The impact of HCE and Tokenisation on the US Payments Market

Host Card Emulation (HCE) and Payment Tokenisation (or Tokenization for readers in America) are two highly significant new developments from 2014 that have the potential to radically change the way online and mobile payments are carried out and address some of the issues regarding security and fraud. These are not just about technology but about creating shifts in the control of payments that could impact the business models of key players.

As part of our review of the key developments in payments over 2014, I had a really interesting discussion with Sai Casula, a payments expert and Banking, Cards & Payments Consultant for Tech Mahindra. Sai shared his thoughts on Digital Payments, Tokenisation and HCE: What these mean and how they may affect the US in particular, as well as other markets world-wide. Below I share highlights from our discussions, to offer a basic introduction to these two important areas that are poised to bring about big changes in the way we pay.


Sai Casula, thanks for your time today. Please could we start with a bit of background about yourself and your organisation, Tech Mahindra?

I work for Tech Mahindra where we support customers worldwide, and in particular I am engaged in key projects with MasterCard. With the acquisition of a majority stake in Comviva in 2012, Tech Mahindra gained a strong foothold in Digital Payments space including mobile wallet, mobile POS and Cloud Payments technology. Mahindra Comviva has over 120+ deployments across 55 countries. Our mobiquity® Wallet and mobiquity® Money platform supports 2 of the top 5 Mobile Money installations globally. mobiquity® Wallet supports NFC, QR Codes, BLE and other contemporary technologies to enable mobile commerce.


NFCPaymentsHCE is an important development going back to end-2013. Could you share a bit about what HCE is?

Host Card Emulation (HCE) was introduced by Google in November 2013 as part of their Android 4.4 KitKat update. It allows for cards to be issued from the cloud and used by mobile payment transactions anywhere. This was a highly significant move from Google, who had earlier faced a pushback from mobile operators in the US at the time of the launch of their Google Wallet in May 2011. It is significant because it for the first time created a level playing field for all to participate in NFC.

Prior to this it was mobile operators who could dictate terms, thanks to their control of the SIM and hence ability to own and control the Secure Element (SE) in the Universal Integrated Circuit Card (UICC) which is the smart card used in mobile phones.

With the introduction of HCE consumers with Android devices could make NFC payments using Visa or MasterCard cards provided by the consumer’s own banks. This gives banks the freedom to deploy mobile/digital payment systems everywhere.


Thanks for this background on HCE. Could you shed some light on tokenisation?

Historically there is too much fraud involved in online payments and card not present (CNP) scenarios. Consumer concerns of fraudsters stealing and using their cards online have historically inhibited people from fully enjoying online shopping.

Merchants and Card issuers in particular bear a high cost from fraud relating to payment cards. Apart from the online fraudulent transactions we also see large scale security breaches similar to Target and Neiman Marcus where the card numbers are stolen in millions and the card issuers incur an extremely high cost to replace all the cards.

Tokenisation is a model that stands to change this. Payment tokens are surrogate values that replace the Primary Account Number (PAN) with the alternate card number or “token” in the payments ecosystem. Tokens are mapped to the funding account, leveraging existing payments infrastructure and messaging formats for authorization and processing. Tokenisation reduces fraud for the entire digital payments ecosystem.


How is Tokenisation being received by the various players in the US payments ecosystem?

This brings advantages to a number of players across the ecosystem.

Firstly, the Bank Issuers really like this. When issuers provide a token to a consumer for the purpose of making a payment, this limits the use of that token to a single transaction or context, as appropriate. If there is a breach then, it is only that token that is compromised, and not the original payment card. This is also an opportunity to extend the existing card business in digital space, with more secure transactions and fewer chargebacks.

Secondly, The Networks also like this as it benefits their customers the Bank Issuers, and helps bring down the cost of fraud, within an established card scheme model.

Thirdly, any mobile wallet can accept a token, Itworks seamlessly with existing mobile payments systems and needs no changes to the Point of Sale (POS) Fourthly, merchants like this as the same token can be used on the internet as also across other channels such as mobile and POS. This brings the advantages of reduced chargebacks, faster checkout, more security and more payment options.

Last, but by no means least, consumers benefit due to better user experience and added peace of mind as they would be spared the anguish connected with a loss of a payment card or worse still the wider effects that this may have on their identity and credit history.

So there is an immediate business case and ROI for the key players through the potential reduction in fraud and the reduction of friction in Ecommerce.


What is the importance of HCE and Tokenisation in the US in particular?

Given the high-profile breaches suffered for instance by Target, Home Depot and Neiman Marcus in 2014, merchants are very concerned and anxious to reduce their exposure that comes from the existing card-on-file model. That is where Tokenisation has a welcome role to play.

The implementation of Apple Pay is an interesting case of HCE principles and Tokenisation that come together to create a seamless payments experience.


How is all this likely to affect the adoption of NFC in the US over 2015?

