Activating New Mobile Services and Business Models · PDF fileSelf-service kiosks ......

www.sdcard.org | ©2014 SD Association. All rights reserved

Activating New Mobile Servicesand Business Modelswith smartSD Memory cards

White Paper | November 2014 - enhanced from September 2013

1

2

Table of Contents

Activating New Mobile Services and Business models with smartSD Memory Cards


SD Association2400 Camino Ramon, Suite 375San Ramon, CA 94583 USATelephone: +1 (925) 275-6615,Fax: +1 (925) 886-4870E-mail: [email protected]

Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5Introducing the smart microSD memory card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

Security Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7smartSD issuance and acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7Host implementation and integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8Roles of smartSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9The smartSD ecosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Mobilization of services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11Go to market . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12Evolution of services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12Benefits Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

For the service providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13For the card issuers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13For end users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

smartSD Business Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15HCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15Payment card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Transit pass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Dematerialized Loyalty card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Express check out for Retailers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Parking meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17Ticketing / VIP event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17Machine to machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17Hotel room card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17Campus card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18Government / Secure communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18TSM operator & MNO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18Handset bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18Self-service kiosks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18Secure services for multimedia in consumer devices . . . . . . . . . . . . . . . . . . . . . .19

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

1

3

Definitions

App An application running on the mobilehandset

Applet A Java Card application running on the NFCSE; also called a cardlet

APDU Command for Java Card applet(Application Protocol Data Unit)

ASSD Advance Security SD is SDA transportprotocol for APDU

BOM Bill of Material, i.e. cost of the finished good

Dematerialized Many virtual cards sharing the same card physical microSD memory card

EMVCo Standard body that defined the ContactlessMobile Payment, Application ActivationUser Interface

FIPS Federal Information Processing standardthat defines security certification profile

HCE Host Card Emulation. A function for NFCdevice to route Applet calls/commands toa mobile App

microSD a memory card format defined by the SDAssociation

MNO Mobile Network Operator

NFC Near Field Communication, a contactlesscommunication, as defined by ISO18092standard 18092

Contactless Self-contained microSD card with SE and smart microSD contactless interface. The contactless

interface (i.e. NFC card emulation) is notdefined by SDA

OTA Over the Air

PPSE Proximity Payment System Environmentdefined by EMVco that specifies thedefault payment card.

PVR Personal Video Recorder.

SDA SD Association manages standard relatedto SD, miniSD and microSD memory cards

SE Secure Element chip that provides asecure run time environment approvedfor banking Applet

A tamper resistant component used toprovide the security, confidentiality, andmultiple application environmentsrequired to support various businessmodels.

SIM The Subscriber Identification Module usedto authenticate a subscriber on the mobilenetwork

smartSD smartSD is the general term defined bySDA for memory card that embeds a SE

SWP Single Wire Protocol that allows interfacingwith NFC front end as defined by ETSI SCP(TS102 613)

TAM Total Available Market

TSM The Trusted Service Manager provides asecure gateway to remotely administratethe NFC SE

UICC Universal Integrated Circuit Card containsthe SIM applets and can store otherpersonal data.



1

4Activating New Mobile Services and Business models with smartSD Memory Cards


smartSD Memory Card Application Ecosystem

1

5

Executive Summary

Smartphones are everywhere and rarely outside consumers’reach, giving service providers unprecedented reach into theircustomers’ daily lives. Mobile phones have created a newchannel to deliver exciting new services to consumers andmobilization of services is becoming a strategic imperative tobuild and extend your brand. This white paper presents thecompelling benefits of smartSD™ memory cards as not onlythe best, but also the easiest solution to enable Near FieldCommunications card emulation and deploy mobile securitytokens on mobile devices.

Using smartSD memory cards as the Secure Element formobile payment and identity enables value-added services tobe interoperable across millions of devices, thousands ofconsumer products and hundreds of global brands. Newopportunities in mobile commerce, advertising, locationbased services, access control, rewards programs andtransportation emerge.

At a minimum, smartSD memory cards can achieve the samesecurity certification as smartcards and security tokens and,therefore, can be used to bridge existing services with variousmobile devices, including mobile phones.

However, smartSD memory cards are more than just anotheroption for contactless communication or smartcard andsecurity features. The removability and cross-compatibility ofsmartSD enables many business models and provides greatflexibility for providers and customers. With access to morethan 78 percent of the mobile phones in the world and themarket weight of the SD standard, smartSD gives serviceproviders unequal access to consumer devices.

The smartSD memory card also supports a consumer-centricbusiness model envisioned by GlobalPlatform™ that sets inmotion a virtuous ecosystem and ultimately creates value forall parties.

smartSD memory cards offer service providers and cardissuers a superior approach to deploy services to the totalavailable market using existing business processes andexisting hardware. smartSD memory cards help serviceproviders and card issuers reach the largest audience, retainbusiness independence, launch faster and with lower costs,and differentiate their services.



