Patents by Inventor Ahmer A. Khan

Ahmer A. Khan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9590963
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key management for Issuer Security Domain (ISD) using GlobalPlatform Specifications. A client receives from a server an authorization to update a first ISD keyset. The client encrypts, via a client-side secure element, a second ISD keyset with a server public key. The client sends the encrypted second ISD keyset to the server for updating the first ISD keyset with the encrypted second ISD keyset. Prior to updating, the client generates the first ISD keyset at a vendor and sends the first ISD keyset to the client-side secure element and sends the first ISD keyset encrypted with the server public key to the server. The disclosed method allows for updating of an ISD keyset of which only the client-side secure element and a server have knowledge.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: March 7, 2017
    Assignee: Apple Inc.
    Inventor: Ahmer A. Khan
  • Publication number: 20170011395
    Abstract: Systems, methods, and computer-readable media for communicating electronic device secure element data over multiple paths for online payments are provided. In one example embodiment, a method includes, inter alia, at a commercial entity subsystem, receiving, from an electronic device, device transaction data that includes credential data indicative of a payment credential on the electronic device for funding a transaction with a merchant subsystem, accessing a transaction identifier, deriving a transaction key based on transaction key data that includes the accessed transaction identifier, transmitting, to one of the merchant subsystem and the electronic device, merchant payment data that includes a first portion of the credential data and the accessed transaction identifier, and sharing, with a financial institution subsystem using the transaction key, commercial payment data that includes a second portion of the credential data that is different than the first portion of the credential data.
    Type: Application
    Filed: September 23, 2016
    Publication date: January 12, 2017
    Inventors: Manoj K. Thulaseedharan Pillai, Ahmer A. Khan, Thomas Elliott, Timothy S. Hurley, Jennifer J. Bailey, David E. Brudnicki
  • Publication number: 20170003954
    Abstract: An electronic device (such as a cellular telephone) automatically installs and personalizes updates to an applet on a secure element in the electronic device. In particular, when a digitally signed update package containing the update is received from an updating device (such as a server), the secure element identifies any previous versions of the applet installed on the secure element. If there are any previously installed versions, the secure element verifies the digital signature of the update package using an encryption key associated with a vendor of the secure element. Then, the secure element uninstalls the previous versions of the applet and exports the associated user data. Next, the secure element installs the update to the applet, and personalizes the new version of the applet using the user data.
    Type: Application
    Filed: September 19, 2016
    Publication date: January 5, 2017
    Applicant: Apple Inc.
    Inventors: Ahmer A. KHAN, Joakim Linde, Mehdi Ziat
  • Publication number: 20160358172
    Abstract: Systems, methods, and computer-readable media for provisioning multiple credentials of a multi-scheme card on an electronic device for selective use in a secure transaction are provided.
    Type: Application
    Filed: June 7, 2016
    Publication date: December 8, 2016
    Inventors: Mehdi Ziat, Vamshi Krishna Aileni, Yousuf H. Vaid, Ahmer A. Khan, George R. Dicker, Christopher Sharp, Zachary A. Rosen
  • Publication number: 20160358157
    Abstract: To facilitate conducting a secure transaction via wireless communication between a portable electronic device (such as a smartphone) and another electronic device (such as a point-of-sale terminal), the portable electronic device may, after a final command is received from the other electronic device, determine a unique transaction identifier for the secure transaction. In particular, the final command may be specific to an applet, stored in a secure element in the portable electronic device, which conducts the secure transaction. The secure element may generate the unique transaction identifier based on financial-account information associated with the applet, which is communicated to the other electronic device. Next, the secure element may provide, to a processor in the portable electronic device, an end message for the secure transaction with the unique transaction identifier.
    Type: Application
    Filed: August 22, 2016
    Publication date: December 8, 2016
    Applicant: Apple Inc.
    Inventors: Ahmer A. KHAN, Zachary A. ROSEN, Joakim LINDE
  • Publication number: 20160360352
    Abstract: Systems, methods, and computer-readable media for priority based routing on an electronic device of data received from a processing subsystem are provided. In some embodiments, a method may include detecting on an electronic device that data received from a remote subsystem includes identifier information that is associated with a match element of an entry of a routing table, routing at least a portion of the data to a first priority destination identified by the entry, and, when the routing of the at least a portion of the data to the first priority destination identified by the entry is not successful, routing the at least a portion of the data to a second priority destination identified by the entry, wherein the second priority destination identified by the entry is different than the first priority destination identified by the entry.
    Type: Application
    Filed: June 6, 2016
    Publication date: December 8, 2016
    Inventors: Ahmer A. Khan, Zachary A. Rosen
  • Publication number: 20160344710
    Abstract: Systems, methods, and computer-readable media for securely pairing a secure element and a processor of an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, deriving a key using a processor of the electronic device, sharing the derived key with a commercial entity subsystem, and receiving the shared key from the commercial entity subsystem at a secure element of the electronic device, where the received key may be leveraged for enabling a secure communication channel between the processor and the secure element. Additional embodiments are also provided.
