News
Thales’s security evaluation of Samsung Pay contactless payment app on Galaxy S8 and S8+ leads to certification
August 2017 by Marc Jacob
Thales’s security evaluation of the Samsung Pay contactless payment application, performed on the Galaxy S8 and S8+ smartphone, has succeeded in allowing the app to be certified on the device.
As a result of the security evaluations undertaken by the Thales teams in Toulouse (France), the newly unveiled Samsung Galaxy S8 and S8+ enables secure payment networks from all major credit cards such as Mastercard and Visa.
The Samsung Pay HCE enabled banking app lets users save their bank and credit card details on their smartphones. Users can then use the NFC-based and MST-based contactless system to make payments at the point of sale. This payment method is currently being rolled out worldwide for Samsung users and is supported by more than a thousand banks and credit unions worldwide.
Underpinning the evaluation process was a relationship of trust established by Thales, Mastercard and Visa over the course of more than a decade. Thales operates one of the first laboratories accredited by Visa in 2014 to conduct security evaluations on HCE-based banking applications. From 2015, the Thales cybersecurity laboratory in Toulouse was accredited by Mastercard and other payment networks.
Thales has long partnered with Samsung, to deliver cryptographic security at critical points of the manufacturing process for mobile phones and other smart devices.
The development of Thales’s expertise in the security of contactless payments is a logical step beyond the Group’s leadership in cybersecurity for the banking sector. Today, Thales contributes to the protection of 80% of worldwide payment transactions and ensures data security for 19 of the 20 largest banks in the world.
In IT security, Thales’s services focus on penetration tests, code audits, vulnerability scans, Common Criteria evaluations and secure architecture design.
They encompass two types of evaluations:
• Software evaluation for first level security certification by ANSSI, France’s national agency for information system security
• Evaluation of hardware and embedded systems
Thales ITSEF (information technology security evaluation facility) is certified by ANSSI for Common Criteria evaluation and by Mastercard, Visa, EMVCo, American Express, Discover and JCB for security evaluation of bank cards (contact / contactless and dual smartcards) and integrated circuit cards. The ITSEF is a leader in the evaluation of NFC (near-field communication) and mobile payment products and has been present in this market since 2005. It is also involved in HCE (host card emulation) and TEE (trusted execution environment) evaluations. TEE provides a secure execution environment on mobile handsets for trusted applications, independently of the secure element.