NFC has had a good ride recently. After a slow and unsteady history over the last 10 years, Apple Pay has created a resurgent interest in NFC. The strong user experience with Apple Pay has also increased the adoption rate of Mobile Wallets in the US Market.

Of course, NFC has a number of uses beyond payments. For instance Apple’s new iOS 8.0 is geared to health care applications.

I think the biggest war in 2015 is going to be the tokenisation war.

The big questions are who will own the key positions in the newly developing value chain? Who will manage tokens? Who will issue them? So apart from the payment networks such as Visa and MasterCard, there are many more players lined up for this. The Clearing House – Secure Token Exchange, Mahindra Comviva, Gemalto, FIS, Fiserv and First Data are all keenly interested.

At Tech Mahindra we feel uniquely position to provide an “End-to-End Cloud Payments Solution” including Cloud Payment HCE/Module, Tokenization and Mobile Application Module. We believe that our expertise in Mobile Cloud Payments, out of the box solutions and Integration expertise can help Bank Issuers bring enhanced digital experience to their customers in short time span.


So all in all we agree this is a very important space to watch then! Thanks so much for sharing your very interesting thoughts with us and I wish you every success in the key projects you are managing this year.



Sai Casula is VP and Banking, Cards & Payments Consultant for Tech Mahindra, and is currently based in the Greater New York City Area.

Through years of experience in the banking, cards and payments industries, Sai has acquired a deep understanding across these connected areas, with strategic and operational working experience across several regions worldwide.

Charmaine Oak is Author of The Digital Money Game and co-author of Virtual Currencies – From Secrecy to Safety

viewport_china_2015Shift Thought is a UK-based consultancy that offers subscriptions to a unique, constantly updated portal that covers a set of 32-key services we include under Digital Money.

To commemorate Chinese New Year 2015 we have just released “Digital Money in China 2015”, a 380 page report that completely dissects the progress of money going digital in China, and the shadow this could cast on your plans, wherever you may be in the world today.

Contact us today at for details on our unique resources that you can leverage to stay ahead of competition in this important, fast moving industry.


Copyright © of Shift Thought Ltd. All rights reserved. Reproduction by any method is strictly prohibited

Passwordless Experience – The FIDO Standards behind this

As security breaches continued to grab headlines over 2014, I was intrigued by new claims that not only could online security be improved for consumers, but it could actually become a more delightful user experience. The launch of Apple Pay has proven to us that this is possible.

With over 150 FIDO members, the Board of Directors alone reads like a Who’s Who List: Alibaba/Alipay, ARM, Bank of America, CrucialTec, Discover Financial Services, Google, Identity X, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA Security, Samsung, Synaptics, Visa, and Yubico.

Keen to understand what attracted so many key players, I was delighted to have an opportunity to interview Executive Director of the FIDO Alliance, Brett McDowell, to understand more about how all this works and what changes we are likely to see in the world of payments because of this.


Brett, I’ve heard so much about FIDO as the standard behind high profile launches of 2014, and am keen to understand more. Could you share a bit about yourself and your mission at FIDO?



I am currently the Executive Director of the FIDO (Fast IDentity Online) Alliance which I helped to found in July 2012, when I was the Head of Ecosystem Security at PayPal, to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. At the FIDO Alliance, we are changing the nature of online authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online and mobile services.

Previously I spent several years at PayPal where, as Head of Ecosystem Security, I was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and its customers. I spearheaded authentication strategy, including working with global policy makers to evolve best practices in strong authentication regulation. Prior to joining PayPal I spent several years as Executive Director of industry standards organizations, including Liberty Alliance and Kantara Initiative, which produced standards and accreditation programs in the field of digital identity.

At the FIDO Alliance, our mission is tightly scoped to producing open standards and industry adoption programs that enable implementers to change the nature of online authentication by improving user experience while simultaneously providing better security in a very privacy-respecting manner. We just released the final FIDO 1.0 specifications at the end of 2014.


Why did you feel standards were needed relating to strong authentication, and how does this differ from traditional authentication?


clip_image004So, “traditional” is an interesting word in the context of strong authentication, as the concept has not gotten a tremendous amount of adoption, especially not from consumers. Before FIDO authentication, if you were an online service provider, in order to authenticate your users, you would typically use username and password. If you wanted more security you had to add another authentication factor from a set of options that were not necessarily designed for ease-of-use. The “historic” approach to multi-factor authentication, or “strong authentication” as it is often called, combines “something you know” (like a password or other form of “shared secret”) with another factor, such as “something you are” (a biometric for instance) or “something you have” (such as a token or physical device). The industry norm in 2011-2012, before FIDO authentication was announced, was username and password as the ubiquitous first-factor, and the second factor, if there was one, was typically a 6-digit one-time-use passcode. You’d get the second factor through an SMS to your mobile device or create it on a specialised hardware device or copy it from a code-generating mobile app on your smartphone. This 6 digit number- the one-time password (OTP) - is called a security token.

