Mcommerce and the TEE: A perfect match?

By Neil Garner, Chief Executive and Founder, Proxama

Mobile commerce (mcommerce) is growing, and not just in the traditional sense of using a mobile device to go online and make a purchase. Today, mcommerce incorporates a vast range of financial services including mobile wallets, peer-to-peer payments, contactless payments and using a mobile device as a point of sale (POS) terminal.

As mcommerce evolves and new stakeholders engage in the market, there is a need for stronger, more standardized security on the mobile device. We must remember that mobile phones were never designed for the range of services they offer today. The technology that enables these services, such as near field communication (NFC), secure elements (SE) and the trusted execution environment (TEE), needs to be deployed to ensure the device is secure and that a consumer can carry out any financial transaction in a safe and trusted environment.

Card present vs. card not present
Security is one of the biggest concerns when it comes to using a mobile device to make a payment. The traditional 'card present' transaction, i.e. an end user has the card at the POS and enters a PIN, is considered to be more secure than a 'card not present' transaction, i.e. when the end user is not physically presenting the card to the retailer at the time of the transaction such as during an online or mobile transaction. So where does a mobile NFC payment sit?

A mobile wallet, i.e. storing payment cards on a mobile device, will essentially enable a customer to make a 'card present' transaction using their mobile device. To achieve this there needs to be a balance between payment functionality, security and usability. Currently, payment and ID credentials on a mobile device are stored within the tamper-resistant environment of an SE. Despite its high level of security, the SE has low levels of functionality, meaning end user authentication options are limited. However, the TEE can provide this level of authentication and functionality, while offering more security than the rich operating system (rich OS).

Security OR functionality? That is not the question
The role of the TEE is not to replace the SE but to enhance it. It offers a safe and trusted user interface (UI) to empower authentication on a mobile device. For example, the trusted UI is able to check that the information comes from an approved trusted application and is isolated from the rich OS, where malware may be located, essentially creating a secure communication channel between the SE and the end user. It does this by asking the user to enter a password or PIN in the secure UI. The TEE will then encrypt the password / PIN and send it to the payment card stored in the SE: the equivalent of a card present transaction.

Aside from offering consumers a quicker and more efficient way to pay for goods and services, the driving force behind mass market adoption of mcommerce will be the value added services such as marketing promotions that are offered to consumers. Once again, the TEE plays a key role here. Aside from enabling authentication, the TEE is an ideal environment to store loyalty and coupon applications, which don't require the same high levels of security as payment cards, but still require protection from applications stored in the rich OS.

Future options
It's my view that mcommerce will go one of two ways:
   1. It will continue in the same vein as ecommerce i.e. solely used to make online purchases.
   2. Or (and hopefully) mcommerce will open up the physical world of commerce on a mobile device, offering consumers a wide variety of value added services, thereby driving widespread uptake of mobile financial services.



Privacy / Use Policy | Copyright © 2018 GlobalPlatform. All Rights Reserved