Sign Arizona Banking Permission Slip Mobile

Industry sign banking arizona permission slip mobile

welcome to today's webinar this is a webinar on mobile and digital wallet and this is part two of a series and today's topic is going to be on secure technologies and approaches hi my name is Randy van der Hoff and I'm the director of the u.s. payments forum an affiliated organization under the secure technology Alliance organization and that was formerly known as the smart card Alliance a today's webinar is being recorded and will be available for playback along with the presentation deck after the webinar has concluded there will be time at the end of the webinar for questions so I encourage our listeners to submit their questions using the user dashboard on your screen I'll return at the end of the presentation to lead the QA and suggest that you submit questions while the speaker is presenting so we have time to organize them in advance and that way we can get to as many of them as we have time left in the hour so if we can go to our next slide for those of you who are not familiar with the u.s. payments forum here's a brief overview the forum is a cross industry body that's focused on supporting the introduction and implementation of EMV and other new and emerging technologies that protect the security and enhance opportunities for payment transactions within the United States we cover not only the what where and when of payments but more importantly the how about how these payment technologies are being implemented the focus of the organization in the last few years from its being singularly dedicated to EMV and its migration into the US market now as has a much broader focus on other technologies beyond the card and EMV transaction flow and our work supporting the continued adoption of EMV continues for late maturing segments of the retail market such as the petroleum industry transportation and hospitality merchants that are going through their own in the enablement issue also EMV contactless and mobile acceptance particularly around testing and certification is very important as these our issuer considerations for issuing new contact with EMV or dual interface cards and cards that support offline data authentication increased attention on education and addressing issues affecting payments that go beyond EMV like mobile payment and tokenization authentication biometrics future cardholder verification developments and emerging standards addressing ecommerce channels like 3d secure secure remote commerce and new fraud mitigation tools to combat card-not-present fraud are also very active issues that are being discussed within the forum because the next slide please the u.s. payments forum brings together in this open forum of equals across the payments ecosystem leading companies representing the Global payment brands financial payments issuers merchants processors debit networks mobile services providers and other industry suppliers integrators associations government and and transportation operators and it's through these organizations that we form collaborative groups to work on projects to develop resources to assist with the u.s. EMV migration and implementation of these other new and emerging payment technologies and we do this through a series of white papers and educational resources that are developed some of them are involved with formulating best practices and commenting on technical recommendations to help resolve issues that might be slowing down the implementation of some of the new specifications and standards that are coming into the market our educational focus for our members in the industry comes in the form of webinars workshops and forum member meetings and published resources in addition we provide communications to the marketplace through our our public relations presence and providing our resources that are free and available to the market to consume and then lastly one of the most important benefits of being in the u.s. payments forum is the opportunity to network with other industry stakeholders to interact with them on getting perspectives and issues resolved with regard to how payment technology is evolving in the US if you want more information and resources about the u.s. payments forum they're available on the US payments forum website which is listed here about can go to the next slide so this mobile and digital while at webinar series is a product of two of our working committees the mobile and contactless payments group and the communications and education group these groups have planned a series of four educational sessions on mobile and digital wallets as part of a Lunch and Learn webinar series today is the second of this series and we hope you will all be making plans to participate in all four of these webinars if you missed the first webinar in the series which was on mobile wireless security technologies and approaches that information that webinar is available for replay on the site which hosts all of these webinars that you will be receiving a link to after today's webinar is completed so as you can see today's webinar is going to be on mobile wallet security technologies and approaches and then following this we have another one scheduled for February 6 on strategic considerations for mobile and digital wallets from a merchants perspective and then lastly the fourth webinar will be on February 20th which will be strategic considerations for financial institutions so getting these very important stakeholder group perspectives in how mobile and contactless is evolving in the market is something that I think all of the industry would benefit from learning and hearing more about after today's webinar there's going to be an optional short five to ten minute online assessment test available to test your comprehension and retention of the material that's been presented today those who wish to participate in all four webinars and the assessment exams will receive a certificate of completion from the US payments forum if they gain a passing grade in all four exams so if we can go to the next slide now I'd like to introduce today's speaker Maryann Crowe is vice president of payment strategies at the Federal Reserve Bank of Boston she oversees industry analysis and applied research on digital and mobile retail payment standards and security initiatives and she leads the mobile payments industry workgroup representing a mobile payment stakeholders focused on eliminating barriers to successful adoption of mobile and digital retail payments in the u.s. I'm a proud member of that mobile payment work group organization she was a payment's lays on with the Federal Reserve's secure payments task force and currently provides support for the feds secure payments study and she's also an active member of the US payments forum so let's advance to the next slide and I'll turn things over to Maryann okay Thank You Randy and hello everybody thank you for joining this webinar this afternoon on mobile wallet security Kathy can we go to the next slide for the agenda please so I'm going to talk today to give you an overview of the different wallet models and how security approaches are used in the different models where there are some similarities and where some of the differences are and these will relate to the wallets that the other group talked about in the first webinar a couple of weeks ago this isn't intended to be a technical discussion but I will talk about some of the underlying components for security tools that support some of the different wallets just to give you a sense of what they mean but clearly if you need more information there are lots of experts in the industry who can go into more depth on some of these and how they work in detail but I am going to cover