The smartSD memory card also supports a consumer-centric businessmodel envisioned by GlobalPlatform that sets in motion a virtuousecosystem and ultimately creates value for all parties.

1

6

A smart card secure element can be packaged into variousform factors including all SD memory card formats such asfull-sized SD and microSD memory cards of any storagecapacity or speed. The smartSD memory card comes with anembedded Secure Element (SE) that features the exact samelevel of security as other smart card form factors. smartSD isaccessible to the host appliation and through contactless(when applicable) therefore it is ideal for mobilizing both theworld of digital security and the world of contactless cards,bringing innovative new services to mobile devices. Thesmart SD card is available in two flavors: a smartSD thatfeatures Java Card technology and complies withGlobalPlatform™ specifications and a contactless smartSD thatadditionally features a contactless antenna. Fully compatiblewith each other, both are compliant with legacy microSDspecifications thus maintaining portability and universalstorage capabilities.

The smartSD card isn’t specific to a particular SE chip, JavaCard and GlobalPlatform versions: the card can be custom-made to meet security requirements and certification ofparticular use cases . smartSD cards can protect all cipher,authentication and signature keys, validate PIN andbiometrics, and run cardlets of different types includingtransit, payment, ticketing, loyalty, and many more.

smartSD covers business needs such as User Identification,Remote Authentication, Non-Repudiation and Confidentiality.It enables new business models for service providers andprotects end users.

Most importantly, smartSD provides a SE independent fromboth the OEM and MNO.

smartSD combines the advantages of memory cards withthose of security tokens while it benefits from the hostcapabilities such as display and 24/7 connection.

As such smartSD could be distributed, initialized, and pre-personalized with a service or mailed personalized to the enduser like regular banking cards. Services can also be issued inthe field, allowing end users to purchase smartSD cards andconfigure them to fit their unique needs.

Typical target usages are:

• Security token: The embedded SE is typically used toprotect credentials used for authentication, digitalsignature, data encryption, etc.

• Secure Element: The smartSD is the secure element for thehost device NFC

• NFC card emulation enabler: Contactless smartSD bringsNFC card emulation and SE to the host device independentof the host device being present or NFC capabilities missing.



Introducing the smart microSD memory card

Figure 1: Types of smartSD

1

7

Security Certifications

Security certifications are typical of target services and assuch are not covered by SDA. SDA also doesn’t define thecontactless interface of smartSD which is driven by NFCstandards and ISO14443.

Security certifications are attached to the SE in a microSDpackage and are therefore dependent on the security levelof the selected smartcard chips. User storage has no impacton the certification and a certification is typically valid formultiple storage capacities. Certification is product specificand obtaining certification is a business decision.

There are already multiple certification programs and labsthat can certify a smartSD card: Visa®, MasterCard®,American Express®,EMVCo, FIPS 140-2 for government andenterprise applications and more. SmartSD could also beused in transit applications when the chip features MIFARE™or can be loaded with the adequate transit App such asCalypso™ or Cipurse™.

smartSD issuance and acquisition

The smartSD memory card has a similar life cycle as legacysmartcards, SIM cards, contactless cards and other securitytokens. Despite a different physical communicationinterface, the manufacturing is very similar to the otherform factors as many components are shared, including theembedded secure chip that meets the security andfunctional requirements mandated by the different markets(e.g. banking, identity, transport).

The following table illustrates the similarities anddifferences for these different form factors:

smartSD can be configured and distributed as typical smartcard and security tokens.

The configuration of the SE can be done using standardsmart card software as PC/SC drivers are typically availablefor microSD as well. Only the physical interface to the cardis different. Initialization and personalization of the SE canbe done on anything from desktop solutions using a simpleUSB reader up to mass personalization solutions withautomated machines that can handle many microSD at onetime.

Smart microSD can be distributed to the consumer indifferent ways: retail purchase, from the service provider,kiosk, received by mail, on-site issuance, bundled with thephone, etc. The secure element in the smartSD can beinitialized with a specific security configuration or be readyfor a service or personalized in the field.

smartSD is also compatible with TSMs that cancommunicate to the card through mobile apps or services.Typically a compatible service would check in at the TSMand look for specific job(s) to perform.

The GlobalPlatform Consumer Centric Model will ensurethat post-issuance of cardlets would be the same as gettinga new App on a mobile phone. GlobalPlatform Consumercentric specifications provide the security mechanisms andthe user control to ensure such a user experience can beimplemented.



