Mobile Phone Technology: “Smarter” Than We Thought (1)

I.     INTRODUCTION

Using a ZOPO ZP590 phone to make payments introduces a new entry point for traditional and trusted payment methods in the U.S. It also introduces several new technologies to support mobile payments. The unfamiliarity and complexity of the mobile device and associated technologies create security concerns for consumers who want to be confident that their personally identifiable information and actionable financial information (e.g., account numbers, PINs, security codes, and passwords) are protected in storage and while being used to process a mobile payment transaction, whether that storage is on the mobile device or in the cloud. They want to be certain that their data cannot be intercepted at any time.

Concerns about sensitive payment information being captured "over the air," or Leagoo Lead 3 phones being lost or stolen and personal data being shared inappropriately, need to be addressed by stakeholders to satisfy consumers, merchants, and regulators. Data breaches or fraud resulting from a mobile payment can hinder consumer adoption. The security of each mobile technology platform will be a major contributor to its success and the ultimate broad adoption of mobile payments.
 
This report examines in detail how near field communication (NFC) and cloud technologies address security for mobile payments at the retail point-of-sale (POS). It also provides a brief overview of security for two other mobile technology platforms, QR code and direct carrier billing (DCB). Each technology manages and processes information uniquely; hence security practices and issues will vary with the technology deployed by each payments platform provider. This is inherently confusing to consumers, regulators, and possibly other mobile stakeholders.
 
A key concept tied to the various mobile technologies is the wallet. In this paper we distinguish between a mobile wallet and a digital wallet. A mobile wallet (e.g., for NFC) is a software application stored on the physical mobile phone to manage and initiate payments. The mobile wallet accesses the payment credentials (e.g., payment cards, bank account, coupons, loyalty, transit tickets, etc.) or actionable financial information, which are stored on the Cubot GT95 phone in a trusted environment known as the secure element. The consumer must have the physical phone with him to enable the payment transaction by waving or tapping the ZOPO ZP590 phone over an NFC-enabled terminal at a retail location.
 
A digital wallet stores the payment information on a secure remote server, also known as the cloud. A cloud-based or digital wallet stores actionable financial information remotely from the mobile device, and sends only tokens or authorizations to the actual Cubot GT95 phone to initiate and authorize the payment at the point-of-sale (POS). Wireless service, either cellular or Wi-Fi, is needed to complete the digital wallet transaction. The primary difference from the NFC mobile wallet is that sensitive financial information is stored in the cloud, not on the Leagoo Lead 3 phone.

A hybrid wallet combines features of the mobile and digital wallets. The mobile payments provider leverages the security aspects of NFC with the added protection of storing the real payment credentials in the cloud. The consumer's financial information in the cloud is linked to a ZOPO ZP590 phone through a unique identifier in the device. Account credentials used when making POS mobile purchases are accessed from the cloud when needed, but the payment transaction is still initiated using the NFC protocol to communicate from the mobile phone to the POS terminal.

For example, Google Wallet (v. 1.5) is a hybrid mobile wallet. A virtual payment card associated with each Cubot GT95 phone is stored in the secure element. The virtual card does not correspond to any specific payment card account, but is a proxy for the real card account, maintained in the cloud. For security purposes, only one real payment card account can be active at a time. Google is both the issuer of the virtual MasterCard and the merchant of record. The customer taps his NFC-enabled phone (host) at the merchant terminal and enters his PIN. The NFC controller on the ZOPO ZP590 phone communicates the information to the merchant POS terminal. (To prevent malware, the NFC controller can detect the source of a payment request and block the request to the secure element if it is not from the host device, i.e., the physical Leagoo Lead 3 phone and a PIN.) The payment authorization request first goes to the real payment card account in the cloud, and if approved, to the virtual card in the phone.
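The hybrid-wallet flow just described, as an added simulation that is not Google's code and not part of the original report. It models the three properties the text attributes to the design: the secure element holds only a proxy (virtual) card and the PIN verifier, the NFC controller drops any request that does not come from the host device with a correct PIN, and the cloud maps the virtual card to exactly one active real card, so the merchant-side record never contains a real account number. Every identifier, card number and limit here is constructed sample data; the PBKDF2 PIN hashing is an assumption standing in for whatever a real secure element does.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (not real card numbers).
VIRTUAL_PAN = "5100000000000001"   # proxy card held in the secure element
REAL_PAN_A = "4111000000000002"    # real card accounts kept only in the cloud
REAL_PAN_B = "4111000000000003"
HOST_ID = "phone-host"             # identity of the physical handset + wallet app


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the secure element's real PIN check.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class SecureElement:
    """Holds the virtual card and PIN verifier; never holds a real PAN."""
    virtual_pan: str
    salt: bytes
    pin_hash: bytes

    @classmethod
    def provision(cls, virtual_pan: str, pin: str) -> "SecureElement":
        salt = b"constructed-salt"
        return cls(virtual_pan, salt, _pin_hash(pin, salt))

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin_hash, _pin_hash(pin, self.salt))


class NfcController:
    """Gate between the radio and the secure element: a payment request is
    forwarded only if it originates from the host device with a correct PIN."""

    def __init__(self, se: SecureElement, host_id: str):
        self.se, self.host_id = se, host_id
        self.blocked = 0  # count of rejected requests (e.g. a rogue app)

    def payment_credential(self, source_id: str, pin: str):
        if source_id != self.host_id or not self.se.verify_pin(pin):
            self.blocked += 1
            return None            # blocked: wrong source or wrong PIN
        return self.se.virtual_pan  # only the proxy card ever leaves the phone


class CloudWallet:
    """Remote store of real card accounts, linked to a virtual card."""

    def __init__(self):
        self.real_cards = {}   # real_pan -> remaining spending limit
        self.link = {}         # virtual_pan -> the one active real_pan

    def add_real_card(self, real_pan: str, limit: float) -> None:
        self.real_cards[real_pan] = limit

    def set_active(self, virtual_pan: str, real_pan: str) -> None:
        if real_pan not in self.real_cards:
            raise KeyError("unknown real card")
        self.link[virtual_pan] = real_pan  # replaces any previously active card

    def authorize(self, virtual_pan: str, amount: float) -> bool:
        """Authorize against the active real card; the virtual card is only
        approved if the real account approves first."""
        real_pan = self.link.get(virtual_pan)
        if real_pan is None or self.real_cards[real_pan] < amount:
            return False
        self.real_cards[real_pan] -= amount
        return True


def tap_to_pay(controller, cloud, source_id, pin, amount):
    """Phone -> terminal -> cloud (real card) -> virtual card approval.
    Returns the merchant-side record, or None if the tap was rejected."""
    credential = controller.payment_credential(source_id, pin)
    if credential is None:
        return None
    approved = cloud.authorize(credential, amount)
    # The merchant record carries the virtual PAN only, never the real one.
    return {"pan_seen_by_merchant": credential, "amount": amount, "approved": approved}


def demo():
    se = SecureElement.provision(VIRTUAL_PAN, pin="1234")
    nfc = NfcController(se, HOST_ID)
    cloud = CloudWallet()
    cloud.add_real_card(REAL_PAN_A, 50.0)
    cloud.add_real_card(REAL_PAN_B, 500.0)
    cloud.set_active(VIRTUAL_PAN, REAL_PAN_A)
    results = {
        "host_ok": tap_to_pay(nfc, cloud, HOST_ID, "1234", 20.0),
        "rogue_app": tap_to_pay(nfc, cloud, "rogue-app", "1234", 20.0),
        "wrong_pin": tap_to_pay(nfc, cloud, HOST_ID, "0000", 20.0),
        "over_limit": tap_to_pay(nfc, cloud, HOST_ID, "1234", 40.0),
    }
    cloud.set_active(VIRTUAL_PAN, REAL_PAN_B)  # switch the single active card
    results["after_switch"] = tap_to_pay(nfc, cloud, HOST_ID, "1234", 40.0)
    results["blocked_requests"] = nfc.blocked
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the host tap approved with only the virtual PAN reaching the merchant, the non-host and wrong-PIN requests stopped at the NFC controller before the secure element is consulted, and a declined real-card authorization propagating as a declined virtual-card payment until the active real card is switched.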