    Type: Application
    Filed: September 2, 2014
    Publication date: November 24, 2016
    Inventors: Ahmer A. Khan, Jerrold V. Hauck
  • Patent number: 9483249
    Abstract: An electronic device (such as a cellular telephone) automatically installs and personalizes updates to an applet on a secure element in the electronic device. In particular, when a digitally signed update package containing the update is received from an updating device (such as a server), the secure element identifies any previous versions of the applet installed on the secure element. If there are any previously installed versions, the secure element verifies the digital signature of the update package using an encryption key associated with a vendor of the secure element. Then, the secure element uninstalls the previous versions of the applet and exports the associated user data. Next, the secure element installs the update to the applet, and personalizes the new version of the applet using the user data.
    Type: Grant
    Filed: August 22, 2014
    Date of Patent: November 1, 2016
    Assignee: Apple Inc.
    Inventors: Ahmer A. Khan, Joakim Linde, Mehdi Ziat
  • Publication number: 20160286391
    Abstract: The disclosed embodiments relate to a first electronic device (such as a cellular telephone) that includes a secure element. In response to a challenge and a request for a secure-element identifier associated with the secure element, which are received from a second electronic device (such as a trusted services manager that loads content onto the secure element), the secure element provides to the second electronic device: the secure-element identifier, a certificate associated with a provider of the secure element, and a digital signature. The digital signature may include a signed version of the challenge and the secure-element identifier, which are encrypted using an encryption key associated with a provider of the secure element. In this way, the second electronic device may certify the secure element.
    Type: Application
    Filed: September 2, 2014
    Publication date: September 29, 2016
    Inventor: Ahmer A. Khan
  • Patent number: 9424568
    Abstract: To facilitate conducting a financial transaction via wireless communication between a portable electronic device (such as a smartphone) and another electronic device (such as a point-of-sale terminal), the portable electronic device may, after a final command is received from the other electronic device, determine a unique transaction identifier for the financial transaction. In particular, the final command may be specific to a payment applet, stored in a secure element in the portable electronic device, which conducts the financial transaction. The secure element may generate the unique transaction identifier based on financial-account information associated with the payment applet, which is communicated to the other electronic device. Moreover, the financial-account information may specify a financial account that is used to pay for the financial transaction.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: August 23, 2016
    Assignee: Apple Inc.
    Inventors: Ahmer A. Khan, Zachary A. Rosen, Joakim Linde
  • Publication number: 20160203467
    Abstract: Methods for operating a portable electronic device to conduct a mobile payment transaction at a merchant terminal are provided. The electronic device may verify that the current user of the device is indeed the authorized owner by requiring the current user to enter a passcode. If the user is able to provide the correct passcode, the device is only partly ready to conduct a mobile payment. In order for the user to fully activate the payment function, the user may have to supply a predetermined payment activation input such as a double button press that notifies the device that the user intends to perform a financial transaction in the immediate future. The device may subsequently activate a payment applet for a predetermined period of time during which the user may hold the device within a field of the merchant terminal to complete a near field communications based mobile payment transaction.
    Type: Application
    Filed: March 24, 2016
    Publication date: July 14, 2016
    Inventors: Ahmer A. Khan, Gregory B. Novick, Jerrold V. Hauck, Saket R. Vora, Yehonatan Perez
  • Patent number: 9299072
    Abstract: Methods for operating a portable electronic device to conduct a mobile payment transaction at a merchant terminal are provided. The electronic device may verify that the current user of the device is indeed the authorized owner by requiring the current user to enter a passcode. If the user is able to provide the correct passcode, the device is only partly ready to conduct a mobile payment. In order for the user to fully activate the payment function, the user may have to supply a predetermined payment activation input such as a double button press that notifies the device that the user intends to perform a financial transaction in the immediate future. The device may subsequently activate a payment applet for a predetermined period of time during which the user may hold the device within a field of the merchant terminal to complete a near field communications based mobile payment transaction.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: March 29, 2016
    Assignee: Apple Inc.
    Inventors: Ahmer A. Khan, Gregory B. Novick, Jerrold V. Hauck, Saket R. Vora, Yehonatan Perez
  • Publication number: 20160028702
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key management for Issuer Security Domain (ISD) using GlobalPlatform Specifications. A client receives from a server an authorization to update a first ISD keyset. The client encrypts, via a client-side secure element, a second ISD keyset with a server public key. The client sends the encrypted second ISD keyset to the server for updating the first ISD keyset with the encrypted second ISD keyset. Prior to updating, the client generates the first ISD keyset at a vendor and sends the first ISD keyset to the client-side secure element and sends the first ISD keyset encrypted with the server public key to the server. The disclosed method allows for updating of an ISD keyset of which only the client-side secure element and a server have knowledge.
