• Gemalto is now part of the Thales Group, find out more.

Thales eSE secure end-to-end solutions

What is an eSE?

The eSE (embedded Secure Element) is a tamper-proof chip available in different sizes and designs, embedded in any mobile device. It ensures the data is stored in a safe place and information is given to only authorized applications and people. It is like a personal ID for the end-user and for the device itself.


The eSE is multi-applicative and allows to secure a wide range of applications in any type of device and in various use cases: payment, couponing, transport, access control, ticketing, corporate, cloud computing, e-government. Depending on the device, eSE functionalities can vary, particularly the remote and secure way to retrieve data, secure connectivity, strong user authentication, device integrity, etc.

According to Eurosmart, 500 million eSE will be shipped in 2020 (i.e. +13.6% increase vs. 2018). Mobile payment has been increasing in popularity, smartphone OEM mobile wallet programmes are blooming across the globe. Wearables are also seen as a convenient form factor for payment and mass transit.

Thales has developed specific software to administrate and update eSE during the complete life cycle of the devices.

Thales Embedded Secure Elements
  • State-of-the art certified eSE
    • Compliant with the GlobalPlatform Card Secure Element Configuration standard, Version 1.0 
    • Certified by major payment schemes (EMVCo, Visacard, Mastercard, AMEX, China UnionPay)
    • Integrating all latest features gained in embedded OS, NFC ecosystem and multi-services markets thanks to Thales' number one position
    • Available in various form factors: die or surface mounted device (SMD)
  • Unrivalled application offer
    • Rich application catalogue gathering certified payment, transport, biometrics, enterprise, ID, government apps, both proprietary and with established partners
    • Unique expertise for local application development and support
  • A unique Trusted Service Hub (TSH) offer to quickly and easily deploy services worldwide

  • Strong local technical teams (Field Application Engineers and Technical Consultants) dedicated to supporting consumer electronics manufacturers

  • Recognized expertise in end-to-end fully deployed NFC projects

  • Established relationships with key players in the industry
    • Silicon vendors, combo makers, Contactless Front End (CLF) makers, device manufacturers, certification bodies, payment schemes

eSE production stage

Before shipment by Thales, the eSE is loaded with a secure, tamper-resistant Operating System (OS) and a set of secure applications selected by the device manufacturer according to his target market(s). 

In addition, each unit of eSE is loaded with uniquely diversified keys, identifiers and data files, some of them being specific to the secure applications.
The creation of this data and its loading into the chip are executed in sites and environments that have been certified to comply with stringent security requirements from e.g. the banking community.
At the end of the loading process, and before it exits the factory, each eSE is logically locked so that only the eSE owner is allowed to amend it.

eSE post-issuance management

When an end-user purchases a device that embeds a secure element, he or she has to activate the eSE and then can download and personalize any application in a secure way.

Various players are involved in making this scheme successful. The eSE owner is responsible for activating and administrating the eSE via the Secure Element Issuer Trusted Service Manager (SEI TSM). He can create a security domain for each service provider (SP) who can administrate his application in the eSE once provisioned either through his own  Service Provider Trusted Service Manager (SP TSM) or through the aggregator's one. The aggregator role is optional and can be provided by Thales.

Thales provides the Trusted Services Hub (TSH ) that includes both SEI TSM and SP TSM functionalities, in addition to the aggregator role. Furthermore, our TSH can be connected to any existing SEI TSM or SP TSM.

Thales proposes a very flexible approach based on various business models in order to best meet consumer electronics manufacturers' requirements. The benefits of our TSH are multiple:

  • Generate new revenue for device manufacturers when connecting to our hub
  • Facilitate service deployment in the eSE anywhere in the world with a "plug and play" solution
    • Technical: A single entry point to connect just once to enrich your service portfolio
    • Commercial: Simple to connect to numerous service providers (banks, transport operators, etc.) with whom Thales already has commercial agreements.


Read more information on Trusted Service Hub


  • Posted on Jul 07, 2017

    Four questions OEMs should ask embedded Secure Element manufacturers

    OEMs need to ask what markets their eSEs will allow them to target, what the proven market acceptance is, and how an eSE can improve a vendor’s device lifecycle strategy.

    Read this post
  • Posted on May 04, 2017

    Samsung makes a play for the ultimate mobile experience with the Galaxy S8

    From payments to enterprise security, the new device relies on Secure Element technology to add value to the end user.

    Read this post
  • Posted on Apr 05, 2016

    M2M’s exciting, say business leaders, but, take note, security and privacy must be addressed

    Vodafone’s M2M Barometer 2015 reveals widespread enthusiasm for M2M IoT, but security and data privacy top the list of concerns.

    Read this post