Silicon Opera�ng System Packaging Init and perso Distribu�onMobile

Host DevicesService access

RemoteManagement

contactless smart microSD

Most microSD host devices

TSM & other(op�onal)

smart microSD with SWP

Phones with SWP to microSD

TSM & other(op!onal)

Security token N/A PC solu!on only

Contactless card N/A NA

SIM card with SWP ● MNOOnly NFC phones from partner MNOs

TSMOTA

Embedded SE Handset bundle Phone model specific TSM

● Retail● Banks● Service provider● MNOs● Handset bundle● Mailing

Instant gra!fica!on or

TSM issuance whenapplicable

● Security sensor detectors

● Secure memory management

● Secure run !me environment● ISO7816-3,4 compliance● ISO 14443

compliance and ISO 18092

● Electrical ini!aliza!on and personaliza!on

● Physical personaliza!on

A$er issuancethrough TSM

TTTSSSMMM &&& otthhhhhher(op�onal)lTSM & other((((((((((ooooopppppppppp!!!ooooonnnnnaaaaalllll))))))))))

Instant gra!fica!onooooooorrrrrrr

TTTTTSSSSSSMMMMM iiiiiissssssuuuaaannnccceee wwwhhhhhheeennn

MMMostt miiicroSSSDDD hhhhhhosttdevices

Phones with SWP tommmmmiiicccccrrrrroooooSSSDDD

● Retail● Banks●●●●● SSSSSSSeeeeeeerrrrrrrvvvvvvviiiiiiiccccccceeeeeee pppppppppppprrrrrrrooooooovvvvvvviiiiiiidddddddeeeeeeerrrrrrr●●● MMMMMNNNNNOOOsOsOsOs

●●●●●●●●● EEEEEEEEEEEllllllllllleeeeeeeeeeecccccccccccttttttrrrrrrrrrrriiiiiiiiiiicccccccccccaaaaaaaaaaallllllllllliiiiniiii!!!!alilililiza!!!!on a dddnd

conttacttllllllesssmart microSD

smart microSDwwwwwiiittttthhhhh SSSWWWPPP

●●● SSSSSeeeeccccuuuurrrriiiiittttyyyyyyy sssseeeennnnssssoooorrrr

● Secure run !meeeeeeeeeeeennnnnnnnnnnvvvvvvvvvvviiiiiiiiiiirrrrrrrrrrrooooooooooonnnnnnnnnnnmmmmmmmmmmmeeeeeeeeeeennnnnnnnnnntttttt● IIISSSSOOOO777818181816666-3333,444

Figure 2: smartSD life cycle

1

8

Host implementation and integration

smartSD defines a memory card that embeds a SE. Thetypical SE features JavaCard and Global Platform andcommunicates with APDU.

Therefore SDA has defined a transport for APDU: ASSD is asoftware protocol to send APDUs using a standard microSDinterface (no extra or dedicated pin for APDU is needed).ASSD is available on Blackberry and the source code isavailable for Android SEEK.

Many smartSD cards typically feature the capability totransport APDU using files, which has the advantage ofworking over a standard file system and can addressdevices where ASSD hasn’t been implemented. These fileI/O solutions are however proprietary and not defined bySDA.

SDA has also defined a pin for Single Wire Protocol (SWP)that is used to connect to the host NFC and provide asecure element for NFC card emulation. In some cases,where supported by the SE and the host NFC, this SWP pincould also be used to transport APDU.



The implementation of a smartSD App is quite simple. Itonly requires standard mobile App development and takesadvantage of a few APIs to exchange APDUs.

Most smartSD and contactless smartSD will work withoutan App however the value-add typically results from theinclusion of an app that takes advantage of the host/phonecapabilities.

The smartSD could be implemented as a security tokenwhere it protects credentials and could be used to secureemail, messaging, digital signatures, transaction approval,identification, VPN access and many more. In that case thesmartSD would be implemented into different apps wherethe card services and security features would be madeavailable to the end user.

The smartSD can be implemented for NFC card emulationuse cases. NFC card emulation covers many applicationsand multiple target markets. The smartSD would typicallyrun the cardlet required for the service and take advantageof the App to provide additional value to the end user. Thiscould also apply to MIFARE when the smartSD SE featuressuch capabilities. For these implementations the mobileand its App typically adds value on top of what acontactless card could do.

smartSD could also perfectly combine with HCE (host cardemulation) and TEE (Trusted Execution Environment) whereit would bring the necessary certified security to reduce theoperation cost inherent to HCE while keeping all the valuepropositions of HCE unchanged. The integrated SE in asmartSD card allows for a more secure HCE implementationwithout a major overhaul of the existing solution.

Overall the smartSD implementation ensures that theservice provider can decide on the role of the card, the typeof user interface and the business model. Furthermore thecard provides complete independence from the phonemodel and from the mobile operator.

It also makes it very easy for today’s card issuer as smartSDcan be distributed as current cards and prepared using thesame software solutions.

1

9

App and services could take advantage of smartSD securityto ensure specific business requirements such as privacy,confidentiality, non-repudiation, useridentification/authentication, and more.

For this usage the smartSD provides a known level ofsecurity that meets business requirements and ensurestamper resistance.

In this world, smartSD is typically used to protect cipherkeys, perform strong authentication and perform useridentification using PIN or biometrics. The card ensures thatkeys cannot be copied and that user information remainsprotected.

SmartSD is typically integrated into crypto libraries such asPKCS#11 or CSP that are used by an App for secure email,privacy and confidentiality, backend authentication,document authenticity or approval cycles.



Roles of smartSD

smartSD can be used for both contactless services and forthe security of App and services.

