
mPayment and Security Challenges

mPayment and Security Challenges. Hassan Khan Head of Security Practice (MEA). Content. What are mobile payments. 1. How to exploit the opportunity. 2. How to secure the business. 3. Overall, the mobile payment market falls logically in four categories or domains. Mobile banking


Presentation Transcript


  1. mPayment and Security Challenges. Hassan Khan, Head of Security Practice (MEA)

  2. Content: 1. What are mobile payments; 2. How to exploit the opportunity; 3. How to secure the business

  3. Overall, the mobile payment market falls logically in four categories or domains
     • Mobile banking: bank and credit card accounts; account transfers; bill payments; stored-value account top-ups
     • Near Field Communication based payments: credit/debit card embedded in NFC-enabled phone; ‘touch and pay’ POS and vending
     • Money transfers in developing countries: person-to-person; payment of utilities and prepaid airtime; international remittances
     • Mobile commerce strategies in retail: shopping on mobile websites; mobile coupons and loyalty cards; mobile ticketing
     Source: Ovum, Mobile payments: progressing towards large-scale deployment, 10 March 2008

  4. In addition to money transfers, mobile channel benefits banking both in the developed markets…
     End-user benefits
     • e- and mBanking: anywhere, any time access to basic banking services; personal, interactive service; on-the-spot handling of payments
     • Mobile PoS / NFC: convenient, fast payment for public transport, parking, fast food, tickets; no need for coins & cash
     • Mobile terminal as an electronic wallet: consolidated management of cards, tickets, vouchers, rebates; electronic ID more secure than cards
     Benefits for merchant
     • Payment solution suitable for demanding environments (moving, outdoors, public spaces)
     • 50% faster transaction than with debit cards
     • Less cash -> increased security
     • More efficient marketing and CRM

  5. … as well as in the developing markets
     End-user benefits
     • Low cost and fast money transfers (also fast response to emergency needs)
     • Trustworthy and secure place to keep money
     • Convenience of nearby prepaid merchant for making deposits and withdrawals compared to long lines and poor service at distant retail bank branch
     • Increased disposable income at receiving end
     • Earn interest on deposits
     • Access to financing at reasonable rates
     • Convenient and fast payment of bills
     Benefits for merchant / prepaid agent
     • More sales
     • More customer visits to store
     • Larger purchases – more money available
     • Incremental revenue from transaction fees
     • Long term: increased security as cash economy transitions to electronic funds

  6. Key success factors: trust/brand, network effects and effective partnering
     • Trust and brand
       • 1st mover often establishes a de facto payment platform
       • Leverage trusted provider position
     • Network effects
       • Enable as many connections between users as possible
       • Interoperability with other payment and banking systems
       • Good coverage of agent network, and retail POS
     • Partnering
       • To fill gaps in the value chain and to create successful ecosystem
       • For required financial services functions and processes
       • International retail channel
       • Training, motivation and management of retail partners

  7. Content: 1. What are mobile payments; 2. How to exploit the opportunity; 3. How to secure the business

  8. …The key is to identify the opportunities where communications service providers can excel
     Diagram labels: Ecosystem; Regulation; Opportunity space; Service provider strengths; Customer needs; Technology platforms
     Key questions and analyses
     • What will be allowed within existing license
     • Are banking licenses needed, can a communications service provider hold one
     • Additional requirements & domestic vs international transactions
     • What roles and positions are available and attractive to a service provider
     • Who will drive the development, who are needed as partners
     • What needs are underserved or latent
     • Which segments to focus
     • What other requirements do they have
     • Where the service provider can be competitive in creating and capturing value
     • What to do itself, what to source or partner

