HUAWEI Mobile Services (HMS)
Security Technical White Paper V2.0
Copyright © Huawei Device Co., Ltd.
6.5 HUAWEI Wallet/Huawei Pay
Huawei Pay is a secure, convenient, and smart electronic wallet that allows users to
access their public transport passes, bank cards, door keys, and eIDs on their
Huawei mobile devices. With just a single tap, users can use their phones to shop,
take a bus, open a door, authenticate their identities, and more.
HUAWEI Wallet does not store sensitive information such as a bank card's CVV (the
last three digits on a bank card's magnetic stripe) and validity period. Only the token
information of a bank card number is stored in the security chip. To ensure data
security when a bank card is added to Huawei Pay, the binding information is
transmitted to the card issuer through the security control it provides. The issuer will
then send an authorized token to the security chip for storage. This means that the
actual card number is never stored on the mobile phone. The security chip provides
an isolated space for storing sensitive information, avoiding malicious behavior that
may occur in a non-isolated space.
Users can pay using Huawei Pay only after they complete identity verification using
their payment passwords or biometric data. Biometric data analysis is performed in
the TEE. No apps, including HUAWEI Wallet, can access the user's raw biometric
data, and biometric data will not be uploaded to any server.
The Huawei Pay server communicates with devices and payment servers through a
secure TLS channel.
Huawei Pay signs payment messages using a digital certificate to ensure their
integrity, preventing user payments from being maliciously deducted or tampered
with.
In-App Purchases (IAP) provides in-app payment capabilities for global developers,
and delivers unified capabilities such as product definition, product ordering and
purchase, and service delivery for apps.
With IAP, users can make in-app payments (using bank cards or HUAWEI Points)
conveniently, securely, and confidentially.
Users can authorize IAP to use their fingerprints or faces for payment, which is based
on the CCS. After a mobile phone's device certificate (key attestation) passes
verification, the PKI system server issues a payment certificate for the app with IAP
integrated. During payments, the certificate will be used to sign specified sensitive
data, thereby enabling security verification from the device, app, and user
perspectives, as well as ensuring message integrity.
When a user makes a payment on Huawei Pay using their fingerprint or face, the
system verifies whether the fingerprint or face data is consistent with that stored in
the TEE of the user's mobile phone. If the fingerprint or face data is consistent,
transaction data will be signed using the PKI digital certificate in the TEE before
being uploaded to the server, ensuring payment security. Throughout the payment
process, fingerprint and face data is stored only in the TEE, as opposed to the cloud,
safeguarding users' private information.
The IAP server adheres to the storage encryption requirements of the financial
industry. Only the first six and last four digits of a bank card are displayed on a
mobile phone. When the HUAWEI Points balance records of a user are stored, only a
digest of the current balance is stored to prevent data tampering. The PBKDF2
algorithm exports digests of users' payment passwords, and does not store the actual
passwords.