The white paper, entitled The NFC Security Quiz: 6 Key Questions Answered, emphasises that all NFC stakeholders must understand their liabilities, undertake a risk assessment, seek clarity on areas of responsibility and investigate ways to confidently optimise security. This creates a ‘security chain’, which FIME believes every actor engaged in the NFC sector must actively support.
A key conclusion of the document is that the NFC security certification process must do more to recognise and address the discrepancy between the evolution speed of the mobile industry and certification speed of products with sensitive applications, such as payment. FIME states that the two must align or run the risk of significantly jeopardising product time to market and the long-term acceptance of the technology.
“Achieving the highest level of security, without compromising usability and within a framework that meets the commercial limitations and technical requirements of the diverse NFC community, is a key challenge for the industry,” says Christian Damour, Security Business Line Manager at FIME. “Finding this balance is also a priority, as any security breaches at this stage of implementation could discourage adoption and have a devastating impact on the industry.”
The white paper explains the three areas of a mobile device – the rich operating system (rich OS), trusted execution environment (TEE) and secure element (SE) – and the levels of security and functionality offered by each. As the industry works to agreed best practice guidelines, the efforts of different standards bodies contributing to this space are also outlined. Attention is then turned to the contribution of GlobalPlatform, the organisation which standardises the management of applications on secure chip technology.
The white paper details: the GlobalPlatform Composition Model, which streamlines the security evaluation of SEs to shorten product time to market and lower the cost of the certification process; and the GlobalPlatform TEE Protection Profile, which identifies the security needs for the TEE.
Kevin Gillick, Executive Director at GlobalPlatform, comments: “Sensitive mobile applications such as identity, wallets or corporate applications, need rigorous testing before a product is launched. While the industry is aware that this will increase a product’s time to market, it also acknowledges that NFC applications such as payment will facilitate the delivery of services that add significant value to the end user. Through our members, GlobalPlatform understands the balance that needs to be achieved and is committed to developing the resources required to support the advancement of NFC technology and ensure it has a sustainable future. We are delighted to see our members, such as FIME, promote this work to a wider audience.”
The NFC Security Quiz: 6 key questions answered regarding today’s security framework for delivering sensitive NFC mobile services is free to download.