Security Domain Integration Complete
The project timeline we posted in the last update called out “Security Domain Integration” as the most recent milestone, and we are pleased to report that it has been reached. Ok, great. But what the heck is “Security Domain Integration” and why is it important? Bear with us Backers; we are going to take a dive into the weeds on this one to describe Security Domains and their significance to Pagaré.
Pagaré’s core payment methodology conceals your personal account information (or PAN) through a process called tokenization. A token is a payment credential that enables retail transactions to occur without sharing your PAN at the point of sale. A security domain is simply the digital silo that safely stores that payment credential, or the tokenized version of your credit card information. Security domains are a mandatory part of the tokenization provisioning process because they ensure that your tokenized payment information is securely stored and enabled to safely complete a purchase.
Think of the security domain as a safety deposit box for the tokenized version of your credit card information. It’s provided by a Secure Element - Trusted Service Manager (SE-TSM). To ensure that it is secure, an external governing body establishes and oversees the security parameters and protocols used in the process. In order to establish a security domain, our platform must request a discrete domain for your Pagaré from the SE-TSM and then write it to the hardware (the eSE chip, or the embedded secure element) on your smartstrap.
Here’s more detail on how it works:
Step 1: Security Domain Request
Once a new account and wallet is created through the Pagaré mobile app, a request for a new security domain is initiated from the platform to the SE-TSM.
Step 2: Setup Script Sent
A setup script tells the platform, the mobile app and the eSE on the smartstrap that the security domain is ready to be created. The script contains APDU (Application Protocol Data UNIT) commands, which instruct the secure element to create the security domain on your Pagaré. APDU commands are defined by ISO/IEC 7816 which is an international standard governed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). All of that means that your information is kept secure.
Step 3: Security Domain Setup
Once the setup script is confirmed through a series of receipts, the Pagaré mobile app communicates the proper APDU commands over Bluetooth to the eSE, creating the security domain.
Step 4: Domain Key
After another series of receipts (or acknowledgements) confirms the security domain has been established, the security domain keys are sent back to the platform to start the personalization process.
Completing the Security Domain Integration milestone means that the platform can now successfully request a security domain and create it on the Pagaré eSE chip. It sounds simple, but as you can see it is a complicated process that involves not only Pagaré and our platform, but also integrating with third-party providers and financial data governing bodies to ensure that every part of the transaction is secure. Completing the Security Domain Integration is a big step in establishing the infrastructure needed to make Pagaré work safely and securely.
The next step is the personalization of the security domain, which is the process of actually loading individual payment credentials (a tokenized version of a credit card) in the security domain on the Pagaré. We are currently in the testing phase of that process and will have results to report soon. We will provide that information and other updates soon.
The FitPay Team