
  • Number of slides: 22

mPayment and Security Challenges
Hassan Khan, Head of Security Practice (MEA)

Content
1 What are mobile payments
2 How to exploit the opportunity
3 How to secure the business
© Nokia Siemens Networks GS CSI Security, Hassan Khan

Overall, the mobile payment market falls logically in four categories or domains

Mobile banking
• Bank and credit card accounts
• Account transfers
• Bill payments
• Stored-value account top-ups

Money transfers in developing countries
• Person-to-person
• Payment of utilities and prepaid airtime
• International remittances

Near Field Communication based payments
• Credit/debit card embedded in NFC-enabled phone
• ‘Touch and pay’ POS and vending

Mobile commerce strategies in retail
• Shopping on mobile websites
• Mobile coupons and loyalty cards
• Mobile ticketing

Source: Ovum, Mobile payments: progressing towards large-scale deployment, 10 March 2008

In addition to money transfers, mobile channel benefits banking both in the developed markets…

End-user benefits
• e- and mBanking
• Anywhere, any time access to basic banking services
• Personal, interactive service
• On-the-spot handling of payments
• Mobile PoS / NFC
• Convenient, fast payment for public transport, parking, fast food, tickets
• No need for coins & cash
• Mobile terminal as an electronic wallet
• Consolidated management of cards, tickets, vouchers, rebates
• Electronic ID more secure than cards

Benefits for merchant
• Payment solution suitable for demanding environments (moving, outdoors, public spaces)
• 50% faster transaction than with debit cards
• Less cash -> increased security
• More efficient marketing and CRM

… as well as in the developing markets

End-user benefits
• Low cost and fast money transfers (also fast response to emergency needs)
• Trustworthy and secure place to keep money
• Convenience of nearby prepaid merchant for making deposits and withdrawals compared to long lines and poor service at distant retail bank branch
• Increased disposable income at receiving end
• Earn interest on deposits
• Access to financing at reasonable rates
• Convenient and fast payment of bills

Benefits for merchant / prepaid agent
• More sales
• More customer visits to store
• Larger purchases – more money available
• Incremental revenue from transaction fees
• Long term: increased security as cash economy transitions to electronic funds

Key success factors: trust/brand, network effects and effective partnering

Trust and brand
• 1st mover often establishes a de facto payment platform
• Leverage trusted provider position

Network effects
• Enable as many connections between users as possible
• Interoperability with other payment and banking systems
• Good coverage of agent network, and retail POS

Partnering
• To fill gaps in the value chain and to create successful ecosystem
• For required financial services functions and processes
• International retail channel
• Training, motivation and management of retail partners

Content
1 What are mobile payments
2 How to exploit the opportunity
3 How to secure the business

…The key is to identify the opportunities where communications service providers can excel

Key questions and analyses
[Diagram labels: Opportunity space, Service provider strengths, Customer needs, Ecosystem, Regulation, Technology platforms]
• What roles and positions are available and attractive to a service provider
• Who will drive the development, who are needed as partners
• What to do itself, what to source or partner
• Additional requirements & domestic vs international transactions
• Where the service provider can be competitive in creating and capturing value
• Are banking licenses needed, can a communications service provider hold one
• What will be allowed within existing license
• What needs are underserved or latent
• Which segments to focus
• What other requirements do they have

Mobile Payments opportunities arise from creating superior value to the transacting parties

Required business components
• Retail agent / merchant / POS network
• Mobile payment platform operator
• Payment clearing / account settlement
• Account / stored value / billing relationship
• Cash management

Communications service providers key strengths
• Large base of capable terminals
• Core infrastructure
• Retail partners for distribution
• Wide geographic reach
• Credit rating for post paid subs
• Elaborate value storing in pre paid
• Customer care

Customer Needs
• Lower cost of transaction
• Wide reach through high mobile penetration
• Easy access regardless of location and time
• Low / no additional cost terminal
• Reduced cash management needs

M-PESA Kenya – Money Transfers

M-PESA Kenya: Easy-to-use Mobile Money Transfer Service

Safaricom launched its mobile money transfer service M-PESA in March 2007

Service Highlights
• Enables users to transfer money through mobile
• Targeted mainly at those without a bank account; offers an alternative method of money transfer
• Users have to register for an M-PESA account to send money
• Users can send approximately EUR 1 to EUR 360 worth money using the service
• No joining fee or minimum balance required; users pay commission on transactions

Service Success
• 20,000 registered customers within first month of launch; more than four million customers by October 2008
• Approximately 2,500 users registered to the M-PESA service every day in 2007
• M-PESA has facilitated approximately KES 9.4 billion (EUR 96 million) in person-to-person transactions by the end of March 2008
• Transactions worth KES 3 billion (EUR 30 million) in March 2008
• Young, Male, Urban migrant workers are the ‘Early Adopters’ of the service
[Chart; time axis: Jul-2007, Feb-2008, Mar-2008, Jun-2008, Oct-2008]

Service Offerings
M-PESA enables users to:
• Deposit money
• Transfer money
• Withdraw money
• Buy airtime
• Check account information

Key Partners
• Banks, Financial Institutions
• More than 3,500 M-PESA agents across Kenya

Source: Safaricom; Safaricom Annual Report 2008, CGAP; MIT Press Journals
Note: Exchange rate – KES 1 (Kenyan Shilling) = EUR 0.01027, as of 31 March 2008

M-PESA Kenya: Moving the Money Around Using M-PESA

M-PESA offers an easy registration process to the users; cash transfer and withdrawal are SMS-based

