Thales’s security evaluation of Samsung Pay contactless payment app on Galaxy S8 and S8+ leads to certification


Thales’s security evaluation of the Samsung Pay contactless payment application, performed on the Galaxy S8 and S8+ smartphones, has enabled the app to be certified on these devices.

As a result of the security evaluations undertaken by the Thales teams in Toulouse (France), the newly unveiled Samsung Galaxy S8 and S8+ enable secure payment networks from all major credit cards such as Mastercard and Visa.

The Samsung Pay HCE-enabled banking app lets users save their bank and credit card details on their smartphones. Users can then use the NFC-based and MST-based contactless system to make payments at the point of sale. This payment method is currently being rolled out worldwide for Samsung users and is supported by more than a thousand banks and credit unions worldwide.

Underpinning the evaluation process was a relationship of trust established by Thales, Mastercard and Visa over the course of more than a decade. Thales operates one of the first laboratories accredited by Visa in 2014 to conduct security evaluations on HCE-based banking applications. From 2015, the Thales cybersecurity laboratory in Toulouse was accredited by Mastercard and other payment networks.

Thales has long partnered with Samsung to deliver cryptographic security at critical points of the manufacturing process for mobile phones and other smart devices.

The development of Thales’s expertise in the security of contactless payments is a logical step beyond the Group’s leadership in cybersecurity for the banking sector. Today, Thales contributes to the protection of 80% of worldwide payment transactions and ensures data security for 19 of the 20 largest banks in the world.

In IT security, Thales’s services focus on penetration tests, code audits, vulnerability scans, Common Criteria evaluations and secure architecture design.

They encompass two types of evaluations:

  • Software evaluation for first-level security certification by ANSSI, France’s national agency for information system security
  • Evaluation of hardware and embedded systems

Thales ITSEF (information technology security evaluation facility) is certified by ANSSI for Common Criteria evaluation and by Mastercard, Visa, EMVCo, American Express, Discover and JCB for security evaluation of bank cards (contact / contactless and dual smartcards) and integrated circuit cards. The ITSEF is a leader in the evaluation of NFC (near-field communication) and mobile payment products and has been present in this market since 2005. It is also involved in HCE (host card emulation) and TEE (trusted execution environment) evaluations. TEE provides a secure execution environment on mobile handsets for trusted applications, independently of the secure element.

About Thales:

Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 64,000 employees in 56 countries, Thales reported sales of €14.9 billion in 2016. With over 25,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world.

Thales is one of the European leaders in the security domain, established as an integrator of systems with high added value, manufacturer and service provider. Thales solutions secure the four key domains considered essential by modern society: government, cities, critical infrastructure and cyberspace.

Drawing on renowned cryptographic capabilities, Thales is one of the world leaders in cybersecurity products and solutions for defense, governmental bodies, critical infrastructure operators, communication, industrial and financial companies. With a presence throughout the information security chain, Thales offers a comprehensive range of services and solutions ranging from security consulting and audits, data protection, digital trust management, cybersecured system design, development, integration, certification and through-life management to cyber-threat intelligence, intrusion detection and security supervision with Security Operation Centres in France, the United Kingdom, The Netherlands, Canada and Hong Kong.