the with okay wallets as we know them Apple Google and Samsung as well as generally about some of the other digital wallets and cue are based wallets to give you some idea of what security components they use and will also cover them and show a little bit of differences between what's happening at the point of sale and in the digital environment as well so next slide please okay so before we start the discussion we're going to give you a polling question and basically just to say do you think mobile wallets mobile wallet payments are as secure as the chip cards now that we have those and are they do you think they're as secure do you think that mobile wallets are more secure or less secure and we'll ask you that now and then at the end of the session we will probably have another question for you develop this so give you a few seconds to answer this question and then we will move to the next slide but generally speaking there are a lot of different components in this landscape so it's not an easy answer and things are changing as we as we go every day something new comes out so I'm looking at the results right now and it looks about not quite half saying they are as secure as chip cards and maybe about almost 50% it looks like said that they're more secure and then maybe 15% I don't have percentage lines but I'm looking at the colors here saying that they're less secure so we'll go through this presentation and we'll see if you have changed your minds at all when we get to the end so next slide please Kathy okay so I'd like to start just by showing you when I look at you this current landscape of the different wallet models I'd like to present it in this kind of a format so that one of the things that we hear in the past is that the markets very fragmented there are too many different solutions out there to mobile and digital wallets we don't know how they work or how they fit together and so this chart just kind of gives you a sense of how they're somewhat connected and there are really relatively few wallet platforms and underlying security approaches in the u.s. for mobile and digital wallets and I think that we try to depict that here and to some degree they're connected by the channels in which they work or and/or the security technologies that they deploy so there is overlap there as well so if you look at that second layer the you see the security technology solutions that are cutting across different wallet platforms for example tokenization or risk-based authentication which right here it's just shown as 3d secure so I am going to talk about all of those things in a little bit more detail in the next few slides next slide please so one of the reasons why we need to do this and why this is important for everybody is that using mobile wallets they have lots of benefits and advantages they also have multiple points of vulnerability as are detected here so we're all concerned about payment security based on the effects of large-scale data breaches the theft of sensitive customer payment data credentials passwords things that can lead to account takeover or identity fraud and so you know now that payments are more payments are being made over the mobile and digital channels obviously these risks and concerns are increasing as well so this chart just shows one of the big barriers to achieving effective security is that there are so many different points of access and vulnerability into a mobile payment wallet and whether it's used in point of sale or card-not-present space and why is that well where I think we see here there are different platforms different processes different components different organizations building and developing those things we've got the physical device the mobile device that has to secure it on the phone the mobile apps have to be secured and that's not necessarily being done exactly the same way the consumers themselves play a role in protecting the physical mobile device as well as their apps from theft and loss and as well as bad code but they also are vulnerability in themselves as we all know there are different wallet platforms such as near-field communication or QR code they have some different risks and so they have some different security requirements and then we have different ways of storing the data as construed in the phone you store it in the cloud and the in traditional merchants files or card on file with providers or processors another key area is authentication of the user when that person is enrolling in a wallet the authentication methods vary they're not they're not consistent and it's another place a key place where payment credentials can be exposed if it's not being as it's not strong authentication then finally replacing the real payment account number or can with the token is is considered more secure but even tokens have to be secured themselves to make sure that they're effective and they're not being exposed either so we'll see how these things go as we move forward the next slide please so the first thing that you want to talk about is that to a point of sale to pay wallets again Apple Google and Samsung they do leverage some common security methods here and so you know first I'm going to show the items that on this slide that are features of all the payment wallets are deployed so first of all they all deployed EMV co-payment tokenization to protect the payment account number and so in the payment tokenization as most of you know it means the fee the payment token is replacing the real account number or the real payment credentials during the transaction that you're making over the phone either online or through point-of-sale and that chain is token is not mathematically related back to the pan so you can't easily change it into a pan but at the same time the token follows the same format as a real pin so for processing the transaction at least it's easier to go through the flow the same way the real can work process also pens are never shared or stored with the wallet provider or in the mobile phone when you're using one of these pay wallets secondly all the work with the issuers and the merchants to make sure that the customer is the owner of the card before it's provisioned is done through a process of what we're calling identity and verification or ID and Z and this is to perform during the enrollment before the issuer it provisions are token to the wallet another area they have in common is in doing user authentication they all enable the consumers to authenticate with some form of biometrics such as a fingerprint or maybe facial recognition or a passcode but that's pretty standard between the pay wallets as well and finally near-field communication as a protocol is something that they all use between the mobile device communicating between the mobile device and the merchant point-of-sale terminal or reader for point-of-sale transactions so as a baseline these things are common between all of them and they they're all providing some level of security to the process next slide please so here I just want to talk a little bit more about an overview of the payment tokenization process again very it's not the very high level because tokenization is not a new concept but the shift to mobile technology and the sophistication of the related payments fraud that we're seeing has really heightened the need to take that payment card credential out of the clear as we all hear people saying and away from the transaction so tokenization of the card data starting with the enrollment and then going all the way through the transaction with a couple of exceptions which I'll talk about later is one way to do that and then coupled with other kinds of security methods such as encryption and storing authentication you're really strengthening the security