  9. Mobile Payments opportunities arise from creating superior value to the transacting parties
     Required business components
     • Retail agent / merchant / POS network
     • Mobile payment platform operator
     • Payment clearing / account settlement
     • Account / stored value / billing relationship
     • Cash management
     Customer needs
     • Lower cost of transaction
     • Wide reach through high mobile penetration
     • Easy access regardless of location and time
     • Low / no additional cost terminal
     • Reduced cash management needs
     Communications service providers' key strengths
     • Large base of capable terminals
     • Core infrastructure
     • Retail partners for distribution
     • Wide geographic reach
     • Credit rating for post paid subs
     • Elaborate value storing in pre paid
     • Customer care

  10. M-PESA Kenya – Money Transfers

  11. M-PESA Kenya: Easy-to-use Mobile Money Transfer Service
      Safaricom launched its mobile money transfer service M-PESA in March 2007.
      Service Highlights / Service Success
      • Enables users to transfer money through mobile
      • Targeted mainly at those without a bank account; offers an alternative method of money transfer
      • Users have to register for an M-PESA account to send money
      • Users can send approximately EUR 1 to EUR 360 worth of money using the service
      • 20,000 registered customers within first month of launch; more than four million customers by October 2008
      • No joining fee or minimum balance required; users pay commission on transactions
      • Approximately 2,500 users registered to the M-PESA service every day in 2007
      Service Offerings
      • M-PESA enables users to: deposit money; transfer money; withdraw money; buy airtime; check account information
      • M-PESA has facilitated approximately KES 9.4 billion (EUR 96 million) in person-to-person transactions by the end of March 2008
      • Transactions worth KES 3 billion (EUR 30 million) in March 2008
      Key Partners
      • Banks, Financial Institutions
      • More than 3,500 M-PESA agents across Kenya
      Young, male, urban migrant workers are the ‘Early Adopters’ of the service.
      Source: Safaricom; Safaricom Annual Report 2008, CGAP; MIT Press Journals
      Note: Exchange rate – KES 1 (Kenyan Shilling) = EUR 0.01027, as of 31 March 2008

  12. M-PESA Kenya: Moving the Money Around Using M-PESA
      M-PESA offers an easy registration process to the users; cash transfer and withdrawal are SMS-based.
      Registering for M-PESA
      • User goes to M-PESA agent
      • Upgrades the SIM for free, if required
      • Provides details such as name, DOB, phone number and ID
      • Registers for M-PESA
      • Activates M-PESA menu phone
      • No additional bank account details are required for registration
      • Money deposited by users is held safely in a bank account run by M-PESA on their behalf
      Depositing money using M-PESA
      • User goes to M-PESA agent
      • Provides details such as phone number, amount and ID
      • M-PESA agent deposits money using their mobile
      Sending Money Using M-PESA / Withdrawing Money Using M-PESA
      • [Diagrams; labels: User, Family, Agent, SMS Instruction, SMS Notice, Mobile Network, M-PESA Account Manager, Send money to family, Send money to user, Money received, Withdraw money from agent]
      • M-PESA Account Manager moves the money between customers in response to SMS instructions
      Registered M-PESA customers have a ‘virtual money’ account attached to their Safaricom mobile phone number, backed up by an equal amount of money held in a Kenyan bank.
      Source: Safaricom; Safaricom Annual Report 2008
      Note: Exchange rate – KES 1 (Kenyan Shilling) = EUR 0.01027, as of 31 March 2008

  13. M-PESA Kenya: M-PESA Customer Charge Rates
      Users are charged a commission of up to KES 170 (EUR 1.7) for sending or withdrawing money in the range of KES 100 – KES 35,000 (EUR 1 – EUR 360).

      | Transaction Type                 | Transaction Range (KES) | Consumer Charge (KES) |
      | Deposit cash                     | 100 – 35,000            | 0                     |
      | Send money to M-PESA user        | 100 – 35,000            | 30                    |
      | Send money to non M-PESA user    | 100 – 35,000            | 75 – 400*             |
      | Withdraw cash by non M-PESA user | 100 – 35,000            | 25 – 170*             |
      | Receive money                    | 100 – 35,000            | 0                     |
      | Buy airtime (for self or other)  | 20 – 10,000             | 0                     |