Contactless services would rely on contactless smartmicroSD or on a smartSD implemented within an HCEcapable host.

Therefore smartSD could be used to mobilize existingcontactless card services and solutions and take advantageof the mobile host display and connection capabilities toenable value-add services. This would be applicable totransit, access control, ticketing, payment, loyalty, and manymore applications.

smartSD would run the needed cardlet that would beaccessible from the contactless side and from the App thatprovides a UI and facilitates a connection to a backend.

This would also permit the development of new innovativeservices taking advantage of the contactless interface tocommunicate with a cardlet in the smartSD thatmaintains the required security to protect theend user and to enable business models whilean App provides a nice user interface.

1

10

The smartSD ecosystem

The smartSD enables an ecosystem that creates value for allparties. It is not like other approaches where a single partyis perceived to extract all the value at a disproportionatecost to all other parties.

First, smartSD provides freedom to the end user as it isavailable to most users independently from their phonemodel or mobile operator. This means that in addition toextra storage always valued to the end user, changingphone and mobile network operator doesn’t come at theexpense of losing credentials and benefits of associatedservices.

It also means the service providers can address most oftheir customers (including iPhone 4/5 owners through aspecific case adaptor1).

smartSD can be issued by service providers or purchaseddirectly by consumers, as well as distributed by traditionaloperator controlled smartcard channels.

In particular, smartSD memory cards allow service providersto differentiate and determine a specific business modelthat does not have to involve a third party.



Therefore smartSD presents more benefits for stakeholdersthan any other mobile security solution. And businessindependence is key for the service providers as mobile is anecessary strategic move.

This ecosystem becomes virtuous as more parties, users,services and applications, take advantage of smartSD,creating greater value for all.

GlobalPlatform Consumer Centric Model allows consumers,rather than issuers, to control multiple services on a singlesmartSD as they do with apps on a mobile phone.

Driven by the SD Association and with the support ofGlobalPlatform, the smartSD memory card ecosystem willcontinually evolve to meet new industry needs, evengaining the ability for consumers to add third-party serviceson their smartSD memory card.

The smartSD is not a transitional technology simply waitingfor NFC handsets to become available to the masses or untilanother SE takes over; rather, smartSD offers the market acompelling value for today and tomorrow.

1 iPhone 6 TBCFigure 3: A virtuous ecosystem

1

11

Mobilization of services

With smartphones and super phones becoming widelyavailable and various app stores making it very easy todownload new applications to any device, consumers nowwant all services on a single device which they always carry withthem.

Therefore mobilization of a service is not only a must havecapability but also a strategic move. It is a real opportunity tocreate new revenue streams and strengthen customerrelationships while differentiating your offering with a betteruser experience and value added services. Mobilization istypically a real success when taking advantage of the displayand the connectivity of the phone. This is when the end uservalue-add shines on top of what contactless card or securitytokens already provide.

As such, mobilization should be carefullyconsidered and more particularly for servicesthat involve security such as smartcard,contactless services and security tokens. Thechoice of SE or no SE could be critical.

Some service requirements would dictate the need for a specifictype of SE. Such mobilization should be thought throughcarefully and the choice of form factor for the secure elementcould be critical to keep control of the business model, easilydifferentiate from competition, and facilitate go-to-market.

There are services using card and security tokens where thecontinuity of existing operation process is critical. In that case,smartSD is a perfect fit as it can use the same distributedprocess and channels already in place. smartSD also brings thevalue of being a hardware token providing strict control on theissuing process.

Other services rely on implementation in the app such as HCE.smartSD is also very relevant for this type of implementation asit brings increased security to reduce the financial risk andminimize operation costs. HCE services such as for paymenttypically rely on transaction tokens delivered by a server. The

smartSD would typically secure the connection to the serverand provide strong identification. It can also increase thesecurity of the received tokens and associated rules. As such thesmartSD brings a known level of security into the solution andincrease the security on critical parts. As such the HCE App andclient-server relationship does not need a constant update tostay ahead of hackers. Therefore for these types of servicessmartSD is ideal as it doesn’t change the value propositions ofbusiness independence and differentiation provided by HCEwhile adding a smart card level of security into the solution.

The development of new features and the release of valueadded apps that can reach all customers without any MNO orhandset model limitation is perhaps the biggest value ofsmartSD.

The smartSD is the best approach to mobilize securityservices by:

• Delivering the largest market reach as more than 78 percentof mobile phones and thousands of other devices have amicroSD memory card slot

• Working on most users’ current phones independent fromthe mobile subscription and operator

• Offering unsurpassed portability and easy transfer by theconsumer to a device of choice

• Allowing familiar issuance processes that fit contactless cardand security token operation and business processes

• Providing an open choice of business models

• Simplifying the launch of services, reducing time to marketand eliminating the need for third parties and for upfrontTSM deployment



1

12

Go to market

The smartSD memory card makes mobilization easier forservice providers/operators who focus on delivering valuepropositions.