of these mobile transactions an EMV card developed a spec to remove the pan from the mobile transaction and prevent it from being stolen or cloned so in part one of this wallet webinar series a couple of weeks ago it covered the flow of the mobile wallet transaction and some of the new parties that are involved in the tokenization process in addition to the issuer acquire merchant and card network and they're there what I'm shown here the token service provider the token requester and so they each have different responsibilities that I just want to go over briefly but first of all the token service provider is the one that generates and provisions the payment tokens that are going to be provisioned to the customer wallet it manages the secure centralized token vault where are the tokens and the actual pins that they get mapped to are stored on behalf of the issuer and then it also is responsible for D tokenizing which means mapping the token back to the original pin when when in a couple of key places in the transaction flow the actual pin is needed for authorization with the issuer rather than the token and then the TSP also manages the token lifecycle the token requester is the one that wants the token and so that's an authorized entity that has to be registered with DMV Co and that entity is going to request and maintain the tokens from the token service provider and examples here would be a mobile wallet provider like one of the pay wallets or merchants or even a card and file system but they have to go through the process to be certified and approved through the the overall owner of this or EMV Coe so one thing you know may say well there are a lot of everybody can be a token requester and what would happen if we have lots of these out there in terms of security and managing this well it's a very high bar to become a token service provider through EMV code in the United States and I am focused on the USA are you understand there are some differences in other countries but it's a high bar here and so in today's environment primarily the payment networks are the tsps and that they were the first ones however they are starting to work with other organizations to become third-party tsps and for example like noted 3 here the Clearinghouse force data and PayPal so just looking at those organizations and the size and the breadth of their responsibilities and you'll see that it's not just anybody who can be a token service provider given the level of responsibility liability and security needed for managing all of these payment account numbers and tokens in any new token service provider also has to be registered by EMV code but then also approved and certified by the individual payment networks that they're going to work with the next slide please so here's one talk about how EMV and the payment tokenization process secure the credentials and there are multiple factors that work with the token to secure the credentials first there are our thing called domain restrictions and domain restrictions basically limit the use of the payment token either to a certain channel so maybe it can only be used that token can only be used online or only at the point of sale or limited to a specific merchant they can set dollar limits for the purchases maybe it's also limited that it can only be used in certain countries and even by type of purchase so these domain restrictions are set working you know by the token requester working with the TSP when the payment token is created and then if stored in the token vault and next as you'll see in a later slide tokens are only converted back to the original pan in the steps between the token service provider and the issuer for authorization so the token D mapping which is you know making it into the real pan really it requires keys that access the lookup table in the token involved that can match the token to the original value so again that's all very securely contained in the token vault for that process then the other critical component for tokenization here is the nyan vehicle tokens are enhanced for security with the cryptogram think of it as an algorithm or as a key it's generated to support dynamic authentication for each transaction it's unique to every payment transaction and that's whether it's an NFC mobile transaction or even in an EMV card and if it's mobile the cryptogram is generated in the phone or in the cloud depending on the pay wallet and again it's only valid someone that cryptogram is only valid for one transaction that the purpose of that cryptogram is to dedicate the transaction when it's validated by the token service provider function or the issuer depending on the key structure used to generate the cryptogram again using keys associated with the issue but the key thing here is that by removing the pins from the transaction data consumers and merchants are going to have a more secure mobile payment process and hopefully reducing the risk of potential compromise by not passing or start exposing the pan in the clear during the the more vulnerable spots in the transaction flow next slide please so just talking first about how is securing the credentials during the enrollment of a customer in one of the pay wallets what I want to do here is just talk about through provisioning which is very important to establishing a secure wallet relationship and just use the Apple wallet as an example here could be slightly different for a Samsung and Google but generally speaking the users going to enroll their payment card into it into the mobile phone and loading the card data into the device and then if it's Apple the mobile phone will send the card data to the apple server and it's going over a secure network so again there's security right away in terms of transmitting this data Apple is going to encrypt the data with the payment network key and send it to the issuing bank and that's where the identity and verification of the ID and Zhi process is going to take place the issue is going to upset use that information to authenticate the cardholder identity you know by looking at different data that's been provided about the user about that they know about the user with the goal of trying to establish confidence in the in the binding or the connecting of the payment token to the person is this the real person is this really their account before I assign this token to them and allow it to go into their wallet and so some of the ID and the methods that are included are account verification message a risk for based on their assessment of the pin power one-time password using a billing address device ID and location and you hire lots of other stuff they don't even talk about but there are many ways to try to help do this process so the issuer may approve the request without needing much more on customer authentication but if they are concerned that it's a high risk of they're suspicious they'll do something called step-up authentication for further verification and that could be an out-of-band authentication so sending a one-time password to the customer's phone that they have to respond to or even directing the customer to the call center to guarantee the customers good standing and even their the call center also has to have food controls in place that they're asking the right questions and they're making sure they're not helping the consumer answer the questions as you know things we saw a long time ago but it's just another level but they determine if they need that or not so once it's approved if something it is approved the pay wallet would contact the token service provider and request permission from the issuer to enable the pay wallet and so the issuer at that point will transmit the real payment account number to the token service provider where it will