HCE Service launches EU PSD2 compliant mobile payments solution

The EU (European Union) PSD2 (Payment Services Directive 2), which will apply from January 2018, aims in particular at ensuring that all payment services offered electronically are carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud.

HCE Service announces the launch of its PKI (Public Key Infrastructure) based “SWIM” (software wireless identity module) platform which ensures the highest degree of security and safety in terms of authentication, while enabling user-friendly, convenient one-click NFC/In- App/Web payments. SWIM already complies to the PSD2 Regulatory Technical Standards requirements of Strong (2-Factor) Customer Authentication (SCA)!

With the open and insecure mobile Internet, higher levels of security, other than simple password and ID presentation, have to be introduced to limit payment fraud. PSD2 mandates Regulatory Technical Standards (RTS) on authentication and communication (Article 98):

  • Ensuring the safety of users’ funds and personal data;
  • Allowing for the development of user-friendly, accessible and innovative payments.

RTS specifies that strong customer authentication must use two of the three factors:

  • Knowledge (something only the user knows),
  • Possession (something only the user possesses), and
  • Inherence (something the user is).

Article 97(1) of PSD2 requires that payment service providers apply strong customer authentication where the payer:

  • Accesses its payment account online;
  • Initiates an electronic payment transaction;
  • Carries out any action through a remote channel with potential fraud risk.

“The launch of our SWIM solution leverages proven secure technologies to be PSD2 compliant no matter what the application, account to account faster payments, use of blockchain technology in payments, and of course HCE mobile payments which are growing rapidly”, said Dr. Chandra Patni, CEO, Founder and Director of HCE Service Limited. He added, “SWIM delivers HCE EMV mobile payments and other value-added services to banks and wallet providers, at the lowest possible costs.”

The SWIM platform uses PKI (Public Key Infrastructure) security measures to protect the confidentiality and the integrity of the Payment Service Users’ (PSU) personalised security credentials as well as ensuring secure communication. “Host Card Emulation” (HCE) tokenised cards are securely delivered to mobile devices using public/private key pair digital identities. Hence public key cryptography within secure software whiteboxes on mobile devices ensures user and tokenised card data integrity.

SWIM protects the confidentiality and integrity of users’ personalised security credentials:

  • Data on personalised security credentials are masked when displayed and not readable in their full extent.
  • Personalised security credentials data as well as encryption cryptographic keys are not stored in plain text and can only be used in tamper resistant whiteboxed cryptographic processing environments.

SWIM security measures prevent unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying. SWIM ensures:

  • Secure bilateral identification when communicating between user’s device and the tokenisation host.
  • Protection against misdirection of communication to unauthorised third parties.
  • All payment transactions and other interactions with the user are traceable, with post event audit.
  • All communication session use unique identifiers, log transactions and are network timestamped.