Once the type of smartSD implementation has been chosen,launching is very easy as it fits existing business processesand does not require any agreement with third parties.

Driving market adoption, however, requires understandingwhat it takes for consumers to change their habits. Thismeans understanding their perceived value of the services aswell as knowing what value would inspire them to buy theservice or the smartSD memory card.

Millions of microSD cards are sold every day and a(contactless) smartSD would be an inexpensive add-on tothe standard card consumers buy today. Demonstrating andpromoting consumer benefits is important to facilitateadoption and potentially transfer the entire cost of the cardto the consumer. In short creating awareness at key locationsdrives adoption of the service

Here are some examples of real life end-user valueproposition applicable to various markets:

A smartSD consumer centric approach can provide formultiple services thus making the smartSD cards an evenmore valuable investment for the end user. Also, smartSDmemory cards include all of the current benefits from beingthe world’s leading memory card form factor: extra portablestorage for end-user content and data.

Evolution of services

App stores make it easy to inform users about updates and todeliver and install these updates. Updated apps can haveadditional features and value propositions on the smartSDdevice. This makes improving the user experience anddifferentiating the service easy.

Existing cardlets on the SE can be configured or personalizedwith a simple data connection to the mobile device (Cell, Wi-Fi or tethered), through contactless communication, or usingonsite issuance.

Adding new applets on the SE may require the use of a TSM.However, most TSM vendors support smartSD with their TSMsupporting data connection. This is typically the same ascommunicating with other SEs over a data connection, butsome TSMs might be set for a specific SE and would requirean additional module to handle a second SE such as smartSD

Overall, GlobalPlatform’s consumer centric approach specifiesall the information and the processes needed to facilitatesuch updates or service evolution and work seamlessly withsmartSD.



Type Tag line Implementation Cash back 2% cash back for every purchase Using interchange rate

Annual membership could pay for the card

Cost saving $Save - Up to 50% off Promotion to smartSD holder for purchase at specific target stores

VIP VIP yourself! Skip the queue Special line for smartSD contactless check in

Pack lighter Downsize your wallet Travel lighter

Leverage dematerialized loyalty and payment cards and security tokens for badge and VPN

Safety Protect your money PIN protection and consumer control RF

Control Get back in control of your finance Takes full advantage of mobile UI and alerts

1

13

Benefits Summary

For the service providersLargest reach: User’s current and future mobile devices,

any mobile operator and mobile plan,phones with and without NFC

Business independence: No dependence on any 3rd party,including MNO’s or handsetmanufacturers.

Easier launch: Fits existing business process. No need toinvolve a 3rd party.

Lower cost: Upfront TSM integration optional. Simplifyservice delivery

Differentiation: No constraints to differentiate fromcompetition with your own userexperience, set of features and businessmodel.

For the card issuersService Providers: In some cases the service provider is also the smartSD

issuer. In that approach, the smartSD could be sold as partof the service and advertised as consumer centriccompliant and thus usable and compatible with multipleservices. Such service provider contributes to theecosystem by making these cards available for otherservices and can take advantage of cards sold by otherservice providers.

Retailers: Millions of microSD are sold every day abd smartSD couldbe sold in retail alongside or instead of regular SD cards.smartSD could come with a service pre-installed to addupfront value and the GP consumer centric modelfacilitates the issuance of additional applets post-sale.

Mobile network operators: smartSD lowers the upfront cost of NFC as it could betargeted to specific users. SmartSD has a larger reach andcould assist in acquiring subscribers from competition.

TSM operators: smartSD provides new TSM opportunities, a larger reachand business independence



1

14

For end users

Instant Gratification: smartSD works with existing phones and can potentially require only a software upgrade to integratewith users existing applications, providing immediate value to the user upon purchase.

More choice: smartSD provides a choice of suppliers and more products to choose from.

Greater freedom: smartSD provides the freedom to choose phones and mobile plans independently from services.

Extra storage: smartSD provides the same benefits of millions of microSD sold every day for extra storage whichsupports the growing need for music, photos, videos and games.

Ease of Upgrade: consumers can upgrade their phone or change their MNO without losing their existing services.

Application Control: users can choose the applications can services they want and make changes easily.



Instant Gra�fica�on

Greater Freedom

Control Apps and Applets

Extra storage for PC, phones

tablets, etc.

More choice

Easy to upgrade

1

15

smartSD Business Cases While the consumer could purchase a smartSD memory carddirectly in any of the following scenarios, these business casesfocus on the examples where the smartSD memory card issubsidized or provided at no-cost to the consumer. Theydemonstrate how the cost of issuing the smart microSDmemory card can be recovered even when provided free tothe customer.

This focus does not detract from the consumer ability orinterest in buying the smartSD memory card directly to accessvalue-added services on their mobile phones. Other businesscases can include selling the smartSD to the end userproviding an immediate return on invest, but they are notconsidered in this section.

HCE

HCE allows for software emulation of contactless JavaCardand is typical of contactless use cases. It is unrelated tosecurity tokens for mobile application and online services. Itis also specific to JavaCard and may not apply to contactlesssolutions with proprietary features such as MIFARE andDESFire.