generate a token and then get that provisioned on behalf of the financial institution to the actual wallet at the same time the token service provider is assigning a value to what they call the token assurance value after the issuer completes the I DMV process and this is so that there's some level of confidence that the merchants can see in terms of you know how strong they think or how confident they can be that this token who can cardholder binding is good and I guess it can go from zero to ninety nine but and it's I'm not sure what the average number is I would hope it's close to the talk there but it is another measurement or a sense of confidence that they set they spent doing all this ID and be the enough this is a point also where the token service provider and the token requester will establish the domain restriction control and then the token service provider will then send the token to the token requester who will then provision it to the mobile wallet so again these are probably slight variations of this with the different paywalls but that's the general flow of this process next slide please the next slide shows the payment process for a pay wallet tokenized transaction at point-of-sale if you were on the earlier webinar a couple of weeks ago you saw this slide so I really don't want to go in any detail because you have already had that but what I really want to point out here is that if you look at it you see the places where you see the little lock where it says payment token and the gold and you see the orange that says pan to show you through the flow where the where you only are getting the token and the cryptogram and where in this process you're seeing the need to be tokenize it and actually have the real pan used for the authentication process so you know the person is tapping their phone at point-of-sale and initiating the transaction the message at that point is generated sending the payment token from the mobile device with the cryptogram that was generated in the phone to the merchant or the merchant acquirer and then they were going to send that to the payment network so up to that point that's all there is not one place where the pan is exposed there it's just the token in the cryptogram when the payment network gets it they have to request through the TSP to first validate that it's unique cryptogram because again it's only one four transaction so if a fraudster got it and tried to reuse it this is where the ESP would say you can't this isn't a valid transaction because this training this crypto room has been used before something it's not it's not unique so once they verify it the TST is going to D tokenize that token and actually send the railfan back to the payment network who can send it on to the issue of processor and then to the actual issuing bank so that they can do the authorization and complete that step so the issue is going to review it send the response back again with the real can to the processor in the network and then at that point again it's only still in that kind of circle on the right there the payment network is going to send it back to the emergent acquirer processor with the token not the pin so it stops right there where it began and all the way back through the flow back to the merchant acquirer and the merchant there is nowhere that that pan is exposed and this is what's critical to this whole tokenization process that we're not having that number in the clear other than at points where communicating between the network the token service provider or the issuer it's going over secured line in order to which they do today in order to authorize it and verify information so this is this is what's critical about this process and while there are some variations of the flow whether it's in after in the digital world the back end where you're doing the D tokenizing and validation with the issuer it's still the only place where the pan is exposed the next slide please so here I want to talk about the way the different payment wallets are storing some of them are storing the information so this slide shows some of the technical differences between the pay wallets and how each one of them handles storage and retrieval of payment tokens for using NFC with the communication protocol so first of all you've got NFC pay wallets they read you know one of the differences is they have different they reside on different mobile operating systems or they use different ones iOS for Apple or the Android operating system and then each of them stores and retrieves their payment tokens differently with that with Apple and I will go into these a little bit more detail but Apple is based on using a secure element Google is using host card emulation and Samsung pay is using host card emulation but also a trusted execution environment for the storage part and then they all have other controls unrelated to NFC but just other controls within the mobile environment to prevent downloading the wallet to a rooted or a jailbroken phone they have the ability to disable the app or shut down the device to block that or block malware prevent the device tampering so though there are other securities around that but the key areas that I want to cover are I'll be restoring and retrieving the tokens in the hits your way the next slide please so as I said Apple pay starts the payment token in the secure element which is a tamper resistant chip embedded into the mobile device when it's manufactured so it's not removable and it basically it securely hosts the applications and cryptographic data such as the wallet app payment pretend hills are static tokens cryptographic keys within it it's during the sensitive data via encryption to use which is how it's protecting it and secure elements have been around a long time long before mobile payments mobile phones existed used in other other use cases not related payments so it's a recognized security there's an established certification process it's considered highly can occur when it's used before I go into the other soul I wanted to mention the NFC controller which is used by all of these all the three payment wallets this is what's managing the traffic and the radio frequency signals between the mobile phone and the point-of-sale terminal reader to pass the token that it can change the built-in antenna that communicates between the mobile phone and the point-of-sale terminal so that you need that piece as well if you're using NFC for Apple pay specifically though the secure element not only does it perform card emulation for Apple pay it also is storing the token so it's doing both of those things and if the token is stored in the the mobile Apple wallet until it's needed to make a transaction so then when the customer taps at the point-of-sale reader it's signaling the mobile secure element to send the token to the point-of-sale and at that time the token will get moved to the secure element where the cryptogram will be generated and then both are sent to the point-of-sale terminal to process the transaction and apples unique also because they control they own all their own devices and they control they're able to control access to the secure element because of that which is one reason why it's harder for the other two pay wallets to try to use a secure element rather than something else like host card emulation so next slide please so as I saying so Google pay uses host card emulation with NFC and Android operating system phones whether they're Google or Samsung they can't use the secure element because they have multiple phone manufacturers they're you know a different mobile operating system and they can't really control everything that's stored and done in the secure element in any phone because they're different so Google pay uses host card