Registers for M-PESA
• User goes to M-PESA agent
• Upgrades the SIM for free, if required
• Provides details such as name, DOB, phone number and ID
• Activates M-PESA menu phone
• No additional bank account details are required for registration

Depositing money using M-PESA
• User goes to M-PESA agent
• Provides details such as phone number, amount and ID
• M-PESA agent deposits money using their mobile
• Money deposited by users is held safely in a bank account run by M-PESA on their behalf

Sending Money Using M-PESA / Withdrawing Money Using M-PESA
[Flow diagram labels: User, Family, Agent, Mobile Network, M-PESA Account Manager; SMS Instruction "Send money to family"; SMS Notice "Money received"; "Withdraw money from agent"; SMS Instruction "Send money to user"]
• M-PESA Account Manager moves the money between customers in response to SMS instructions
• Registered M-PESA customers have a ‘virtual money’ account attached to their Safaricom mobile phone number, backed up by an equal amount of money held in a Kenyan bank

Source: Safaricom; Safaricom Annual Report 2008

M-PESA Kenya: M-PESA Customer Charge Rates

Users are charged a commission of up to KES 170 (EUR 1.7) for sending or withdrawing money in the range of KES 100 – KES 35,000 (EUR 1 – EUR 360)

Transaction Type                    Transaction Range (KES)    Consumer Charge (KES)
Deposit cash                        100 – 35,000               0
Send money to M-PESA user           100 – 35,000               30
Send money to non M-PESA user       100 – 35,000               75 – 400*
Withdraw cash by non M-PESA user    100 – 35,000               25 – 170*
Receive money                       100 – 35,000               0
Buy airtime (for self or other)     20 – 10,000                0

* Note: Consumer charges vary depending upon the actual amount of money sent or withdrawn

• Customers are only charged for the transactions they initiate; services such as SIM swap are free
• All charges are deducted from the user’s M-PESA account
• Customers do not pay any charges to the M-PESA agents for transactions
• All SMS sent to and from M-PESA are free to the users
• A non M-PESA customer can also receive money through M-PESA

Source: Safaricom; Safaricom Annual Report 2008

Content
1 What are mobile payments
2 How to exploit the opportunity
3 How to secure the business

Why Protection: Theft of 100 Million Credit card records.

The Washington Post is reporting this afternoon that a security breach at the payment processor Heartland Payment Systems of Princeton, New Jersey late last year may have resulted in theft of 100 million credit and debit card accounts.

According to Heartland's website, "Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide."

In a company press release today, Heartland's president and chief financial officer Robert H. B. Baldwin, Jr., said, "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

"No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms."

The Post story said that Heartland "began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments... 40 percent of transactions the company processes are from small to mid-sized restaurants across the country."

The Post noted that many IT security folks are curious (as am I) as to why the announcement was made today - the day where 99% of the news is about the US inauguration. More than a bit suspicious, I think, and it makes you wonder if there is more to the story than what Heartland is disclosing, or whether their public relations department is tone deaf. We will keep a close eye on this; given the history of large scale data breaches, other shoes will be dropping shortly.

Protect the network from attacks: Perimeter security and Deep Packet Inspection

[Network diagram, not reproduced. Labelled elements include: mPayment, NOC, SIEM, OSS Center, OSS FW, IMS FW, VAS FW, OBS FW, GI FW, GP FW, DPI, VAS Domain (IPTV, email, MMSC, portal, music, WapGW), GN/GP Domain (GN DNS, GP DNS, SGSN, BGW), GI Domain (GI DNS, GGSN, DHCP, AAA), Charging/Supporting Services Domain (CGW, DCS), GRX network, Other PLMN, Corporate PDN]

Subscriber data is your most important asset: How to protect and provide confidentiality

Challenges
• Main interfaces are exposed to outside
• Integrity and confidentiality of subscriber data not granted
• Attacks from internal and external sources against services and infrastructure
• Service outages lead to loss of revenue and reputation

Solution
• Clear security domain concept
• Layered defense
• Customer data are highly protected
• Clear access control between domains
• Dedicated protection of publicly reachable services interfaces
• Blocking of manipulation of subscriber data
• Prevention of eavesdropping during transmission
• Central view of security incidents

[Diagram legend: Application Traffic, Database Traffic, OAM Traffic. CSDB: Common Subscriber Data Base]

Professional Security Operation Center to ensure high availability and compliance

Security Operation Center (SOC) is a system that includes facilities, technology, process and persons in order to protect information assets:
• Detection and Reaction
• Incident Management
• Infrastructure Management
• Centralized auditing functions (vulnerability scanning, SLA monitoring, compliance monitoring…)

Nokia Siemens Networks has proven its extensive security experience in more than 130 customer projects

Real security from Nokia Siemens Networks
• More than 130 commercial contracts closed
• A worldwide network of security experts supports the success
• Competitive advantage through combination of extensive telco-, IT- and security knowledge
• Satisfied customers
• One-stop-shopping through strong ecosystem of best-of-breed partners
• … Covering the full lifecycle from security consulting to support

Inspired thinking, innovative solutions

Back-up – mPayment

Technical solutions supporting Mobile Payments are widely available…

[Architecture diagram, not reproduced. Labelled elements: RN, USSD, SMS GWY, Subs d-base, Prepaid, mPayment application, ISO 8583, PoS, ATM, Bank, InternetBanking, Agent, Agent (Optional)]