Host Card Emulation would not seem to be a target marketfor smartSD but once the costs of maintaining HCE servicessecure such as for contactless payment are considered,smartSD can be seen to add significant value to theseimplementations.

For example there are HCE solutions that rely on clientserver architecture and temporary tokens. Such solutionsare designed around temporary credentials to ensurestrong security is not required to protect them. Howeverthese architectures usually involve connecting to a server toget the tokens. The App typically authenticates to thebackend or uses some other identification means in orderto identify the user and deliver tokens.

In some implementations protection of those credentialscould cripple the user experience. For example it won’t beconvenient for the end user to have to present his/her PINevery time new tokens are required. It also will not beconvenient for the end user to enter their credit cardinformation every time new tokens are required.

In some implementations non repudiation is a must-haveand proper user identification is required. Once again thiscould damage the user experience if the user is asked to beidentified too often.

Ideally the connection to the backend should betransparent to the end user and if possible done atconvenient times, e.g. not at transaction time. Howevercaching information to maintain a good user experiencerequires adequate security. Caching is not optimal whenthe number of transactions is unpredictable such as fortransportation or fare-collection systems.

The token server is a great target for hackers and forimpersonation as tokens are personal.

Tokens are also delivered to the device and only protectedin software. This would be another target for hackers whocan get free transactions either by changing the expirationrules (when applicable) or by using the renewal mechanismto get more tokens.

In both cases the App is the weakest link because itcontains the information to authenticate to the backendand the information to access to local tokens. To stay aheadof hackers, the App must be continuously updated alongwith the server side. This represents a large cost as the Appwould have to be continuously tested for all supportedphone models. Furthermore the financial risk remainsunknown because software hack could be unpredictable.Additional software layers such as TEE might help on thesecurity side but could also increase the cost for a financialrisk that remains unknown as TEE does not have securitycertification at the moment.

This is where smartSD becomes valuable for HCE:• ensure a great user experience• provide non-repudiation and protection for identity theft • provide a hardware root of trust that could be

preconfigured for the service• be pre-personalized to ensure strong authentication to

the backend token server, for example by using PKI assuggested by Fido.org



1


www.sdcard.org | ©2014 SD Association. All rights reserved16

• perform strong user identification (protection of PIN,biometrics match on card, etc), also suggested byFido.org

• protect the tokens from the end user

More importantly smartSD reduces the risk to a knownsecurity level as it has already passed adequate securitycertification. Therefore smartSD not only helps lower thefinancial risk but also reduces operation cost as hackerswould focus on the card rather than the App.

Using smartSD along with HCE gives the best of bothworlds: the flexibility of HCE and great integration in the OSwith all the security of a certified smartcard chip, withoutthe trouble of implementing a TSM for evolution of theservice or having to sign agreements with all mobileoperators and mobile phone makers.

Payment card

The main revenue from a payment card is typically derivedfrom serving as a deposit account. Nevertheless, there areother revenue streams that could cover the costs of issuinga smartSD memory card:

• When interchange fees are applicable, the cost of asmartSD memory card with average use is easily paidback within the first year. Furthermore, interchange feesrevenue could be used to build a cash-back valueproposition to the consumer that could both drive salesof the card and absorb the entire cost.

• The revenue from a referral program with partners canalso easily pay for the card within a few transactions.Program partner merchants would pay for customers tobe directed to their stores or services.

• A futuristic business case would capture smartSDmemory card benefits in online payment scenarioswhere it could be used for card-present transactions andfor 3D Secure using http(s) as an alternative topotentially costly SMS.

Transit pass

The ease and convenience delivered by smartSD memorycards should compel consumers to purchase the smartSDmemory cards. However, some transit services may want topromote mobile phone usage to save on kiosk costs and tokeep workforce costs low. In that case, a reloading fee

would pay for the smartSD memory card. The consumercan easily accept a minor fee to take advantage of theconvenience and shorter wait times. A regular user wouldpay for the card within the first year.

Transit operators could also consider the additional revenueopportunity from advertising in the mobile App. As thesmartSD memory card is the sole SE option withoutrecurring fees, advertising, so revenue stream could recoverthe cost of the smartSD before adding to the bottom line.This example provides real value for local shops and transitpassengers, plus transit traffic numbers would attractadvertisers.

Dematerialized Loyalty card

Dematerialized loyalty cards not only reduce clutter inusers’ wallets, they mobilize smartcard-based loyaltyservices by taking advantage of mobile phonecommunication channels and localization capabilities. Thefirst allows for a direct marketing channel that could beused to increase sales and strengthen the brand and thesecond makes it easier to locate a nearby store. Whileincreased sales would recover the costs of the smartSDmemory card, targeted marketing would also affectcustomer retention.

For these programs the embedded SE in the smartSDmemory card could play a role to locally and securelymanage some of the rules so the consumer could redeembenefits even when offline.