emulation software in the secure elements to emulate the SI NFC card and then stores the payment credentials and tokens in a different way there's a master key that represents the pan and it's stored in the cloud or the Google server and that master key is generating the dynamic token keys it can be limited or one-time use again I think that berries by wallet and so when that happens a small number of those dynamic token keys are downloaded and stored in a secure area of the mobile phone operating system and that happens each time the user connects to the network by storing a few of these dynamic keys on the mobile device one if you're only serving a few it limits your risk and it also enables the transactions to occur if you don't have any network connectivity and then when you connect again you get more tokens but this is very different than the way apple does it so when a customer is ready to pay the host card emulation enables the NFC controller which is coordinating between the point-of-sale terminal and the mobile wallet to get one of those dynamic tokens out of the phone for the transaction and that's when the token there - will generate the cryptogram and will be tasked with the token to the point-of-sale terminal and the process follows along the same way after that so the others also did for secure reasons dynamic token keys are restricted and they usually expire quickly so that they minimal value to thrusters even i some reason they were able to get out them but since the wallet for Google pay resides in the mobile operating system it is considered somewhat less secure than a secure element so in order to make it more secure it just requires additional software base security something like white box cryptography which is going to hide the key or prevent it within the host card emulation application so that a fraudster it would be hard for us to find it and be able to reverse-engineer it and then and use it so they've got they add other layers of security to compensate for not being able to use the secure and next slide please so samsung pay is even a little bit different further along here as I said this isn't intended to be really technical season search for me this is more understanding from a business perspective but there are some components I think that might be a little bit technical but Samsung Samsung pay uses host card emulation as well to communicate with NFC but they store the tokens in the trusted execution environment which is in the phone considered a secure area of the main processor within the mobile phone and it can change something called trusted applications that manage user authentication the data encryption keys and key management and it communicates with the payment networks so this trusted execution environment segregate segregate these trusted applications for many other non secure type operations or other user installed apps that might be running in the operating system in the phone and it does that by using some kind of combination of hardware and software with cryptography to isolate that t'ee environment and ensure the security of the storage and the data in the Samsung pay situation is stored static payment tokens and the associated keys that they use to generate the dynamic cryptogram for each of the transactions so it's considered more secure probably than just the basic mobile operating system because it's in an isolated secure area but still considered a little less secure than a secure element because it doesn't have that tamper resistant chip there now I mentioned just briefly here the Samsung pay MST or magnetic secure transaction I mean transmission which is what they use for phones that don't have NFC enabled in them and it's using underlying technology that's like swiping your magnetic stripe card so it's basically just a different way of communicating or transmitting the ear the token from your phone to the and terminal so you can pay with your phone even if you don't have NFC but that's that's that's just sort of out just throwing it in because people ask about this mention but it's not it's not an NFC type of transaction however it does have the same tokenization behind the scenes based on when that of the card number is provisioned to the phone next slide please so moving to the digital channel we're seeing obviously that using Walton the Cardinal present channel has created some new risk we know that the volume just in general of card-not-present payment initiated from a mobile phone whether it's your app or your mobile browser if this growing has been growing for the past few years is expected to continue growing at a rapid pace and just for one stat here that the Fed study that was published last year showed that the EMV chip migration shifted fraud from card present to card not present transactions again we knew that but that it represented 61% of the u.s. card fraud value in 2016 up from 48 percent in 2015 now I know we're already into 2019 we'll hopefully get more information when they do their next study and I would expect it's going to be up even higher at that point but just to show you the increase in the percentage in terms of card fraud it is a big number in big dollars so card-not-present payments are riskier because the mobile device and the owner on physically present particularly if it's abrazo transaction the browser's may not be as secure if a customer has to enter his or her payment credentials in the clear each time they're making a payment or buying something and even if they're not in their stored on file or the card on file model it's still at risk of being breached if they're not if they've got the pans Jordan there and they're not tokenizing them in the card and file systems and then because it's a card not present transactions once a fraud to get a pin they can quickly use it to make other purchases even before a customer knows about it so these you know there are a lot of different risks in this area that needed attention and we needed him tools to authenticate the user and to protect the sensitive payment data and here again there are tools out there but the card not present security tools they vary in sophistication they vary in coverage in terms of what they cover what they focus on and I think there needs to be more work that's done there as well so on next slide please so looking at the flow for the in-app transactions in addition to securing payment credentials at the point-of-sale tokenization is also becoming more important as a strong security tool to address the increasing mobile e-commerce volume and the shift in fraud but for card-not-present transactions using tokenization it's a slightly different process than making purchases using NFC at point-of-sale to generate and pass the token and the cryptogram so you're not tapping so there's no way to just say okay tap and let's signal it and I'm going to send the token and the cryptogram over to the merchants terminal you don't have that option so instead the mobile Wallet app so whether it's you know Google Apple or Samsung pay it's going to interact with an API to initiate the payment with the card network of the of the token that I selected the card that's in my wallet and then and the consumer will verify the amount and then once they do that it's the mobile wallet it's going to authenticate the user using your biometric fingerprint or your PIN and then here they're going to return an encrypted payment token with the cryptogram to the mobile app which is then sent to the merchant acquirer and then they route it to the payment network which is similar to what we saw on the point-of-sale flow and then again it's going to get to the token service provider to verify the cryptogram then here again they're going to be tokenize it so that they can send me the