The first problem with OTP -- and one of the many issues that FIDO authentication inherently addresses -- is usability. The first word in FIDO is fast, and it helps to explain why FIDO technologies became so disruptive so quickly. We are not about bolting on extra security that puts the burden on the user. We are about delivering an end-to-end innovative approach to authentication through a new, open, online cryptographic protocol that enables best-of-breed device-centric authentication to be used for online access.


How does the FIDO UAF Architecture enable online services and websites to leverage native security features of devices and what problem does this address?


From the payments perspective our standards enable a better user experience – faster, more secure, privacy respecting and easier-to-use. An example is, Samsung has enabled a number of payments applications using FIDO to allow a user to simply swipe a finger across a sensor on their smartphone or tablet. This is arguably easier than everything else in the market, certainly easier than passwords.

Although the concept of strong authentication has been around for a while and pretty well adopted by pockets of the enterprise market, it has not achieved widespread adoption beyond the enterprise because it has lacked the means to achieve interoperability among systems and devices; FIDO authentication standards enable any strong authentication method, what we call “authenticators”, to interoperate with any online service, independent of solution vendor or device.

Without interoperable strong authentication, you are left with the classic “token necklace” problem; wearing specialized security tokens, often around your neck with your security badge at work, for each online service that requires strong authentication because you cannot use any one of them to authentication into the other online applications. This is because “traditional” strong authentication relied on proprietary centralized servers (closed systems) connecting authenticators in the hands of users to proprietary server side functionality. Limited in both reach and function, strong authentication solutions have been neither open nor interoperable, until FIDO UAF and U2F 1.0 standards , which have opened the door for ubiquitous strong authentication through “net effects” that only emerge from an open ecosystem.


Is this interoperability issue something you address through UAF and U2F?


Yes, both UAF and U2F protocols, applied to devices, client software and online servers, produce entirely interoperable strong authentication. What the FIDO Alliance founders introduced first was the Universal Authentication Framework (UAF) protocol. This solves pain points around first-factor authentication because it is designed to replace the password, usually (but not exclusively) with a biometric factor that is retained only locally on the user device, never shared centrally or in the cloud. FIDO UAF is a strong authentication framework that enables online services and websites, whether on the open Internet or within enterprises, to transparently leverage native security features of end-user computing devices. In a FIDO ecosystem online service providers can easily achieve strong user authentication, and free users from creating and remembering more online credentials, simply by leveraging existing FIDO devices to authenticate at their sites and to use their services, such as mobile payments where UAF has seen early industry adoption.

If you are going to offer a replacement for passwords, you need a robust mechanism that isn’t based on the same “what you know” shared secret security design that has been the bane of password systems of late. We decided upon asymmetric public key cryptography, which uses a private key paired with a public key for each authenticator registration. However, we knew that putting the private key in the server could create vulnerability and undesired externalities in the case of a breach. We wanted to get to a model that would have no secrets on the server side. With FIDO authentication, the server holds a public key, but the private key is held only by the individual’s personal device, such as a mobile phone, and is never shared outside of that device. We saw the opportunity to make 1st factor authentication both easy & more secure by relying upon existing device-specific user verification methods being embedded in smartphones, tablets and PC’s. FIDO UAF then enables those local device authentication methods to be used securely online.

We found that before FIDO authentication, existing strong authentication options had very low user acceptance rates, sometimes less than 3% of users choosing to register for strong authentication when it was available as an option. The user acceptance of natural authentication methods that don’t tax the user’s memory or require extra steps in the process have been far more successful as seen by the increased number of people opting to lock their phone with gesture locks, 4 digit pin codes, and now biometric sensors like fingerprint sensors. However, under FIDO UAF, fingerprints are just one of many biometric options supported by the protocol- iris scanning, voice recognition, and behavioural sensors from wearable devices, are all supported in FIDO UAF.

We wanted a standard that could support any future authentication method, and support the industry in its drive to continuously innovate. Proprietary innovation happens between the device and user; this is where the industry can compete with differentiating solutions. FIDO standards come into play in the implementation between the device and the online service.

Another question is how online Payment Service Providers (PSPs) would know that the technique between device and user is trustworthy? FIDO standards incorporate the ability for online services like PSPs to set their own security policy defining the devices or device characteristics they want to trust. The members of the FIDO Alliance wanted a solution set that enabled trust between all devices and all services, but didn’t mandate it. They want a solution to be flexible enough to leave the trust decision in the hands of the online service provider who is in the position of making the risk decision related to any authenticated transaction.


We have discussed UAF in some detail. What then is U2F and where does it fit in the FIDO ecosystem?


