Bankinter circumvents secure element hassle for mobile NFC payments

Spain's Bankinter is prepping a contactless mobile payments service that does not require a secure element within the handset.

  8 8 comments

Bankinter circumvents secure element hassle for mobile NFC payments

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

From this summer, Bankinter customers will be able to download an app to their NFC-enabled phone, register the product through the bank's Web site and start making contactless payments within minutes.

Instead of using a secure element from a handset manufacturer or network operator, the customer will temporarily download virtual one-time use replicas of their physical credit or debit card every time they make a payment.

The service, developed with Visa Europe, Net1 UEPS and Seglan, does not require any changes to the existing infrastructure, working with any contactless POS terminals, and is fully EMV compliant.

Because registered cards can be updated via a remote management system controlled by Bankinter, the approach means that the bank can "autonomously define its own business model and brand image" rather than having to strike deals with telcos and handset manufacturers to gain access to the secure element.

Jacobo Díaz, director, innovation, products, markets and quality, Bankinter, says: "The Mobile Virtual Card solution eliminates the main difficulties that today are slowing the commercial launch of NFC payments and make it in compatibility with the standards of the financial industry, helping to avoid market fragmentation that in no way benefits the final consumer."

Sponsored [On-Demand Webinar] Global Workforce Payments: Mastering a world of complexity

Comments: (8)

A Finextra member 

Questions keep exploding in my head like those famous music fireworks held in Côte d'Azur every summer.

Tokenization is a cute concept. Especially if Bankinter can tell me how I can use their service in places with no online connectivity. Like London Undeground...

When banks cannot (or cannot be bothered) to strike a deal with mobile operators or owners of operator-agnostic secure elements, they start re-inventing the wheel. That leads to security breaches.

And then things start getting "interesting": 84% of financial organizations were notified of security breach by external entities. Attackers had an average of 174 days (!!) within the victim's environment before detection occured.

 

Aaron McPherson

Aaron McPherson Consulant at Independent

The comment about lack of connectivity in the London Underground is a good one, but couldn't you just download a token in advance?  Not ideal, but not a showstopper either.  And most other places, it's not an issue.

As for the security point, I don't get that at all.  How can a one-use token lead to any sort of bank breach?  It's actually safer than passing a real card number through a terminal.

With regard to the inability of banks and carriers to come together on mobile payments, my hope is that ideas like this will persuade the carriers that they cannot control the handset, and therefore must negotiate with the banks if they don't want to be irrelevant.

A Finextra member 

Aaron,

Downloads to a smartphone require at least GPRS connection. There are many places, outside such "extreme" examples as London Underground, where GSM data connectivity cannot be guaranteed - some shopping malls, car parks, trains, airplanes, taxis, etc. Think of ubiquity.

As for the security: lack of secure element means that the target phone cannot be identified with a 100% certainty. Hence, there is a scope for that one-time token to be downloaded (or diverted) to the attacker's phone - not hard to implement, in fact.

Who said BANKS are relevant to payments?.. Just ask Amazon, PayPal, Apple, etc. Tokenization, in fact, is one of the latest fabs via which banks hope to avoid being used as dumb pipes. However, they need to deliver value, instead of control, to remain relevant.

A Finextra member 

Or we can praise Bankinter, a mid-size spanish bank, for being innovative and dare to challenge the NFC mobile payment value chain status quo, in a tough environment for banks in Spain

A Finextra member 

There are other examples, where mobile payments are securely executed using an online device without a secure element. Wywallet is currently running with more than 600k users in Sweden and an eastern european bank will launch this week with 5 M users and 30k POS. By storing private keys on the phone, you achieve 2 factor PKI authentication, independent of device and network.

 

A Finextra member 

I always question the motives behind any decision: is that THE best and most appropriate solution or is it just a "forced" "good enough" alternative to the former...

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Kudos to Bankinter for showing that Banks Have Nothing To Fear From TELCOs.

[Webinar] Unifying Card Programmes: The cost-reduction imperativeFinextra Promoted[Webinar] Unifying Card Programmes: The cost-reduction imperative