real or the clear payment account number to the payment network and to the issuer in order to do the authorization and approve this for payment so you know what's going back there the same process but the key here again is that still at that same section where you see the big kind of square up there with the card networks in it the token service provider linking to the payment network and the issuer on the right that's the only place where that real account number is I only wants to expose because it's protected but there's no token everywhere else again through the in-app transaction flow you're seeing at oceans rather than a payment account and then similarly in the next slide if we look at the flow where the networked cloud-based digital Checkout wallets so here we're talking about Napster card master pass and ex check Express Checkout discover and I want to make one note that since these is not noted here because I guess it's not considered or real it's not a cloud-based wallet and so it's not depicted but they've got a similar solution these digital check out wallets are used to pay for secure online and card-not-present purchases from mobile apps or from the browser in order to can help to decrease fraud and cart abandonment so it's another wallet type here and in this case with the deceased wallet so these check out wallets as we call them the online merchants would sign up to accept the wallet and then consumers can enroll their card information and they might be enrolled automatically through their online banking system or they could enroll through the wallet the digital check out wallet itself but they need to be enrolled and registered to participate and then from a security perspective the card network is here going to store the payment and shipping information so that means the merchants themselves don't have to store these payment account numbers and there's this you know so they're not going to be exposed if there's any kind of a breach so the payment token here is generated but as I said the process to get the token is different than for the point-of-sale wallets with NFC once the cardholder logs in with their addictive a username and password or could be a phone number in their password to their wallet they want to be here they're going to be redirected to the cloud wallet server to authenticate and then when they want them when they're ready to pay the cardholder will verify the amount and select the token and get redirected back to the mobile app or to the web and this is where there's something new here when they're redirected back there a payment transaction ID has been generated it's a unique number that's tied to that specific customer transaction that they've just purchased but it's not not the token or the cryptogram it's separate it's basically passing back to the merchant so that that merchant can use that payment transaction ID in order to request the tow in the cryptogram and once they get the token in the cryptogram the rest of the flow going to the payment network and the token service provider and the issuer is the same as everything else but because we're dealing with online mobile or digital payments here they need another way to actually request the token and so that's why this payment transaction ID was developed for the prospect so probably a little too much detail there but the point is that these digital wallets are another way of being able to do secure purchases online through your mobile phone and not having to expose not exposing the card numbers the next slide please and so the other cloud-based digital also just want to mention or can be either large payment service providers or even large merchants but one of the things that they've been doing for a while is having to address account takeover fraud and we know that's one of the largest growing attacks becoming an increasingly prevalent type of online threat and really impacting ecommerce wallets in general so account takeover occurs at a concretions where card-not-present comes our most vulnerable and it happens when the user enrolls their payment credentials and then they log in with their username and password which obviously you know it's very commonly stolen and so with that if the fraudsters get that information they guess they can get the bank account number or the credit card number debit card number or other personal information email password username and even social security number in some cases but once they get that information it allows them to take control of an existing account or even establish a new account and then use that account to create unauthorized fraudulent payment transaction and depending on how quick it takes you to figure it out that it happened to you they can do a lot of damage so the larger merchants and the payment service providers and I'm just using PayPal and Amazon as examples here they've been doing this stuff for a long time and they've got very sophisticated and in most cases proprietary risk engines and modeling tools to mitigate fraud related to account takeover which is why they have very very low fraud rate so they've performed behavioral analytics and transaction monitoring they look at behavior patterns spending patterns and trends they look at a lot of other customer profile data that they've had as they you know as the customers use if they build on it and then they've developers or so that they can quickly accept or decline transaction and then you know right away whether or not they're good or bad they use iterative processes so they're continuously monitoring and adding to data and updating their rules and files with information in order to keep on top of all this so you know that that's what the big guys do but some merchants who maybe don't have that opportunity or it's not something that they can manage on their own they're looking now at possibly tokenizing their own card on file systems that payment credentials so just you know if there's a big merchants out there are you that you purchase through online and you've given them your card number once and you notice you don't have to retype it every time you go in if you've got an account username and password well they're there most likely in many cases storing that live payment account number in your file which means that they get breached these fraudsters are going to get your real numbers so what's recently happening is that working with the card networks they're starting to look at possibly tokenizing all these card numbers that are in the card and file systems but doing it through the network and that way once those card numbers are tokenized even when the customer goes in to make a purchase the card numbers are no longer in that file there's a token developed similarly to what we're just talking about that is there instead and that's going to protect them and it's going to protect the merchants because they're no longer storing these card numbers so I think this is relatively new the only one that we've heard about that is has been either starting door to looking at doing it is Netflix but this is something that potentially other online merchants could consider doing down the road as this evolved in order to really protect the the data in the file and you no longer storing the card numbers on file use during tokens on file on next slide please so another security feature it related to card not present security but I want to talk about his risk-based authentication everyone I'm sure has heard about a lot about the EMV code 3d secure protocol for card-not-present authentication which enables consumers to authenticate themselves with their card issuer and making card-not-present transactions and when the merchants implemented the liability for fraud or fraudulent transactions shifts to the issuer