Bangladesh is at a turning point in its mobile financial services industry. As a fast-growing country with a large unbanked population spread across rural areas, there is a need for financial services to reach far and wide. This has been the key success factor for some of the larger mobile financial service providers who are currently dominating the industry. However, with the recent boom in smartphone and internet accessibility, the MFS landscape is preparing for some major changes. One of the key players in this change is one of the largest banks in Bangladesh, the Dutch Bangla Bank Ltd.
Dutch Bangla Bank Ltd. has recently launched its own mobile financial and payments service, Nexus Pay, on December 05, 2017. It is the first Host Card Emulation (HCE) payments solution in Bangladesh, with the first EMV QR payment capability. An HCE solution provides security similar to that of chip payment cards by emulating the card itself. To a payments acceptance terminal, an HCE card behaves the same way as a chip-based payment card, using cryptographic challenges to verify its authenticity. Thus, unlike its predecessors, the Nexus Pay solution allows its users to make payments directly into a merchant account in an effortless manner. Complementing its ease of use is a high level of security built into the platform to keep the user’s payment information secure.
Using the capabilities of a smartphone, the Nexus Pay solution supports several payment channels for both user and merchant convenience. These methods of payment range from in-store payments to online payments, as listed below:
* NFC – Allows the user to quickly tap and pay at a merchant payment acceptance terminal.
* QR/Bar Code – Currently trending across the world, the QR/Barcode payment method allows users to scan a code to send payment from their device to the recipient’s account.
* Virtual Card for Online Payment – Creates a temporary payment card for online transactions which will expire after a limited time.
Security has always been a major requirement in the payments industry. Due to the technical capabilities of recent mobile phones, it is now possible to provide several layers of security when securing an EMV compliant HCE application. The Nexus Pay platform does this using the following techniques.
When it comes to electronic transactions, the user’s payment authorization is secured using a Personal Identification Number (PIN) which is known only to the user. Malicious users will try to acquire this PIN from the user to gain access to the account. An easy method of doing that is by visually taking note of the keys pressed by the user when entering the PIN.
The secure keyboard uses randomization to scramble the keys of the keyboard. This makes it difficult for onlookers to determine the keys pressed, as they are not in their usual locations. The data captured using the secure keyboard is also encrypted, making secure keyboards highly effective at protecting the value entered by a user.
For an HCE solution to initiate payment at a merchant payments acceptance terminal, the solution must provide the account holder’s information. However, it is difficult to ensure the security of a user’s account information on a mobile device, as a small breach in device security may compromise the user’s banking security. As such, HCE solutions use a method called Tokenization to ensure the security of the user’s personal information.
Tokenization is a method in which the user information is masked by storing it on a server and using temporary “token” data generated by the server for transactions. During the transaction, the token data is provided to the payments acceptance device for verification. Once the transaction is complete, the token can be made invalid, requiring a new token for subsequent transactions. This method is effective against theft of transaction information, since tokens can be made invalid after a limited number of transactions or a specified duration.
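The token lifecycle described above can be sketched as follows. This is an added example, not Nexus Pay's code: the `TokenVault` class, the 120-second lifetime, the single-use limit and the card number are all assumptions made for illustration.

```python
import secrets
import time


class TokenVault:
    """Server-side vault: the card number stays here, only tokens leave."""

    def __init__(self, ttl_seconds=120, max_uses=1, clock=time.time):
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self.clock = clock            # injectable so expiry can be exercised
        self._tokens = {}             # token -> [pan, expires_at, uses_left]

    def issue(self, pan):
        """Return a random token that carries no information about the PAN."""
        token = secrets.token_hex(16)
        self._tokens[token] = [pan, self.clock() + self.ttl, self.max_uses]
        return token

    def redeem(self, token):
        """Resolve a token to its PAN, or return None if it is not valid."""
        entry = self._tokens.get(token)
        if entry is None:
            return None               # unknown, spent or already expired
        pan, expires_at, _ = entry
        if self.clock() >= expires_at:
            del self._tokens[token]   # past its lifetime: invalidate for good
            return None
        entry[2] -= 1
        if entry[2] == 0:
            del self._tokens[token]   # use limit reached: invalidate
        return pan


def demo():
    now = [1000.0]                               # constructed clock value
    vault = TokenVault(ttl_seconds=120, max_uses=1, clock=lambda: now[0])
    pan = "4000000000000002"                     # constructed card number
    first = vault.issue(pan)
    results = {"first_use": vault.redeem(first) == pan,
               "replayed": vault.redeem(first)}  # captured token used again
    second = vault.issue(pan)
    now[0] += 121                                # let the lifetime pass
    results["expired"] = vault.redeem(second)
    return results
```

A token captured at the terminal is useless once it has been spent or has aged out, and at no point does the terminal see the card number itself.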
QR code-based payments are now trending as a quick and convenient way of making payments, with little to no cost to the merchant for payments acceptance. They support both customer-presented and merchant-presented forms of payment. However, since QR codes are easy to generate and replicate, it may be easy for malicious users to generate their own QR code and divert payments into their own account. For this reason, it is important to provide a level of security for QR codes.
EMV standardization allows QR codes generated by the platform to be recognized and accepted at all EMV compliant devices. In addition to the standardization, EMV has also added security guidelines for QR codes generated from the customer and merchant end.
* Dynamic Codes – The codes generated by the customer and/or merchant devices should be dynamic, expiring after a given period of time. The merchant may use static QR codes, for which there are other mechanisms to ensure security.
* Code Encryption – The QR codes generated are kept secure by encrypting the messages using authentication certificates and encryption key pairs. This ensures that only entities sharing the same pair of keys will be able to decode the messages received and generate QR-codes accepted by the same set of users.
The communication between the KonaPay mobile application and the server takes place in an untrusted network environment, i.e. over Wi-Fi or a mobile network, so it is crucial to maintain the security and authenticity of this communication. Secure Messaging communication is encrypted with a set of session keys derived from a set of pre-shared keys between the server and the wallet application, ensuring the integrity of the communication between the user device and the server.
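The idea of deriving per-session keys from a pre-shared key can be illustrated as below. This is an added example, not the platform's protocol: the page does not describe the actual derivation or message format, so HKDF (RFC 5869) over fresh nonces, the HMAC tag, the 4-byte sequence number, and all names and sample values are assumptions. It covers the integrity side only; encryption is left out.

```python
import hashlib
import hmac
import secrets

def hkdf_sha256(key, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_key(pre_shared_key, wallet_nonce, server_nonce):
    """Both ends mix fresh nonces into the pre-shared key: one key per session."""
    return hkdf_sha256(pre_shared_key, wallet_nonce + server_nonce, b"session-mac")

def protect(session_key, seq, payload):
    """Sender: bind the payload to its sequence number with an HMAC tag."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(session_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    def __init__(self, session_key):
        self.key = session_key
        self.next_seq = 0

    def accept(self, message):
        """Return the payload, or None if the tag or sequence number is wrong."""
        header, payload, tag = message[:4], message[4:-32], message[-32:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # modified in transit or wrong key
        if int.from_bytes(header, "big") != self.next_seq:
            return None                      # replayed or out-of-order message
        self.next_seq += 1
        return payload

def demo():
    psk = bytes(range(32))                   # constructed pre-shared key
    wn, sn = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_session_key(psk, wn, sn)    # wallet and server compute the same key
    rx = Receiver(key)
    msg = protect(key, 0, b"PAY 150.00 BDT to merchant 42")   # constructed message
    tampered = msg.replace(b"150.00", b"950.00")
    other_session = derive_session_key(psk, wn, secrets.token_bytes(16))
    return (rx.accept(tampered), rx.accept(msg), rx.accept(msg), key != other_session)
```

The altered amount and the replayed copy are both rejected, and a new pair of nonces yields a different key, so a key recovered from one session does not authenticate traffic in another.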
Local Database Encryption
As all the payment and card data resides inside the mobile application, Local Database Encryption (LDE) is used to secure the data. This deters malicious users from trying to gain access to sensitive user information directly from the mobile device database itself.
The use of NFC for transactions has several security advantages. The basic requirement of NFC communication is the close proximity of the communicating devices. This requirement makes it difficult for external entities to access and steal information from any of the devices without coming into very close contact with the NFC payments devices. The other advantage is support for session-based communication that allows for cryptogram verification and device authentication. With these two mechanisms put together, NFC technology provides a secure form of transaction widely accepted by payments security standards around the world.
Unification of Payment
In addition to the robust and secure payment methods provided by Nexus Pay, the solution has also managed to unify Dutch-Bangla Bank's different payment platforms, such as the MBS, CBS, CCS etc., into one solution, in the process bringing to the market a unified, feature-rich payment solution.
With a subscriber base of over 400k+ users and 250+ merchants, NexusPay has proved that it has already gained mass acceptance among consumers and merchants alike.
NexusPay’s ability to transfer funds from other banks' cards into the wallet, together with the added convenience of paying bills, making payments via QR/POS, transferring funds to other users by scanning a QR code, and giving any user access to cash via ATM cash withdrawal (coming soon), makes it a very strong competitor in the mobile wallet market in Bangladesh.