KOBIL provides security for Migros mobile payments

WORMS – 10 November 2015 – Since the end of August, the Migros Cooperative Association has enabled its customers to pay by smartphone – even if the mobile phone is offline. In order to process the payment transactions securely, the Swiss company uses the mIDentity security platform by KOBIL Systems to protect the App and the identity of the user against hacker attacks. KOBIL also provides the back-end security infrastructure and ensures communication between the Migros payment servers and the payment providers.

No bothersome cash, no expensive credit cards and no bank cards. Buyers only need to whip out their constant companion, their smartphone, and can settle the due payment via an App. This is quicker and easier for the customer. The mobile payment function integrated into the Migros App generates a 2D code containing information about the identity of the payer and the payment method. This code is scanned at the checkout and transmitted to the Migros payment servers, which handle secure communication with the payment providers that ultimately authorise the transaction. The whole payment process, including the back-end processing, takes place at least as quickly as a traditional payment with cash or bank/credit card, with more convenience and security for the customer. The advantage for Migros is that mobile payments promote customer loyalty and the company can provide incentives to make using the Migros Bank even more popular among its customers.

Before customers use the App for the first time to make a payment, they must activate the function, be allocated a PIN code and provide details of method(s) of payment (Migros bank account or current credit cards). To make a payment, a customer enters the PIN code and selects the method of payment. The App then generates the aforementioned 2D code that authorises the payment transaction. After that the customer receives a payment confirmation on their mobile phone.

The App is not dependent on Near Field Communication (NFC). It works on Apple and Android smartphones and does not require any special hardware. The payment function is also active if the mobile phone has no network connection.

Migros secures the mobile payment transaction by using the mIDentity security platform by KOBIL Systems in Worms. The platform offered by the German provider ensures the security of the App, which was developed with the help of the App Security Toolkit by KOBIL. The toolkit contains various security mechanisms and generates the 2D code. It offers a range of integrated security functions, such as protection from debugging and reverse engineering, security sensors (jailbreak and malware detection), methods that make the software more resilient against known run-time attacks, encryption, secure keystores for application-specific certificates, as well as trustworthy certification mechanisms independent of the operating system. The SDK also ensures that the Migros App cannot be accessed by other applications, which could lead to corruption.

KOBIL is also involved in the payment server, which not only processes the data for the relevant customer transaction contained in the 2D code, but also ensures secure communication with the systems at Migros Bank and other payment providers. The payment server is fitted with the Smart Security Management Server (SSMS) by KOBIL. Its functions include checking the code generated by the App, including the PIN and device signature, as well as authorisation. This ensures that the encrypted data is indeed coming from the relevant App and that the latter is using the selected method of payment correctly. It is only after the server has successfully completed its checking routines that it forwards the data contained in the 2D code and the transaction data to the Migros Bank core system or that of a third-party payment provider. After these have confirmed the solvency of the customer, the checkout activates the transaction in the payment server and the customer account is debited. The whole of this process takes place in real time, so the customer does not have to wait at the checkout.

Dr. Adrian Büren, responsible for the mobile payment project at Migros, is convinced that the mobile payment function in the Migros App ensures greater customer convenience and therefore loyalty. “In future more and more customers will expect that they can pay us by mobile phone and we would like to offer them this convenience with the greatest possible security. The security and identity mechanisms necessary for this have been provided to us by KOBIL. As we have already cooperated with them for mobile banking for the Migros Bank, we were already familiar with their expertise and did not have to start anew for mobile payment. The cooperation with KOBIL therefore enabled a swift implementation of the platform.” Thomas Balgheim, the chief representative at KOBIL, states: “Our mIDentity platform is extremely secure and is used, for example, by major banks and logistics providers for authorisation and identity management. We have now extended the platform for mobile payment transactions. We are especially delighted that Migros uses our technology across a range of business areas, thereby creating an ecosystem between them.”

Paying with the Migros App – this is how it works