so this protects the merchants from exposure to fraud related charge bags and improves online transaction security and it really you know if it works well it's going to encourage growth in e-commerce payments but the first version of 3d secure version 1 dou dou which was developed several years ago by the card networks was done even before mobile payments existed and it really only works for PC browser and e-commerce transactions it didn't work for mobile payments and version 1 was not really popular around share I guess it required enrollment of all customers if the merchants had signed up it was knowledge-based meaning that you know we would ask for secret questions or information that nobody ever remembered the answers to and it also required interaction with the customer for every transaction they made if 3ds was being used not only in addition to remembering what the answers to the questions might be so I'm not surprisingly this caused high customer abandonment a lot of friction merchants frustration and as a result low us adoption of 3ds version 1 so we have the code developed working with the networks of version 2 which is a secure messaging authentication protocol that enables risk-based real-time cardholder authentication directly from the card issuer during online transactions and it's expected to start rolling out I think into production sometime this year is my understanding so next slide please so just a little bit more about some of the differences in the benefits of version 2 of 3ds it's much more customer and friendly and the ones that one big thing it's as I said it's a risk-based decision process so it only authenticates when the risk determine it's a predetermined level and the merchants in issue is basically exchanged more data than they could in the old version they can exchange a lot more data to determine the risk back and forth so the device ID geolocation phone number email address lots of other things that they themselves can determine and then using that information the issuers going to determine the need for additional authentication on higher-risk transaction so t of I talked about before the identity and verification and maybe a stepped-up level of authentication to see if they need to verify a customer they might consider high-risk but they only will do that the averages from what we've heard of says you know it only impacts about 5% of customer transactions where you need to there's parent to them and even there if the merchant decides well I really know this customer based on information I have are my experience with the customer I don't even think you need to go to that higher level or stepped-up authentication for a customer the merchant can say they can opt out of that so it's definitely very low friction in terms of any customer impacts participating customers are automatically enrolled it's extended so it does support multiple channels it supports the mobile browser mobile app as well as the PC browser and it really doesn't have to take the customer away or interrupt the customer from the merchants checkout page to do the issuer verification unless they have to do that stepped up process where again they might have to say I'm going to send you a one-time password or something else in order to verify that extra level and again this is this would occur at a very low percentage of the customers so much less disruptive and this picture on the right the only point that it's in there is just showing that these three domains the three domains secure you know one area is where the customers the customer transaction is authenticated in the issuer domain the 3ds transaction is initiated in the middle and the interoperability domain and then that that third column where it says acquirer it's where the transactions for 3ds are switched between the issuer and the acquirer and again this is much more interactive with their passing data and information back and forth with each other in order to get the best information they can to make a decision without bothering the customer and also doing it very quickly and efficiently with them with better information so you know this is expected to be I think a very positive tool as we go forward in the card-not-present world and as organizations and merchants have this set to roll it out this year we'll all be looking closely to see how well this is working next slide please so the last one that I want to talk about is put on QR quick response codes as we all familiar with those in general they they're also used in some of the wallets as well not not near field communication but they also store you know they use a QR code putting the pan exposed when you're making a transaction and it's not stored on the phone they also can use pass codes and fingerprints to to lock them and prevent fraudulent access to the device of the phone and anything they're doing like that is going to help with PCI requirements because they're still protecting the card number so a couple of examples I'm going to jump down because I realize just what time it is but in Vico introduced specs last year I think just try to standardize the consistency of QR codes that are generated or captured on their mobile phone for consumers and there are two models one is the merchant presented QR code model and this is where the consumers use their mobile app to scan a merchant presented QR code and initiate a payment transaction and this one it might be example of what the Walmart model might be the other model here for Ian because the consumer presented QR code and this one I equate to Dunkin Donuts because that's where I use this consumers with select a QR option for payment in their mobile app and then display it display the code and then the merchant would scan it with their scanner to pay for a purchase and so these are also they have you know different kinds of security than the NFC wallets but obviously with the passcode protection they're not using the real payment account number when you're paying you're using a QR code and so you've got some level of security there and we're seeing you know more a lot of different merchants and others using these as an alternative to any state so next slide please just in summary here you know there are lots of layers of security it's not one size fits all there's no one method is going to protect everything but there but there are a lot of good options that work in certain situations that I think everyone needs to be familiar with and then make the best decisions on what they're using to protect their own either wallets or their own data as they go through this mobile and digital wallet process next IP and and just in summary you know we know that mobile wallets leverage security provided by the mobile device and the a mobile operating system and a mobile mobile app and if it's used appropriately both the physical logical components can be protected and mobile wallets can effectively be secure but broad use of effective and multi-layered security approaches for all wallets models is still lacking so it's being used but the key is the broad use of it effectively across the board we still need to be still in the industry have work to do to improve that and you know one ways to increased awareness and education across stakeholders excuse me as well as working groups like we have with them than you what's the payments form and others to really figure out how to bring all this together so that we can expand the use of the security that's available for our mobile and digital wallets and so with that I'm going to turn to the next slide and we're going to if you're asking the same question again now that you've heard these presentation slides what do you think have you changed your mind or you still see that there is secure more secure or