    Type: Application
    Filed: September 30, 2015
    Publication date: January 28, 2016
    Inventor: Ahmer A. KHAN
  • Publication number: 20150371226
    Abstract: Systems, methods, and computer-readable media for using an online resource to manage reloadable credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving selection data via an online resource, where the selection data may be indicative of a particular credential applet stored on a secure element of the electronic device, in response to the receiving the selection data, accessing validation data from the particular credential applet on the secure element, transmitting initialization results comprising the accessed validation data to a remote subsystem associated with the online resource, in response to the transmitting, receiving reload data from the remote subsystem, and adjusting a balance of the particular credential applet based on the received reload data. Additional embodiments are also provided.
    Type: Application
    Filed: September 30, 2014
    Publication date: December 24, 2015
    Inventors: Timothy S. Hurley, Ahmer A. Khan, George R. Dicker, Christopher Sharp
  • Publication number: 20150348022
    Abstract: A system for provisioning credentials onto an electronic device is provided. The system may include a payment network subsystem, a service provider subsystem, and one or more user devices that can be used to perform mobile transactions at a merchant terminal. The user device may communicate with the service provider subsystem in order to obtain commerce credentials from the payment network subsystem. The user device may include a secure element and a corresponding trusted processor. The trusted processor may generate a random authorization number and inject that number into the secure element. Mobile payments should only be completed if the random authorization number on the secure element matches the random authorization number at the trusted processor. The trusted processor may be configured to efface the previous random authorization number and generate a new random authorization number when detecting a potential change in ownership at the user device.
    Type: Application
    Filed: September 2, 2014
    Publication date: December 3, 2015
    Inventors: Ahmer A. Khan, Jerrold V. Hauck, George R. Dicker, Jeffrey C. Lee, Mitchell D. Adler, Wade Benson
  • Publication number: 20150348007
    Abstract: Methods for operating a portable electronic device to conduct a mobile payment transaction at a merchant terminal are provided. The electronic device may verify that the current user of the device is indeed the authorized owner by requiring the current user to enter a passcode. If the user is able to provide the correct passcode, the device is only partly ready to conduct a mobile payment. In order for the user to fully activate the payment function, the user may have to supply a predetermined payment activation input such as a double button press that notifies the device that the user intends to perform a financial transaction in the immediate future. The device may subsequently activate a payment applet for a predetermined period of time during which the user may hold the device within a field of the merchant terminal to complete a near field communications based mobile payment transaction.
    Type: Application
    Filed: September 2, 2014
    Publication date: December 3, 2015
    Inventors: Ahmer A. Khan, Gregory B. Novick, Jerrold V. Hauck, Saket R. Vora, Yehonatan Perez
  • Publication number: 20150348008
    Abstract: A system for provisioning credentials onto an electronic device is provided. The user device may include a secure element and a corresponding trusted processor. A contactless registry service (CRS) applet running on the secure element may be used to manage the activation of one or more associated payment applets during a mobile payment transaction. The CRS applet may include at least a user input received flag and an authorization received flag. The user input received flag may be asserted in response to detecting a required user input for initiating payment. The authorization received flag may be asserted when the trusted processor sends an activation request to the secure element. A payment applet should only be activated when at least one of the user input received flag and the authorization received flag has been asserted.
    Type: Application
    Filed: September 2, 2014
    Publication date: December 3, 2015
    Inventor: Ahmer A. Khan
  • Publication number: 20150348000
    Abstract: To facilitate conducting a financial transaction via wireless communication between a portable electronic device (such as a smartphone) and another electronic device (such as a point-of-sale terminal), the portable electronic device may, after a final command is received from the other electronic device, determine a unique transaction identifier for the financial transaction. In particular, the final command may be specific to a payment applet, stored in a secure element in the portable electronic device, which conducts the financial transaction. The secure element may generate the unique transaction identifier based on financial-account information associated with the payment applet, which is communicated to the other electronic device. Moreover, the financial-account information may specify a financial account that is used to pay for the financial transaction.
    Type: Application
    Filed: September 2, 2014
    Publication date: December 3, 2015
    Inventors: Ahmer A. Khan, Zachary A. Rosen, Joakim Linde
  • Publication number: 20150326545
    Abstract: Systems, methods, and computer-readable media for securely rotating keys for an issuer security domain of an electronic device are provided. In one example embodiment, an electronic device may include a communications component that receives encrypted issuer data from a commercial entity subsystem. The electronic device may also include a secure element that, inter alia, decrypts the encrypted issuer data with a first key that is stored in an issuer security domain of the secure element and stores a second key in the issuer security domain based on the decrypted issuer data. Additional embodiments are also provided.
    Type: Application
    Filed: September 2, 2014
    Publication date: November 12, 2015
    Inventor: Ahmer A. Khan
  • Publication number: 20150324791
    Abstract: Systems, methods, and computer-readable media for efficiently storing credential service provider data in a security domain of a secure element of an electronic device are provided. In one example embodiment, an electronic device may include a secure element that, inter alia, receives credential service provider data from a secure element vendor subsystem, and that encrypts a key of the secure element with the received credential service provider data. The electronic device may also include a communications component that transmits the encrypted key to a credential service provider. Additional embodiments are also provided.
    Type: Application
    Filed: September 2, 2014
    Publication date: November 12, 2015
    Inventor: Ahmer A. Khan