FIDO U2F authentication addresses a totally different use case. FIDO UAF provides a simpler, stronger 1st factor authenticator where U2F provides a simpler, stronger 2nd factor authenticator. FIDO U2F does not replace the password but instead replaces the second factor and enables a simpler form of password, like a short PIN number, because the security burden can now be placed on the FIDO U2F authenticator and not the password. FIDO U2F has already been deployed by Google Accounts and now ships in all Google Chrome browsers.

So far the implementations of FIDO U2F authenticators are in the form of external specialized devices, but these capabilities could be embedded directly in handsets or other form factors in the future. What separates FIDO U2F security tokens from the OTP tokens discussed previously is that one device will work with any FIDO U2F server, regardless of vendor solution or device manufacturer. Another key differentiator is the phishing resistance inherent in the FIDO U2F standard. A FIDO U2F user cannot be tricked into giving a secret to a fraudster the way they can in a OTP use case.

Yubico and Plug-up are the two primary providers of U2F-enabled devices today, which work by being inserted into a USB slot. NFC and BLE support for U2F tokens is coming soon and will accommodate U2F devices for use with devices that don’t have USB slots.

To learn more about all the UAF and U2F FIDO Ready™ implementations please visit our website where they are all listed along with the profiles they support.


This is very interesting and thanks for helping to make our online experiences easier as well as more secure. Do you have any final message for us?


One thing I’d like to emphasize is the relationship between authentication and payments. Payments is just another application that requires strong user authentication. FIDO standards can be used for a whole variety of use cases that require strong online authentication… for healthcare applications, airline bookings, gaming, banking, enterprise use cases and anything that requires a user to authenticate online. The reason we saw the first adoption in mobile payments is because that industry segment had the greatest amount of pent-up demand for faster, easier strong authentication from mobile devices where typing passwords was the least convenient option.

The second topic I would like to emphasize is the relationship between FIDO standards and government regulation around strong authentication. Sticking with the payments example, you recently asked me about how FIDO UAF could be used to meet the criteria developed by regulatory regimes such as the EBA Guidelines. Though an analysis of exactly how a FIDO UAF implementation could meet the requirements of this specific regulation is beyond the scope of this interview, most multi-factor regulatory regimes are looking for two or more of a “what you know”, “what you are”, or “what you have” authentication factors. In just the example we see in the market already on Samsung Galaxy® devices, it may appear there is only a single “what you are” factor being offered by the fingerprint sensor, but there is also a “what you have” factor due to the secure protection of the private keys on the device, resulting in a multi-factor authentication event from a single user gesture. The Privacy and Public Policy Working Group in FIDO Alliance is going to make a concerted effort to educate regulators across various industries and geographical regions in 2015 to help them understand how to apply FIDO authentication to the markets they oversee.


Thanks Brett and I wish you the very best for all the further innovation that you plan in this very important space!


Brett McDowell currently serves as Executive Director of the Fast IDentity Online (FIDO) Alliance, the organization Brett helped establish in 2012 to remove the world's dependency on passwords through open standards for strong authentication. Brett is also an advisor to Agari and the Bitcoin Foundation.

Previously, Brett spent several years at PayPal where, as Head of Ecosystem Security, he was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and their customers.


Charmaine Oak

Author of The Digital Money Game, co-author Virtual Currencies – From Secrecy to Safety


Join me on Twitter @ShiftThoughtDM and The Digital Money Group on LinkedIn

Researchers claim potentially serious flaw in Visa contactless payments cards in the UK


This morning a BBC report showed researcher claims of a potentially very serious vulnerability in Visa contactless payments. It is still not clear enough to what extent this could open the door for fraudsters around the world to use the flaw but from what was presented it seems this could be an expensive problem, most unwelcome at this time.



Contactless payments cards allow people to make purchases below a certain value by just touching the card against a Point of Sale (POS) terminal. People do not need to enter a PIN except when prompted, after a certain number of transactions.Visa and MasterCard have been active in rolling out these cards across the UK, and indeed world-wide this trend has progressed strongly this year.


Spend on contactless cards in the UK is expected to rise to £6.4 million a week in 2014, up from £3.2 million in 2013. UK is a leader in contactless payments world-wide, making the latest discovery a point for people around the world to consider and take into account in their own projects and testing involving contactless payments.


Today, a demonstration on BBC showed a mobile based contactless payment card meant to block transactions higher than £20 actually allowed an amount of $ 999999.99 to be put through as it was in a foreign currency. The claim was that the flaw is with Visa contactless cards, and not just payment via mobile phones, although the demonstration was of a mobile initiated transaction. Prof AAD Van Moorsel of Newcastle University made a statement about the research and vulnerabilities they found.


Due to the widespread roll out of these cards in the UK, it is possible that people have these cards without being aware of it. There are 48 million contactless cards in the UK today.




Visa Europe responded to the BBC on this to say the research does not take into account the multiple safeguards put into place and in practice it would be difficult to complete such a transaction. Of course, the amount would go through only if the account had the money. They were already updating their system anyway to make this kind of attack difficult.



