutions to help mitigate the security risks involved in data transmission. “M-payments that use contactless technologies, such as NFC, are an emerging global trend,” says Frost & Sullivan Research Analyst Shuba Ramkumar. “Important market players like Google, Isis and Microsoft have created some of the currently available mobile wallet apps using NFC technology.” Security infrastructure for NFC payments is multi-layered. The customer’s account and card details are stored in a secure element within the device used for the payment. The secure element might be directly embedded by the mobile device manufacturer or offered by a payment service provider as a removable Secure Digital (SD) card. The use of a physical secure element, as is the current industry trend, is vital because in its absence the exposure to risk is much higher. Nevertheless, security solution providers including ARM, Gemalto, and Giesecke & Devrient, are also working on the development of the trusted execution environment (TEE) as a security standard. “Implementing additional security – for instance, a personal identification number (PIN) for access – can help mitigate financial losses. An easy-to-use mechanism for deactivating NFC services on a misplaced or stolen device and reactivating them on another will also enhance security,” adds Ramkumar. A cloud-based m-payment solution involves the use of a mobile app, such as PayPal, that requires an individual’s authentication prior to connecting with the account details stored in a cloud to process the transaction. The biggest advantage of using this payment solution over NFC is that the transaction can be carried out using any device with network connectivity. Further, in a cloud-based solution, data is stored virtually and is not easy to access or track — assuming the cloud provider offers appropriate protection. “Despite constant monitoring and authentication checks that make the cloud itself secure, transmitting data over the air carries an element of risk,” cautions Ramkumar. “Payment information for many individuals is stored in the cloud, and it is mapped individually to a person logging into an m-payment app. Therefore, data transferred between the cloud and the device initiating the transaction occurs over the air, putting the data at risk to exposure to parties capable of reading it during transmission.” A hybrid approach that combines NFC and cloud for m-payments, hence removing the need for the physical secure element on a mobile phone, will make the application of NFC services simpler and cheaper. However, integrating NFC with cloud-based systems will still require additional solutions to mitigate the security risks involved in data transmission. “This should be done in respect of international payment standards such as PCI DSS in order to protect personal data during data transfer. At the moment, the security used for cloud based solutions is mostly the same as the one for e-commerce, so digital certificates features. This is probably a first step to accelerate cloud based payment solutions, but at the end, a higher level of security will probably be needed,” summarises Ramkumar.