Software Wireless Identity Modules (SWIM)
SWIM mobile platform delivers EMV tokenised mobile payments based on Host Card Emulation (HCE) standards.
SWIM (Software Wireless Identity Module) Apps downloaded on NFC smartphones can securely store HCE-EMV card tokens which consumers use to make card payments at conventional contactless EMV payment terminals – without requiring hardware secure elements in their smartphones!
SWIM WPKI Mobile Payments Platform
HCE Service has designed SWIM, a Wireless Public Key Infrastructure (WPKI) secured mobile payments platform, which complies with Visa and MasterCard standards and does not require hardware secure elements in the mobile devices. HCE Service provides not only the product but also the service including a hosted Issuing infrastructure with a global cloud service centre.
HCE (Host Card Emulation) standards compliant card tokenisation mechanism enables payments to be made from NFC enabled mobile devices interacting with standard EMV contactless POS (Points Of Sale) terminals.
HCE Service “tokenisation” design utilises a dual token security model: Two tokens, SWIM (Software Wireless Identity Module) and HCE-EMV tokens, are both separately secured using software WPKI cryptographic Whiteboxes. HCE-EMV payment tokens are securely delivered and stored on the mobile devices using SWIM user tokens. SWIM tokens are WPKI enabled and are used to provide user and device authentication as well as secure HCE-EMV token message delivery to the smartphones. HCE-EMV tokens provide the EMV contactless payments mechanism via the smartphone’s NFC interface.
HCE-EMV tokens are generated and distributed from the cloud hosted SWIM platform: Thus card data exposure security risk is mitigated by the use of these software tokens containing encrypted private and secret keys.
Has developed cloud hosted Token issuing infrastructure
Is in line with current Issuer requirements
Has built its first global cloud SWIM service centre
Connects to consumers, Issuers, Acquirers and corporates
SWIM is suitable in underground locations, or in areas where there is no mobile network coverage. The Android-SWIM App performs software card emulation circumventing any secure element on the mobile device, which appears to the contactless POS terminals as a standard ISO14443 EMV contactless card.
Using host card emulation means card personalisation data can be managed within the application layer using software cryptographic Whiteboxes, which in turn simplifies the issuance process. The issuance of the SWIM dual tokens remains under the control of the financial institution, which retains complete control of the mobile SWIM payment wallet, the card and its life cycle.
By using a tokenised based transaction together with WPKI based user and device authentication, the risk model is fundamentally changed and payment fraud risk dramatically mitigated. This dual HCE-EMV and SWIM tokenisation, coupled with their use within SWIM cryptographic Whiteboxes mean that it is extremely difficult if not almost impossible to steal useful payment data.
HCE-EMV tokens are generated in advance, bound to an individual card account and applied to a single or limited number of transactions. These tokens are encrypted and stored within the mobile device. They allow the cardholder to make payments even when the phone does not have connectivity, for instance, in a tube station or whilst in transit.
The Android-SWIM wallet app on the mobile handset uses HCE-EMV and SWIM tokens to interact with standard EMV contactless POS terminals, which can perform online authorisation. The Issuer system interacts with the HCE-Payments Authorisation System to perform cryptographic validation of the transaction data, with the verification process remaining the sole responsibility of the issuer transaction processor, as in a conventional transaction.
HCE SWIM benefits over secure element:
SWIM completely eliminates MNO (Mobile Network Operator) and TSM (Trusted Service Manager) business models from mobile issuance and payment processes. Hence card issuers become independent and have complete control over their existing card holder relationship, together with minimising mobile issuance costs. Loyalty and integration with mobile banking applications are natural additional benefits.
Google Play Application Deployment
No specific hardware deployment process is required such as a new SIM and the card issuer SWIM Wallet App can be simply downloaded from the Google Play store. Users can download a single HCE SWIM Wallet App, which once authenticated with the cloud SWIM servers, can be configured on the fly with their payment HCE-EMV tokens. From an issuer’s perspective, SWIM apps can be integrated with any other mobile application using a standard End User Client Application Program Interface (EUC-API).
HCE mobile payments are totally compatible with existing EMV contactless payment terminals as there is no difference between an HCE contactless payment and a secure-element based EMV payment at the point of sale.
MC & Visa Payment Scheme Agnostic
SWIM is compliant to both MasterCard and VISA, and in the future with other payment schemes that adopt HCE standards.
No Mobile Network required for Payments
HCE-EMV tokens are secured using software cryptographic Whiteboxes and stored offline in mobile devices and therefore can be used offline without devices needing to be wirelessly online connected at the time of the transaction.
- WPKI secured mobile payments platform
- EMV tokenized payments based on Host Card Emulation (HCE)
- User & Device authentication (mobile to host using software token based Wireless Public Key Infrastructures)
- Software Wireless Identify Module SWIM app providing Host Card Emulation (HCE) on Android
- All layers of end-to-end solution (mobile app, secure network, cloud platform)
- Platform/Software as a Service (PaaS/SaaS)
- Trusted service management (WPKI security)
- User experience (UX simplicity)
- Added value services (payments, loyalty, access)
- Global cloud SWIM service centre connecting users, issuers, acquirers, payment schemes and corporates
- End-to-end SWIM mobile app to host architecture dynamically securing the sensitive credentials
- Works even when smartphones are offline (no wireless data connectivity)
- Manage/prioritize multiple Accounts/Tokens service provider payment services
- Solid and mature technologies (NFC, WPKI, HCE-Host Card Emulation, Android, RSA, 3DES, Software Whiteboxes)
- No hardware secure elements resulting in flexible business model
- Using Host Card Emulation, the real card data are not transmitted to the merchant reducing the risk of subsequent fraud
- EMV compliancy: Visa, MasterCard and in the future Amex, Discover, JCB, Union Pay, RuPay, etc.
- Allows card issuers to be business model independent of MNO (mobile network operator) and other 3rd parties
- Service is applicable to large global banks as well as regional banks with customer bases of few 100,000.