This could be a potentially very big issue, but found by researchers before it was exploited by criminals.  BBC states that so far in the UK contactless card fraud was only £51,000  in the first half of 2014, but then most people have not actually begun to use the contactless functionality on the  cards.

This is an unfortunate setback at a time when contactless payments was at last set to take off. In the UK, with new rules having come into effect in July 2014, contactless cards were to be the mainstay of payments on London buses where cash is no longer accepted.


The question this raises for me is to what extent this flaw may be present in other cases of  contactless payments in Europe and world-wide. The reports so far do not make it conclusively clear at what level this flaw exists – whether only for dematerialised cards on mobile phones or for all Visa contactless payments cards.


The White House announces BuySecure initiative to address payments security concerns



Over the years, the fact that Americans had not switched to Chip and PIN impacted both US customers and the world. Now as part of a BuySecure initiative, President Barack Obama has signed an Executive Order yesterday to attempt to improve security for digital money. Implications from associated regulations and new spend must be considered to inform project priorities both in America and world-wide.


Why now?

uschipandpinAfter the recent breaches there have been renewed calls for the Congress to act on Data Breach Legislation.

  • What remedial measures can consumers expect in case of data breach?
  • What steps should companies take to notify customers?

Cybersecurity Legislation is also required, to protect Federal networks and balance the need for sharing with the right for privacy and personal liberties.


What’s proposed?

The President has outlined a raft of initiatives including his Cybersecurity Legislative Proposal.  His executive order requires US federal government to use Chip and PIN on all its cards, and the government is to begin replacement in January 2015.

The Private sector has been commended to take steps including the following:

  • American Express to launch $10 m program to help in MSME POS upgrade
  • Home Depot to transition 85,000 POS to support Chip and PIN.
  • Target has completed Chip and PIN for all 1,801 stores and from 2015 will reissue over 20 million Target-brand cards, and enable PIN acceptance
  • Visa is to invest over $20 m to educate consumers and merchants on Chip and PIN
  • Walgreens has converted all 8,200 that begin C&P acceptance by 2015
  • Walmart’s 5000 stores will have been upgraded by end of month.

Why the difference between the US and Europe?

The Economist puts forward two main reasons for America being slower to adopt EMV than Europe:

(1) During the 1990s American card companies grew better at managing POS fraud than European counterparts

However, my thoughts on this are that as Visa and Europe operate across both territories, surely learnings cross the Atlantic fairly well.

(2) Regulatory : European Card companies pay most of the cost of fraud while American ones pass off the cost to retailers and even consumers.

This may explain some of it but I think the reasons are more complex and this justifies a more detailed post that discusses the nuances of payments in the two regions. Would love to hear from experts on either side of the Atlantic, to add to the findings from own discussions with payments experts – What do you feel caused this great divide? Do add your thoughts on this in our discussion at LinkedIn.


Who benefits?

As identity theft becomes America’s fastest growing crime, these moves are directed towards protecting American consumers and their financial data. However, the need to manage payments for American customers who had not yet adopted Chip and PIN has also caused problems in Europe and elsewhere around the world, where systems had to have exceptional processes to cater to less secure magstripe card payments.

The NRF, the world’s largest retail trade association, applauded the announcements within the BuySecure initiative and has pledged to work closely with merchants to support this.

The announcements made yesterday and the initiatives from CFPB and across the American ecosystem are likely to increase spend in the US and could be good news for the European Security and Payments industry as well as providers around the world.


What’s the knock-on impact on digital money projects underway?

Payments projects involve a long gestation period. Now changes in legislation and newly proposed payments priorities will affect spend priorities for the US as well as providers around the world.

Now that the long overdue Chip and PIN issues has been resolved, and some dent has been made on this across the major retailers in the US, we expect a lot of focus and investment can now be placed on downstream security initiatives and set the scene for innovations that can cross the major international markets.

For a full analysis of the entire background, regulations, players and the over 232 initiatives we currently monitor in the US, and how your business is likely to be affected drop us a line at and we’ll let you know more about how you can gain instant online connected and contextual knowledge on all of this, as well as our soon to be published “Digital Money in USA 2015” Viewport.


Insights on how to succeed in Mobile Money from Gemalto, a world leader in digital security


Today I have great pleasure in speaking with Naomi Lurie, Director of Marketing for Mobile Financial Services (MFS) at Gemalto. From this key position at the world’s leader in digital security, Naomi is very well placed to share with us about GMPP (Gemalto’s mobile payments platform) and the work Gemalto is doing around the world in the extremely fast moving payments arena, both in developed and developing countries. Naomi shares with us some of the key initiatives in which Gemalto has been involved, and explains the importance of perseverance in achieving mobile money adoption goals.


Naomi could you kindly set the context for us, with a bit background on Gemalto and your leadership position in mobile financial services?

