ABSTRACT
Payment transactions initiated through a mobile device are growing and security concerns must be addressed. People
coming from payment card industry often talk passionately about porting ISO 9564 PIN standard based authentication in open-loop card payment to closed-loop mobile financial transactions and certification of closed-loop payment
product or solution against this standard. In reality, so far this standard has not been adopted in closed-loop mobile
payment authentication and applicability of this ISO standard must be studied carefully before adoption. The authors
do a critical analysis of the applicability of this ISO specification and make categorical statement about relevance of
compliance to closed-loop mobile payment. Security requirements for authentication in closed-loop mobile payment
systems are not standardised through ISO 9564 standard, Common Criteria [3], etc. Since closed-loop mobile payment is a relatively new field, the authors make a case for Common Criteria Recognition Agreement (CCRA) or other
standards organization to push for publication of a mobile device-agnostic Protection Profile or standard for it, incorporating the suggested authentication approaches.
Keywords: - ISO 9564 PIN Based Authentication, Card-Present and Card-Not-Present Transactions, Open-Loop and
Closed-Loop Payments, Mobile Payment, Stored-Value-Account, Common Criteria Protection Profile, Device Fingerprinting, m-PIN (mobile PIN), One Time Password (OTP), Android Application component called Service, backend
service.