Express check out for Retailers

A basic program for a retail shop to issue smart microSDmemory cards is sustained by the use of a retailer specificmobile app to leverage shopping lists, target promotions,and reward loyalty; however, the current programs stillrequire payment from the user via credit card or cashtransaction. A richer approach would also allow shoppers touse their phone cameras to scan the goods added to theircart (also allowing for instant promotions) to reducecheckout time. This richer approach would deliver animproved shopping experience for the user and requirefewer cashiers for the retailer. Plus, this experience couldalso motivate shoppers to buy the smart microSD memorycard to obtain this value-added service.

1



Parking meter

Contactless communication clearly reduces costs forparking meter service and maintenance. It facilitates moneycollection, reduces vandalism and dramatically lowersmaintenance costs. The mobile app opens a new world ofpremium services for users. For example, a typical premiumservice uses the mobile app to secure a parking spot.Additionally, like the transit pass business case, the parkingmeter app could be used for highly targeted advertisingbased on the user’s parking spot location.

Ticketing / VIP event

This business case is partially supported by reducing time atevent checkpoints. Contactless technology presents manyadvantages over other technologies: it works even when itis dark and does not require a lens to focus, its built-in anti-cloning/ anti-pass back security enables offline validation,and the use of contactless communication reduces the riskof failure as no mechanical parts are involved. Overall, thisnew method helps reduce operation costs and, moresignificantly, reduces the number of people needed at thegates to ensure a good user experience.

Users would also gain the option to make purchases fromwithin the mobile app. The app creates new revenuegenerating premium services such as paying extra for VIPaccess and paying the issuer a percentage on resoldgenuine tickets.

Since the smartSD memory card typically does not presenta reason for recurring fees, a card can be issued once andused for multiple events by the consumer.

Machine to machine

The smartSD memory card presents the perfectcombination to leverage mass secure storage and a securerun time environment. One consideration for this businesscase is the communication cost savings yielded by usingthe smartSD memory card to securely store data for latertransmission during lower cost, low-traffic times.

Another consideration for the business case is in the costsavings realized on a design that could have lower BOMcosts and the option to adapt the storage capacity to need,thus optimizing inventory costs.

Hotel room card

Hotels will definitively benefit from the dematerializedloyalty card business case taking advantage of localadvertising from partnering restaurants, bars and otherlocal events. It would provide benefit to both serviceproviders and users.

Additionally, the smartSD memory card with NFC reduces costsas it decreases staffing required for a good user experience atcheck-in and checkout. The user could take advantage of thehotel booking app to reserve a room and receive thecredentials to access such room directly on its smartSD. Takingadvantage of the smartSD contactless capabilities, thecustomer could go direct to his/her room while the bookingsystem can benefit from strong authentication.

The value add for the consumer could justify the consumerpurchase of a smartSD memory card, yet the cost savingsand the optional revenue opportunities from referring localpartners and advertising also provides a hotel operator withROI on the smartSD memory card.

Campus card

The cost of a campus smartSD memory card could easily beincluded in the students’ tuition fees since it supports manyuse cases such as physical access control to campus premises,library and other campus assets, remote access to the schoolnetwork and online courses, and payment of services andfees. It could also serve as a payment card for parentsinterested in managing their child’s spending, allowing themto remotely add funds when needed to provide additionalfunctionality over typical credit/debit card setting.

Some campus usage may generate revenue from thisprogram. For example, payment could leverage an e-purseor pre-paid MasterCard or Visa that would generate intereston the pool of funds, which could help subsidize the cost ofthe card. This might be complemented as well by customeracquisition fees from partner banks.

Universities can also use smartSD cards in the managementof textbooks and related class materials. The smart SD cardcan securely load and store required materials for a class ina format that can be easily accessed by students on themobile phones, tablets or laptops. Rental options, wherethe materials are only available during the class, are easilyadded to this model.

1



Enterprise

The smartSD memory card in the enterprise is a perfectexample of mobilization of services. The smartSD memorycard with NFC can actually address multiple use cases suchas physical access control and IT security, including secureemail on mobile devices, secure data storage and VPNaccess. smartSD memory card storage can also be used toeasily move files around the enterprise in a controlledmanner. As such, in the context of mobilization of theenterprise, the smart microSD memory card with NFC has aclear business case based on cost savings. First, it does nothave recurring costs unlike many other SEs. Then, it allowsthe enterprise to reduce the total cost of ownership byreducing the number of devices per employee and allowinguse of the employees’ own mobile devices. This move cutsthe cost of VPN tokens, sophisticated contactless badges,CDs and USB memory sticks, to name a few. Finally, havingan SE entirely controlled by the enterprise adds freedomand facilitates additional services.

Government / Secure communication

Today’s mobile devices provide the average consumer morecommunication abilities than a U.S. president could access20 years ago. The mobile device is a must-have tool thatprovides instant access to most information, which couldbe critical in certain situations. So while the potential ofmobile technology should be embraced, it should be verysecure so that sensitive information and communicationremains protected at all times. The cost of compromisedinformation could have immeasurable consequences. Thesmart microSD memory card could be used to providesecure voice communication, emails and remote access. Itcan also secure the data on mobile devices to ensure thatsensitive information is always protected. FurthermoresmartSD meets BYOD requirements.