Gemalto OfficeGemalto is a leader in digital security, and a technology enabler for mobile network operators, banks, governments, enterprises and retailers. We work behind the scenes to ensure that each time their customers, employees and citizens want to transact, connect or identify themselves, they can do it safely and easily. You may not realise it, but if you put your hand in your pocket and take out your wallet or mobile phone, chances are it has a Gemalto security component – in your SIM card, your bank card, your driver’s license or your government ID.

One of our important growth areas is mobile payment services, and I look after Marketing for these solutions. Specifically I’m responsible for our Mobile Money and Cloud Based Payments offers. In our Mobile Financial Services marketing team we also offer Trusted Services solutions, including TSM and a Trusted Services Hub business service, and we are NFC experts. It’s exciting work in exciting times, especially as we are a global player with 44 sites and customers in 190 countries.

And with the coming of tokenisation there is yet more work for you?

Yes, certainly. As the leading TSM provider, we’ve been provisioning credit cards onto the mobile device for the largest mobile payments initiatives in the world. Emerging standards for cloud-based payments and tokenization require secure provisioning services for cards, tokens and keys. So, our assets and expertise in provisioning, mobile security, and authentication all come into play.

We’ve recently announced our Trusted Services Hub, a turnkey business service that enables issuers, enterprises, transport operators and digital service providers to easily deploy their value-added and mobile payment services across smartphones and mobile networks around the world. So with one connection to the Hub they gain access to over 1.5 billion mobile users worldwide already covered by our solutions.

Please give us some background on the Gemalto Mobile Payment Platform (GMPP)

GMPP is our comprehensive, field-proven, secure, flexible platform for issuers, mobile operators, retailers and banks that wish to launch mobile payment services. It supports emerging market use cases including stored value accounts, agent networks, P2P transfers, bill payment, airtime top-up, merchant payments, government payments and more. GMPP also powers developed and semi-developed market use cases relating to payments, usually from smartphone devices, such as in-store and online payments, loyalty and couponing.

We work across many different channels: USSD, STK, mobile apps, web and more, and we offer strong security across all these. We authenticate customers and manage risks relating to repudiation, fraud and more. We integrate into mobile operator, issuer and retailer environments and manage diverse requirements based on the nature of the ecosystem, which ranges from simple to very complex.

How has GMPP been used around the world?

Our platform is deployed around the globe. In Europe we work with Telefonica Spain and Telecom Italia.

India Post

India PostThe Gemalto Mobile Payment Platform is running in India with India Post for domestic remittance, since November 2012. India Post’s domestic money transfer service was a traditional paper-based service that took around 5 days to arrive at the destination. India Post wanted to modernise the service, to compete with the new mobile money systems coming from new entrants such as mobile operators. Since India Post has close to 90% of their branches in rural areas, they decided to modernize their money transfer service using mobile. It’s an interesting over-the-counter service. The agents at the post office are equipped with a mobile device that runs an app that collects information about the sender and recipient, amount and pickup location. Immediately both sender and receiver get SMS notifications about the transfer and how to pick it up. And the transfer happens in minutes!


Transfer in Mexico

Transfer1In Mexico, the GMPP is at the heart of the Transfer Service, which is brought to market by Banamex (Citi’s Mexican subsidiary), Telcel (America Movil’s Mexican mobile phone subsidiary) and Banco Inbursa. Telcel provides the channels: SMS, USSD and CRM. The banks hold the accounts and create the use cases, as well as manage network integration with Point of Sale and ATM networks. In Transfer users can get a companion card as well, to access the balance in the prepaid stored value account for POS payments. GMPP hosts all transactions and the customer wallet. The service went live in April 2012.

GMPP is also installed with NetOne in Zimbabwe, for their OneWallet mobile money service. This is your classic service, with P2P, cash in, cash out, airtime top-up and bill payment.

Gemalto provides the SIM Toolkit (STK) and Secure Access Gateway for MTN Group in Africa, Vodafone Qatar and elsewhere.

GMPP obviously solves some key needs for the unbanked. Could you please tell us what makes your implementation uniquely compelling?

I think what’s unique is the way we can address a very broad spectrum of use cases in a highly secure manner.

If we rewind to 5 years ago we thought we knew the recipe for mobile money. Just provide the standard set of expected services, follow the formula and deploy. However services have gotten more diverse. There are specific needs and requirements when we deploy in semi-developed markets. And emerging markets also have diverse customers – some with smartphones and others with very basic phones. Take Mexico for instance, the aspiration is to bank the unbanked and offer a new kind of account to the masses, but they must also appeal to urban users. There is a need for a combination of scenarios. We therefore feel well placed as we can offer the limitless combinations, while maintaining security across all the channels. That’s the strength Gemalto has.

Also we build our platforms to scale. We see mobile money as mission-critical services and can affordably scale up and ramp up as the usage grows.

What do you see as some of the challenges faced in bringing services to market?

