Page 19 - FIGI Digital Financial Services security assurance framework
Magnetic Strip Technology (MST). 3G, 4G, and Wi-Fi are prevalently used for mobile wallets. Any risk that exists on a standard desktop or laptop computer may also exist on a mobile device.

Along with the standard communication methods of traditional desktop and laptop computers, mobile devices may also include multiple cellular technologies (e.g., LTE and GSM), GPS, Bluetooth, infrared (IR), and near-field communication (NFC) capabilities. Risk is further increased by removable media (e.g., SIM card and SD card), the internal electronics used for testing by the manufacturer, embedded sensors, and biometric readers.

i. Near Field Communication (NFC): NFC is a wireless communication protocol based on radio-frequency technology that allows data to be exchanged between devices that are a few centimetres apart. A wallet on an NFC-enabled mobile device is a software application stored on the mobile phone that manages and initiates payments. The mobile wallet accesses payment credentials such as tokenized payment cards, bank accounts, loyalty coupons, or financial information stored on the mobile phone in a trusted environment. The physical phone is used to initiate a payment transaction by tapping or holding the mobile device near a contactless-enabled POS terminal.

ii. Magnetic Strip Technology (MST): Magnetic Secure Transmission, or MST, generates a magnetic signal like that of a traditional payment card when swiped. The magnetic signal is then sent from the device to the POS terminal. MST is enabled on some Samsung mobile phones.

iii. QR codes: QR codes offer contactless payment alternatives in two ways:

a. Payer scans the merchant’s QR code; the merchant generates a transaction QR code or displays their assigned static QR code, the payer will then scan the code using their phone camera, and the payment application will interpret the payment or merchant details to initiate the transaction that can be completed by entering a PIN.

b. Merchant scans payer's QR code; the customer through their payment application will generate a unique transaction-specific QR code to the merchant; the merchant scans the code through their payment application using a QR scanner to initiate the transaction that can be completed by entering a PIN.

iv. 3G/4G and WiFi

In addition to 3G and 4G cellular networks, mobile devices can also connect to wireless (Wi-Fi) networks; these networks enable the mobile application on the device to interact with the payment service providers. 3G, 4G, and WiFi networks are usually provided by the Mobile Network Operator.

d) Token Service Provider (TSP)
The TSP manages the life cycle of tokens. Additional services typically include creating and storing tokens, managing the token lifecycle, processing token transactions, performing token-to-PAN mapping, cardholder validation, including provisioning services, key management for device-based wallets using HCE, verification services for the transaction and device validity.

e) Acquirer
The acquirer is the financial institution or bank that passes the merchant's transactions along to the applicable issuing banks to receive payment.

f) Issuer
The issuer is the financial institution that issues credit cards to consumers on behalf of the card networks.

g) Wallet Service Provider (WSP)
WSPs offer specific wallet solutions that use various communications technology for mobile payments.

h) Payment Service Provider (PSP)
PSPs provide the various methods that allow a merchant to accept payments from mobile and digital wallets. The PSP can connect to multiple acquirers as well as payment and card networks. By enlisting the services of a PSP, the merchant becomes less dependent on financial institutions to manage transactions, since the PSP can manage bank accounts as well as relationships with the external network.
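
The token creation, lifecycle management and token-to-PAN mapping listed under d) Token Service Provider (TSP), as an added Python example that is not part of the FIGI framework text. The class names, the three state names and the device-binding check are assumptions made for illustration, not a description of any real TSP.

```python
import secrets
from dataclasses import dataclass

# Allowed lifecycle moves (assumed state names); DELETED is terminal.
TRANSITIONS = {"ACTIVE": {"SUSPENDED", "DELETED"},
               "SUSPENDED": {"ACTIVE", "DELETED"},
               "DELETED": set()}

class TokenRejected(Exception):
    """Raised when a token must not be mapped back to its PAN."""

@dataclass
class TokenRecord:
    pan: str
    device_id: str
    state: str = "ACTIVE"

class TokenVault:
    """Hypothetical in-memory TSP vault (illustration only, no persistence)."""

    def __init__(self):
        self._records = {}

    def provision(self, pan, device_id):
        """Create and store a token bound to one device."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("malformed PAN")
        while True:
            # Random surrogate with no mathematical relation to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, device_id)
        return token

    def set_state(self, token, new_state):
        """Apply a lifecycle change, refusing moves out of DELETED."""
        record = self._records[token]
        if new_state not in TRANSITIONS[record.state]:
            raise ValueError(f"{record.state} -> {new_state} not allowed")
        record.state = new_state

    def detokenize(self, token, device_id):
        """Token-to-PAN mapping, gated on token state and device binding."""
        record = self._records.get(token)
        if record is None:
            raise TokenRejected("unknown token")
        if record.state != "ACTIVE":
            raise TokenRejected(f"token is {record.state}")
        if record.device_id != device_id:
            raise TokenRejected("token presented by a different device")
        return record.pan
```

Because the merchant and the device only ever hold the token, suspending or deleting it in the vault stops further payments from a lost phone without reissuing the underlying card.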