Retailers need security standards for NFC-based services

With the addition of host card emulation (HCE) and tokenization to mobile devices, near field communication (NFC) services have become an increasingly complex ecosystem. As a result, security standards for applications that use NFC have become more important to retailers who want to provide a secure environment for their shoppers' transactions.

All service providers involved in implementing solutions using NFC technology—including retailers—have a key part to play in creating and maintaining the security chain, Xavier Giandominici, director of FIME America, told FierceRetailIT. "It is essential that appropriate security is applied throughout the development process, regardless of whether the involved actors are developing high value, high sensitivity solutions like mobile payments, or more basic, lower-value applications to serve gift or loyalty schemes," he said.

"Basic applications do not require the same level of security as those with higher sensitivity, but vigilance is still important; ensuring appropriate security measures are applied will mean that every application can help to guard data from hackers," Giandominici said.

To address many of the questions raised about cloud-based payments and tokenization technology, consultancy FIME has revised its white paper, "The NFC Security Quiz v2.0," drawing on the work of the industry group GlobalPlatform.

"The paper is a guide for retailers and other service providers seeking to launch NFC-based services," Giandominici said. "In the last two years the ecosystem has evolved beyond recognition. There are more deployment options available now than ever before.

"This complexity is both a blessing and a burden for players seeking to enter the market. More options make it easier to reach more customers, but make the market more fragmented and complex to navigate as a result. The paper showcases these options and highlights the importance of security in protecting both the application and its users."

Acting on the paper's recommendations means considering application security from the beginning of any development project. "A range of different international specifications exist from a number of bodies which an application could be required to align with, but the onus is not solely on retailers to do the leg work," Giandominici said.

"The testing community has been working with the standards bodies to support the creation and adoption of specifications for many years, meaning it is perfectly placed to help service providers like retailers get to grips with the compliance process, the certifications their application will need, and how they can be achieved quickly and effectively."

Retailers can use tokenization in two ways and both are "revolutionary" for the payments ecosystem, he said.

First, tokenization can be used to protect payment details as part of a "tap-and-pay" NFC mobile wallet. "The technology is used by both Apple Pay and Samsung Pay, and could equally be used by a retailer if they wanted to launch their own mobile payments wallet," Giandominici said. Tokens and limited-use keys are utilized in HCE deployments for additional security, according to the white paper.

Second, online retailers can use tokenization to protect their customers' stored payment information. "Instead of holding every customer's payment card details, retailers could save payment tokens that are unique to each customer, which have been created using their payment information and can only be used to make purchases on that website. This means that if the retailer is hacked, as we have seen numerous times in the last year, the stolen data would be useless to the thieves," he said.

In summary, Giandominici said, "retailers can get ahead of the game by making use of the resources available in the ecosystem and partnering with specialists who can help them speed their solutions to market quickly and avoid the pitfalls that the complexity of the market presents."