There is no magic. You can’t just deploy technology and expect the service to be a success. It has to have all the right elements – in go-to-market, organization, and budget. You really must do your homework and take care of buyer personas, marketing strategy and back office support. You need a lot of CXO attention and need to continuously attract investment and management attention.

I think it is really important to be able to correct yourself. Of the over two hundred mobile money deployments, only a few have reached scale. If you give up and just let the offer die down, that is a waste. As in case of any product launch, it’s important to be able to correct yourself.

Another challenge can be regulation, meaning what type of services the regulator allows and what kind of limiting factors will the regulator impose. Often you need a strong lobby on both aspects.

When you look at mobile driven and bank driven initiatives which of these have a better chance of succeeding?

It seems that mobile operators (MNOs) have been more successful, but this is quite dependant on the region. MNOs seem to have the lion’s share of deployments quantitatively, but we do observe a trend for more issuer-led services.

MNOs seem to have an advantage on the marketing side; they know how to market to the unbanked masses, while banks are more comfortable marketing to their traditional clients. To launch a service for the unbanked requires a real transformation for the banks. However, in semi-developed and developed markets where most of the population is banked, the banks are at an advantage.

What are the major changes you’ve seen in the last year?

One change in the emerging market space is the launch of more consortium-led initiatives, and also Central Bank led initiatives. There are some new models coming up along these lines, with an attempt to put the entire set of domestic transactions on a single platform. Within that setup, individual service providers can offer branded services and compete with each other. These types of initiatives aim to address the question of interoperability from day one.

We also observe a much higher interest in enabling payments – in-store and POS payments in addition to mobile P2P between buyer and seller.

What major goals do you look forward to in terms of 2015?

Our goal is to continue to be the trusted partner of our clients and to help them operate successful mobile payment services. We aim to help our clients bring their mobile business strategy to life, while providing all parties confidence in the robustness and security of the service. It promises to be quite an exciting year with the advent of emerging tokenization standards, the new Gemalto Trusted Services Hub, the launch of major new initiatives, and the evolution of existing services.

Naomi thanks for sharing the very interesting work you do around the world and I wish you and Gemalto the very best of success for the future!



Naomi has a proven record of driving product and market excellence for products in the mobile, financial, retail and enterprise sectors.

Naomi joined Gemalto in 2010, where she drives marketing and strategy for the company’s mobile payment and mobile wallet solutions. She is an expert on the mobile money use cases emerging across the globe and is involved in some of the most ambitious and large-scale mCommerce services in both developed and developing markets.

Previously, Naomi was a product manager at Verint, which specializes in enterprise and security intelligence. Naomi was responsible for the global introduction of analytic software solutions for workforce-enterprise optimization, as well as the execution of product launch and rollout plans to sales, support and professional services.

A new resource for safety in online payment, as scams straddle online-offline domains


As money goes digital, new threats and challenges arise as scam-artists seek new ways to profit at the cost of innocent victims. Charmaine Oak (CO) was curious to understand about the so-called “Ukash Virus” and interviewed David Cox (DC) of Ukash to find out about the origin of this term, the newly launched “AvoidOnlineScams” site and the investment that Ukash is making towards the safety of their customers.


CO: David, could you please tell us a bit about Ukash, and the origin of the term “Ukash Virus” ?

DC: Ukash was created to provide a safe and secure payment method for consumers to spend their cash online and we want to maintain this. However, to rip-off innocent consumers, criminals have begun to request payment by Ukash and other online payment methods, in their scams.

David Cox Ukash

David Cox is Head of Customer Experience, Ukash.  Helping customers to use their cash online, safely and securely, has been David’s primary objective since joining Ukash in 2006. This extends to providing practical advice and assistance to avoid online scams. David works closely with the Ukash security team, and liaises with law enforcement and consumer protection agencies, to promote online payments best practice.

One of the most common and quickly spreading scams we are seeing, using Ukash as a payment method, is malware demanding payment of a fine, seemingly sent from the local police authority. Ukash is widely available and is the brand leader in e-money, so unfortunately some have referred to this ‘Reveton’ ransomware strain as the ‘Ukash Virus’.

Malware scams generally take the form of a Trojan, typically picked up from malicious online adverts or from file-sharing sites, which locks the infected computer and then demands a fine or ‘ransom’ for unlocking - this is known as ‘ransomware’. This malware often displays a message that claims to be from the police, saying the computer has been targeted for legal reasons.

Payment by online cash is then requested, and even if payment is made the computer remains infected. Ransomware will use alarming messages and scare tactics to frighten internet users into paying the fine, something that we see as a growing problem. Of course no genuine law enforcement agency operates online fines without evidence or a right to appeal, and the on-screen messages are very badly written, so unlikely to be genuine.

CO: I recall similar “offline scam” cases (not virus associated) under which victims receive requests to pay, using Western Union for example ..