      * Note: Consumer charges vary depending upon the actual amount of money sent or withdrawn
      • Customers are only charged for the transactions they initiate; services such as SIM swap are free
      • All charges are deducted from the user’s M-PESA account
      • Customers do not pay any charges to the M-PESA agents for transactions
      • All SMS sent to and from M-PESA are free to the users
      • A non M-PESA customer can also receive money through M-PESA
      Source: Safaricom; Safaricom Annual Report 2008

  14. Content: 1. What are mobile payments; 2. How to exploit the opportunity; 3. How to secure the business

  15. Why Protection: Theft of 100 Million Credit card records.
      • The Washington Post is reporting this afternoon that a security breach at the payment processor Heartland Payment Systems of Princeton, New Jersey late last year may have resulted in the theft of 100 million credit and debit card accounts.
      • According to Heartland's website, "Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide."
      • In a company press release today, Heartland's president and chief financial officer Robert H.B. Baldwin, Jr., said, "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
      • "No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms."
      • The Post story said that Heartland "began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments... 40 percent of transactions the company processes are from small to mid-sized restaurants across the country."
      • The Post noted that many IT security folks are curious (as am I) as to why the announcement was made today - the day where 99% of the news is about the US inauguration.
      • More than a bit suspicious, I think, and it makes you wonder if there is more to the story than what Heartland is disclosing, or whether their public relations department is tone deaf. We will keep a close eye on this - given the history of large scale data breaches, other shoes will be dropping shortly.

  16. Protect the network from attacks: Perimeter security and Deep Packet Inspection
      [Network architecture diagram. Labelled domains: GI Domain, GN/GP Domain, VAS Domain, Charging/Supporting Services Domain. Labelled elements include: mPayment, music, IPTV, email, portal, WapGW, MMSC, IMS, VAS FW, IMS FW, OBS FW, GI FW, GP FW, DPI, GGSN, SGSN, BGW, GI DNS, GN DNS, GP DNS, AAA, DHCP, CGW, DCS, SIEM, NOC, SOC, OSS Center, GRX network, Corporate PDN, Other PLMN]

  17. Subscriber data is your most important asset: How to protect and provide confidentiality
      Challenges
      • Main interfaces are exposed to outside
      • Integrity and confidentiality of subscriber data not granted
      • Attacks from internal and external sources against services and infrastructure
      • Service outages lead to loss of revenue and reputation
      Solution
      • Clear security domain concept
      • Layered defense
      • Customer data are highly protected
      • Clear access control between domains
      • Dedicated protection of publicly reachable services interfaces
      • Blocking of manipulation of subscriber data
      • Prevention of eavesdropping during transmission
      • Central view of security incidents
      [Diagram labels: Application Traffic, Database Traffic, OAM Traffic. CSDB: Common Subscriber Data Base]

  18. Professional Security Operation Center to ensure high availability and compliance
      Security Operation Center (SOC) is a system that includes facilities, technology, process and persons in order to protect information assets:
      • Detection and Reaction
      • Incident Management
      • Infrastructure Management
      • Centralized auditing functions (vulnerability scanning, SLA monitoring, compliance monitoring…)

  19. Nokia Siemens Networks has proven its extensive security experience in more than 130 customer projects
      Real security from Nokia Siemens Networks
      • More than 130 commercial contracts closed
      • A worldwide network of security experts supports the success
      • Covering the full lifecycle from security consulting to support
      • Competitive advantage through combination of extensive telco, IT and security knowledge
      • Satisfied customers: …
      • One-stop-shopping through strong ecosystem of best-of-breed partners

  20. Inspired thinking, innovative solutions

  21. Back-up – mPayment

  22. Technical solutions supporting Mobile Payments are widely available…
      [Architecture diagram; labels: USSD GWY, SMS GWY, RN, Subs d-base, mPayment application, Prepaid, Agent, Optional ISO8583, PoS, ATM, Bank, Internet Banking]