TSM operator & MNO

There are various business models and opportunities to beconsidered by TSM operators and MNOs. Typically, thesmart microSD memory card with NFC could be subsidizedby charging a fee for loading a new applet on the SE. Whencharging a one-time fee, a few applets could easily coverthe cost of the smart microSD memory card with NFC.Rental fees could also be considered as an alternative, butrental fees could have a more direct impact on the service

provider’s business model. Also, additional revenue sourcesare created from managing the applet store and proposingadditional services to the consumer.

When a TSM operator is an MNO, the smart microSDmemory card allows the TSM to expand NFC servicesbeyond its customers and to acquire subscribers from otherMNOs. Furthermore, the removable smart microSD memorycard allows TSMs to target specific users, keeping upfrontNFC promotion costs very reasonable compared to othersolutions where contactless communication is providedwhether the user needs it or uses it.

Handset bundle

The removability of the smartSD memory card is a key assetwhen adapting a global device to local markets, as itreduces costs through higher production volume. Not onlydoes the smart microSD memory card allow availablestorage capacity to be adapted to the desired level for themarket and price point in regards to the device positioning,but it also facilitates enabling NFC where needed orrequested by mobile operators. As such, adding smartmicroSD memory cards to targeted markets results inoverall cost savings and potentially larger sales revenuethrough better market positioning.

Self-service kiosks

At the self-service kiosk – and photo kiosks in particularsince content sizes are growing every day – there isopportunity for improvement and innovation in the waycontent and payment are handled. With smartphones andother mobile devices emerging as the de-facto contentsource, secure payment would significantly improve theuser experience. Today, issues being reported from thekiosks include growing concerns with respect to userexperience, including issues with Bluetooth™ pairing, cablemanagement and accessing removable media. Theseproblems multiply in heavy traffic zones and during peakengagement times such as the holiday season.

The smartSD memory card also offers additional upsellingopportunities with the availability of additional storagecapabilities. The removable feature offers consumers theoption to store content from other sources like a camera oranother mobile device. At the service point, the contentfrom these sources can also be used to generate commercelike the printing of high-resolution pictures at a photo kiosk.

1



The service provider could then communicate coupons andpromotional materials based on the user activity. Thepresence of an SE in the smartSD memory card helpsvalidate these upsell items both while dispensing andconsuming them. The idea of a two-way communicationbetween the SE host and the payment point expands theprospects for self-service at the kiosk. The limitations of thecurrent contactless payment tokens are overcome withsmart microSD memory cards.

Pairing of NFC and smartSD memory cards provides asecure and flexible way for transferring content andfacilitates payment at self-service kiosks. This is animprovement on the current trend of fragmented servicesavailable to consumers. Providing the consumer withmobility, flexibility and security, smartSD technology canhasten the adoption of the mobile device as their paymentsource.

The GlobalPlatform Consumer Centric Model provides thetechnical framework to connect the token providers andthe service providers in delivering a better retail experiencefor the consumers and the service providers and smartSD isperfectly adapted to take full advantage of this model.

Secure services for multimedia in consumerdevices

smartSD memory cards also present a convenient approachto provide secure services such as payment or userauthentication for HDTV sets, gaming consoles, ebooks andmore.

For example, a smartSD memory card could be used ingaming to buy credits or additional game tools to moveforward and faster in a game. It can also be used toauthenticate the gamer for online multi-players games or toeasily report success on social networks. Overall, thesmartSD memory card helps protect identity theft, which iscrucial for online gaming where virtual goods are traded.

In the case of HDTV, the smartSD memory card could beused to create a link between payment and a Digital RightsManagement feature to grant access to multimediacontent. This smart microSD memory card could beincluded with the television, allowing support of DRMsystems from different content providers or with thedownload of a new DRM system. In that architecture, theDRM licensing cost is only paid when the smartSD memorycard is present, allowing for lower upfront cost on thetelevision for customers who are not interested in personalvideo recording.

1



SD Logos are trademark licensed by SD-3C, LLC

20

Conclusion

The smartSD memory card is the most versatile solution available today to enablesecure mobile services and to support contactless card emulation. It fits numeroususe cases and brings value to both the service provider and the consumer. smartSDextends the universal, convenient and portable value of SD memory cards to secureapplications and contactless communication services. smartSD memory cardspresent the most benefits to mobilize existing services as it fits with existingbusiness processes and ensures business independence. Plus, a competitive andthriving ecosystem means smartSD memory cards are available for purchase frommany SDA members.

All Copyrights and Trademarks referenced

in this document are property of their

respective owners.

Date post:	19-Mar-2018
Category:	Documents
Upload:	dangkhanh
View:	218 times
Download:	3 times

Activating New Mobile Services and Business Models · PDF fileSelf-service kiosks ......

Documents