The eSE (embedded Secure Element) is a tamper-proof chip available in different sizes and designs, embedded in any mobile device. It ensures the data is stored in a safe place, and information is given to only authorised applications and people.
It is like a personal ID for the end-user and for the device itself.
The eSE is multi-applicative and allows to secure a wide range of applications in any device and various use cases: payment, couponing, transport, access control, ticketing, corporate, cloud computing, e-government.
Depending on the device, eSE functionalities can vary, particularly the remote and secure way to retrieve data, secure connectivity, strong user authentication, device integrity, etc.
According to Eurosmart, 500 million eSEs will be shipped in 2020 (i.e. +13.6% increase vs 2018).
- Mobile payment has been increasing in popularity; smartphone OEM mobile wallet programmes are blooming across the globe.
- Wearables are also seen as a convenient form factor for payment and mass transit.
Thales has developed specific software to administrate and update eSE during the entire life cycle of the devices.
Thales embedded Secure Elements
Thales’ embedded Secure Element offer is characterised by the following elements:
- State-of-the-art certified eSE
- Compliant with the GlobalPlatform Card Secure Element Configuration standard
- Certified by major payment schemes (EMVCo, Visacard, Mastercard, AMEX, China UnionPay, MTPS) and contactless certifications organisations (FeLiCa, MiFare)
- Integrating all latest features gained in embedded OS, NFC ecosystem and multi-services markets
- Available in various form factors: WLCSP, surface mounted device (SMD)
- Available as a single-chip solution that supports both trusted contactless services (based on eSE) and mobile connectivity (based on eSIM)
- Unrivalled application offer
- Rich application catalogue gathering certified payment, transport, biometrics, enterprise, ID, government apps, both proprietary and with established partners
- Unique expertise for local application development and support
- A unique Trusted Service Hub (TSH) offer to quickly and easily deploy services worldwide.
- Strong local technical teams (Field Application Engineers and Technical Consultants) dedicated to supporting consumer electronics manufacturers.
- Recognised expertise in end-to-end fully deployed NFC projects
- Established relationships with key players in the industry
- Silicon vendors, combo makers, Contactless Front End (CLF) makers, device manufacturers, certification bodies, payment schemes
What’s a connected embedded Secure Element
The Connected eSE is the combination of an eSE and an eSIM in a single security chip, allowing to reduce the number of components in a device.
Thales’ OS ensures a strict separation between the security applications hosted in the eSE domain and the eSIM functionality.
This unique innovation brings a state of the art security level to any NFC service deployed in the connected eSE, unlike more straightforward solutions based on a plain eSIM.
In March 2020, Samsung has launched the world’s first smartphones, the Samsung Galaxy S20, Galaxy S20+ and Galaxy 20 Ultra, featuring a secure single-chip solution that supports both mobile connectivity and trusted contactless services, leveraging unique Thales’s connected eSE.
eSE production stage
Before being shipped, the eSE is loaded with a secure, tamper-resistant Operating System (OS) and a set of secure applications selected by the device manufacturer according to his target market(s).
In addition, each unit of eSE is loaded with uniquely diversified keys, identifiers and data files, some of them being specific to the secure applications.
The creation of this data and its loading into the chip are executed in sites and environments that have been certified to comply with stringent security requirements from recognised international bodies such as international payment schemes and GSMA for the connected eSE.
At the end of the loading process, and before it exits the factory, each eSE is logically locked so that only the eSE owner (e.g. the OEM) is allowed to amend it.
eSE post-issuance management
When an end-user purchases a device that embeds a secure element, he or she has to activate the eSE and then can download and personalise any application securely.
Various players are involved in making this scheme successful. The eSE owner (e.g. OEM…) is responsible for activating and administrating the eSE via the Secure Element Issuer Trusted Service Manager (SEI TSM). It can create a security domain for each service provider (SP) which can administrate its application in the eSE once provisioned either:
- through its Service Provider Trusted Service Manager (SP TSM),
- or through the one of a service aggregator, which provides a portfolio of services to the end-user. The aggregator role is optional and can be provided by Thales.
Thales also provides the Trusted Services Hub (TSH) that includes both the SEI TSM and SP TSM functionalities, in addition to the aggregator role. Furthermore, our TSH can be connected to any existing SEI TSM or SP TSM.
Thales proposes a very flexible approach based on various business models to best meet the requirements of consumer electronics manufacturers. The benefits of our TSH are multiple:
- Generate new revenue for device manufacturers when connecting to our hub
- Facilitate service deployment in the eSE anywhere in the world with a "plug and play" solution
- Technical: A single entry point to connect just once to enrich your service portfolio
- Commercial: Simple to connect to numerous service providers (banks, transport operators, etc.) with whom Thales already has commercial agreements.