Credit card companies, such as MasterCard and Visa, are currently successfully using an EMV (Europay, MasterCard, and Visa) credit card payment standard to perform credit card personalization. Credit card personalization refers to the process by which security and user data is transmitted to a user's credit card, such as a smart card containing an EMV chip. A first step in this personalization process is establishing an issuer security domain, which today is typically done in the factory of a smart card manufacturer. The security domain is used to create a secure channel between a personalization device, which is used to conduct the download of application data and the actual personalization, and the EMV chip embedded in the credit card. A secure channel is any channel over which information can be transmitted without being readily publicly available, and may be created, for example, using various encryption schemes or by authenticating both end points of the channel. Once the secure channel is created, the personalization device can activate the EMV chip and eventually transmit the personalization data to it. Credit card companies often rely on smart card manufacturers, such as Orga, Axalto, Giesecke and Devrient, or Cedex, to perform this personalization process. These manufacturers receive the needed user personalization data from the credit card companies and perform the steps discussed below in order to embed user-specific data into each credit card. The smart card manufacturers can then act as credit card issuers on behalf of the credit card companies.
FIG. 1 is a flow chart illustrating the steps which may be taken, for example by a smart card manufacturer, when performing credit card personalization today. In step 101, the personalization device activates the EMV chip by sending it a reset command. The EMV chip responds, in step 102, by sending an Answer to Reset (ATR) to the personalization device. The application that has to be personalized, for instance a specific credit card application which has been preloaded onto the card, is then selected using a select command, in step 103. In step 104, the EMV chip returns the necessary file control information, such as file data structure information, and in step 105 an initialize update command provides the EMV chip with a personalization device random number. This random number is used as part of a cryptogram creation to establish a secure channel.
The chip responds, in step 106, by sending a sequence counter (for session key derivation), a challenge (to be used as part of the cryptogram creation), a card cryptogram (to be used to authenticate the chip), the identifier and version of the session DES (data encryption standard) master key, derivation data for encryption, decryption and message authentication code (MAC) DES (Data Encryption Standard) keys, and a source channel protocol identifier.
In step 107, the personalization device authenticates itself to the EMV chip by providing a cryptogram in the external authentication command. The EMV chip then confirms the external authentication, in step 108, and then, in step 109, the personalization device starts shipping the data to the EMV chip by issuing one of several store data commands and eventually the special last store data. Finally, in step 110, the data storage is confirmed.
Recently, companies such as MasterCard and Visa have introduced a new payment method known, for example, as PayPass or Visa Waver, wherein credit cards are manufactured having RFID (radio frequency identification) capabilities. Under this new method, merchants are equipped with RFID devices that are capable of reading these RFID-capable credit cards when a user places his or her card a few centimeters in front of the reader. This new method enables faster and easier credit card payments. Similar proximity RFID systems are also being used in public transportation systems, such as Octopus or Helsinki Public Transport. For example, prepaid bus, or train, cards containing RFID capabilities may be purchased by customers and used in conjunction with RFID readers at the bus or train station to purchase tickets for riding the bus or train.
The use of RFID readers at different vendor locations, as well as at various public transportation stations, opens the door to other types of payment methods that could utilize these point-of-sale (POS)RFID readers. One such payment method would be to enable an individual to use his or her mobile phone, or some other mobile device, such as a personal digital assistant (PDA) or mobile personal computer (PC) that is connected to a mobile phone or PDA (e.g., via Bluetooth, cable, RFID, or Infrared), to transfer credit card or other user-specific information. In other words, the individual could use his or her mobile phone in the same circumstances as he or she would use his or her credit card or prepaid public transportation card. For example, the user's personal credit card details could be embedded in the mobile device and transmitted to the POS RFID reader. The same protocols used, for example, for PayPass and VisaWave could be used. In this case, the mobile device would be connected to a PC; the PC would request the necessary data from the mobile device, and then transfer the data to the POS (via the Internet).
In order to implement this mobile EMV system, the overall system must first be certified. EMV certification is an expensive procedure defined by EMV that every smart card issuer that wishes to act as an EMV issuer must comply with. Without certification, it is unlikely that credit card companies will accept the inherent risks involved and “connect” the mobile EMV solution to their payment infrastructure. Mobile devices, however, are much more open than smart cards, since they can run additional software applications and have more external interfaces than a smart card. As a result, mobile EMV software applications built on existing mobile device hardware would likely face serious challenges when attempting to obtain EMV certification; thus making obtaining the requisite certification very difficult and expensive.
One alternative solution is to integrate an already certified EMV chip or smart card into the mobile device, rather than building mobile EMV software applications on existing mobile device hardware. To do this, one option is to introduce a second slot into the mobile device, wherein the EMV chip could be personalized as usual, for example at a smart card manufacturer, and then later inserted into the mobile device by the user. However, this approach too can be very expensive due to the additional hardware costs for the mobile device for the mass-market. Other options would be to either incorporate a Universal Integrated Circuit Card (UICC) that supports many applications into the mobile device, or embed the certified EMV chip into the mobile device during manufacturing of the device.
During manufacturing, however, it is not known who will ultimately own each mobile device; thus preventing any payment data from being fully personalized during the normal manufacturing process. This is different from the credit card business of today, where the recipient of the card is known during issuance of the card. One solution is to incorporate the UICC or embed the certified EMV chip into the mobile device during manufacture and then require that the user send his or her mobile device to a smart card manufacturer or personalization bureau that can then perform the personalization, in a manner similar to that discussed above with respect to the credit cards. This, however, requires that the user relinquish his mobile device to the smart card manufacturer for some period of time. Another solution is to require that the user apply for a phone with credit card functionality in the same manner as he or she would apply for a credit card. The fully personalized mobile device having credit card capabilities would then be sent directly to the user. These options, however, would require that changes be made to the existing manufacturing process and sales channels, and they can be expensive and time consuming.
Another solution is to perform the personalization over the air (OTA) after the user has purchased his or her mobile device. However, certain risks are inherent in the transmission of security data OTA. As stated above, prior to initiating a personalization process, an issuer security domain that can be used to establish a secure channel between the personalization device and the EMV chip or UICC must be created. A need therefore exists for a secure means of transmitting credit card personalization data to a mobile device OTA—i.e., a means of creating the requisite issuer security domain and secure channel.