DC: Yes, criminals target consumers via ‘offline’ methods and often use traditional methods of communication to do so. For instance the prominence of the miss-sold payment protection insurance scandal in the UK has led some criminals to create a new telephone scam, targeting vulnerable groups such as the elderly. These victims are asked to pay an advance fee, via Ukash or another payment method perceived as being untraceable, in return for a much bigger pay-out, even if they have never had a product with PPI.

Other scams have involved individuals handing over Ukash codes as advance fees for loans and job applications. Every Ukash receipt has clear warnings printed against never giving codes to anyone and only using Ukash online and at genuine merchants, but unfortunately not everyone heeds the advice.

CO: Has this changed in recent times causing scams to be online as well as offline?

DC: With the advances in technology and the increased use of the internet, these traditional ‘confidence tricks’ have gone from offline to online. The ease of the technology also means that more people, of all ages and abilities are using the internet and can ultimately put their details online and become a target for fraudsters.

But the criminals are exploiting their victims in imaginative ways, such as encouraging non-internet users to use an online-only payment scheme such as Ukash, as in the PPI scam. Despite the warnings to only use Ukash online, the majority of victims do not perform any research or ask advice before handing over the Ukash code, as the criminal has created a level of trust where their instructions are followed without question.

The developers of the Reveton Trojan use the internet to distribute the malware as if it was a legitimate software product and even provide technical support! It is attractive to low-level criminals as they can buy at low cost the code to infect the sites where large numbers of internet users will visit, and then receive payment from those that fall for the scam, making it scalable and profitable.

CO: How have producers of viruses sought to monetise through the development of new payment services? How are they seeking to “Get credibility” by using trusted brands (Metro police & yourselves)?

DC: The original malware developers are running a business distributing the trojan code. They’ve designed the malware to use popular payment brands, such as Ukash and Moneypak, to make getting payments as easy as possible. The wide availability and consistent branding of the payment options is intended to make the ‘lock screen’ appear genuine.

CO: Could you tell us a bit more about Ukash, what it is used for, and in which countries and partnerships?

DC: Ukash is the global online cash payments provider and internationally recognised e-commerce cash payment method that enables consumers around the world to use cash to shop, pay and play online safely, securely and conveniently. This secure payment method was developed to protect personal identity and financial information when making online transactions, reducing the threat of credit and debit card fraud for consumers and repudiations and charge-backs for retailers.

At the heart of the Ukash vision is creating a truly global solution that holds no barriers or boundaries for consumers to access the burgeoning ecommerce marketplace. Since launch in 2005 Ukash has expanded into countries on every continent. Significant investment in back-end technology and front-end customer service has enabled Ukash to achieve a 65% growth year on year, with 91% of global customers saying they would recommend Ukash to friends or family.

Ukash codes are purchased with cash in retail outlets such as shops, petrol stations and kiosks. The unique 19 digit code can then be used to pay directly on any of the thousands of websites that accept Ukash transactions worldwide, or loaded onto prepaid cards and e-wallets.

Ukash is regulated by the UK Financial Conduct Authority (FCA). The maximum single value allowed is £200/€250 or equivalent in other currencies, and the maximum amount that can be held by an individual customer is £1,000/€1,250 or equivalent in other currencies.

CO: I was interested to see your recently launched website. Why did Ukash take this initiative and how do you hope to help?

DC: Ukash joined forces with leading police authorities and anti-malware partners to create, an online resource to offer internet users up-to-date news, tips and advice on the latest online scams. This includes links to instructions and free software to remove ransomware.

imageWe want to remind consumers that Ukash must only be used to pay online and at genuine websites, never to pay fines or advance fees. One of the reasons we launched was to protect consumers from these fraudsters and stop criminals in their tracks. Individuals can protect themselves online if they have access to knowledge and advice.

Most of the individuals falling victim to these scams are in vulnerable groups and not previously familiar with Ukash. We are therefore working to educate these groups in order to help them protect themselves and beat the fraudsters, including clear warnings on the Ukash receipts and initiatives with the retailers that issue Ukash.

CO: David, so what is your main advice to your customers?

DC: We advise consumers to visit to learn how to remove the malware and keep themselves safe online.

Anyone who has used Ukash to pay a fine, or for any other suspicious payment, should contact Ukash immediately on 00800 247 85274, and we will attempt to block the Ukash code before it is used. It’s also vital that they report the crime to Action Fraud UK on 0300 123 2040.

We have a dedicated team working to provide intelligence, to the law enforcement agencies, on any reported crimes that use Ukash as a method of payment. This has resulted in several high-profile arrests of international criminal gangs suspected of involvement in ransomware and advance fee fraud.

Ukash is the safe way to pay, when used online at genuine merchants. But we advise that anyone unfamiliar with a payment scheme finds out how it works before they use their own money.

CO: Thanks very much David, I learnt a lot and am glad to hear about this initiative. Sounds like very useful advice.