GlobalPlatform, the organization that sets standards for the management of applications on secure chip technology, has announced a new implementation guide for the deployment of its latest specification on a secure element. The group said the document will be of particular interest to parties working to advance secure application management on embedded SEs and smart microSD cards.
In an NFC-based mobile payment or services scheme, the SE is the chip that holds payment and personal information on a mobile device for use across a number of applications. As the technology has developed, three main methods for deploying an SE have evolved: a universal integrated circuit card (UICC), an embedded SE, and a smart microSD card.
With its new guide, GlobalPlatform specifically addresses the needs of card manufacturers and application developers working with embedded SEs and smart mircoSD cards. It also outlines the behavior of every member of the SE value chain and provides a summary of the role and responsibilities of each in a variety of business models.
"The publication of this document is significant," said Gil Bernabeu, GlobalPlatform technical director. "GlobalPlatform has been working to standardize all three SE form factors to provide service providers and application developers with confidence when creating their products. Broader development and deployment reduces costs and time to market. With standardization and interoperability across the marketplace, developers will only need to make one application, where they once needed to create three."
The various methods for SE distribution by carriers, mobile operating system providers and handset manufacturers are still up in the air as the market develops, but Bernabeu clarified why it's important to have a standard for securing customer data on an SE.
"Authentication, identification, signatures and PIN management are all central to the deployment of mobile value-added services and all require a protected environment to operate securely," Bernebeu said. "Taking a payment application as an example, it is important that the user's credentials do not become visible. The tamper-resistant security of the SE is ideal for this task."
GlobalPlatform said it is already working to advance its SE compliance program to incorporate the latest SE configuration. The program was endorsed earlier this year by EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa.
For more information on this topic, visit the Security research center.