less secure than the chip card and see if that changed at all sure if we in the differences yet here we want to go there we go um actually it looks about the same as the beginning and the end so you had your opinions all set before we heard the presentation but generally it's over half it looks like I can't quite see looks about 65% that are saying it's more secure than ship cards and about 30 something as secure and somewhere between between 10 and 20 percent it's cut off that are saying less secure but I would say it's closer to 10 so that's good because I think there's a lot of good opportunity and tools and approaches out there that can make sure we have secure mobile payments with that I'm gonna turn it back to Randy thank you thank you Mary Ann and your voice actually made it almost to the very end that was a really terrific session and I realized that we are at the top of the hour and some of you may have to leave us but we're going to stay with you for another 5 or 10 minutes or so to take some of your questions if you have the opportunity to stay with us so before we actually get into the QA if we just go to the next slide I wanted to mention as I said in my opening remarks that we have prepared an online assessment quiz for each of the webinars and each quiz is multiple-choice and there's less than ten questions for quiz so if you want to participate in this here's the link at the bottom where the assessment will be held but you also get this link in the email that will follow up today's sessions so if we go to the next slide I also wanted to point out two additional resources for people who are interested in discussions on mobile wallets and digital payment the first is that the we go to the next slide please the first resource is the u.s. payments forum member meeting and the payment summit which is being held in Phoenix Arizona March 11th through the 14 and information is available on us payments forum website about registration and the agenda and I suggest you take a look at that also there's an additional white paper that's available for free online about considerations for mobile wallets for merchants and financial institutions and you can read that white paper and share that with your colleagues as well now if we can go to the last slide there we'll just leave this up for our contact information and we'll take a couple of questions here from from the audience let's see the first question to you Maryann is I've heard about Fitbit pay and where do you see this sitting in the context of the wallets landscapes that you had in one of your earlier slides well I think that depends on if it's if it's like they pay wallets and like the watches and things like that and I think it would still it would fit in with that category if there's tokenization involved I think the same kind of process would work for that type of a device so much of the watches right so the the Fitbit would be provisioned from the issuer so the Fitbit is actually the token requester in this case and the customer would store a tokenized version of their payment credential on the device that would then be used to complete a payment transaction and following the same tokenized rules as as before next question is it has to do with some card-not-present transactions on what can consumers do to protect themselves from fraud with card-not-present transactions I think this question relates to your last slide about the 3ds other technologies to protect against fraud but maybe you can talk a little bit about you know how the consumers would benefit from that technology sure you know I think as a consumer one of the first things that I do when I go on a website is to look at what my options are for paying and to be honest if I have to put my account number in there and just key it in once I'll look for other options so does that does the website or the merchants offer one of the checkout choices you know whether it's master pass or one of the others who are you know is something like a Pay Pal button or something that is a known reputable provider in the middle there or or one of the paywall options obviously but I think it's important for them to know where they're buying things from and where they're actually putting their their account information so if they're keying it in and it's being stored on file what kind of a company is it do we know if they're doing any tokenization in the background it I think it's important for consumers to do some of their own research and also take advantage of what the banks and the issuers are providing through some of these tools for them if they're available yeah thank you Mary Ann I also would I add to that to that answer that if you're using a mobile phone and a mobile wallet to buy online that you know has the added security of the transaction being fully tokenized and so your payment credential isn't exposed as opposed to if you're working from a desktop or a tablet that you are keying in your your payment information so in a way card-not-present transactions have a different definition when used on a mobile device from a security perspective okay I think we can take one more question here see we got a bunch of them I'm trying to find one that it's relevant here so since this subject is this webinar is about security you talked about the secure element as a part of the hardware security of a mobile device Marianne can you explain or I can help with this why a secure element is secure like what makes the secure element the most secure way to store that payment credential on the phone well there really I'll give my little surgeon and you can certainly elaborate and I understand because of one that it's actually a physical chip in the card that you can't get at the information that's in there it that's a level of protection that the the software or the other models don't have and it's something that's been around for years and years and the way it's manufactured in a way it's shipped from one place to another is fought with the keys involved in it to protect any information is highly secure but that's a level of my ability to answer that so feel free to add to that no actually you answered that very well Mary and the the the hardware security is always going to be a step more secure than software security of cloud-based security because the manufacturers of those chips have built-in defenses to prevent someone from being able to penetrate without proper access the secure information that's stored in the chip and for criminals it would only be able to steal information from one card from one account holder and it really is going to be a much bigger effort to try to crack the security of the secure element to access that one credential than it would be to find other ways to commit fraud or or steal payment credentials so that's why it has been kind of the gold standard and mobile okay I think we will we will end there I want to again thank you all for your participation today for those of you who were able to stay on a little longer with us special thanks to Mary Ann our presenter for done a terrific job in articulating all of the aspects of security and mobile and mobile payments and if anyone wants to follow up with any questions that weren't answered in today's webinar they can send an email to us and we'll try to respond to those questions and a reminder that today's webinar has been recorded and will be available for playback along with the presentation deck after the webinar has concluded you will receive an email with the link to where you can listen to the recording and download the presentation and please feel free to share this information within your organization to others who could not participate in today's webinar so this concludes today's webinar thank you and have a great day