The recent inclusion of host card emulation, known as HCE, into Android 4.4 KitKat last year opened up the possibility of performing mobile NFC payments without a hardware secure element. But while HCE may remove some of the complexity of SIM secure element NFC payments, this is only part of the story.
Mobile contactless payments have traditionally been secured by a tamper-resistant hardware secure element (such as a SIM), an approach inspired by chip-and-PIN cards. The secure element enforces the transaction's security level through an established, certified process, bringing it to a level comparable with chip-and-PIN cards. That same process, however, brings multiple players (such as mobile operators) into the business model. This collaboration is hard, as it adds complexity to the ecosystem, but it is achievable – for example, services in markets including China, Korea, Canada, France, Poland and Norway are already experiencing steady growth.
Reduced complexity is the key appeal of HCE: it makes it possible for software-only payment applications to access the handset's contactless interface without this hardware secure element. This interests banks, who are eager to deploy their applications with more flexibility. The main issue for banks, however, is that without a secure element, HCE offers no hardware protection for payment applications, so additional security measures are needed to reduce the likelihood and impact of a successful attack. Key points of vulnerability include the cloud, the payment app and the handset, where logical and procedural security measures, such as user verification and white-box cryptography, will help to reduce the risk. The effectiveness of these measures will need to be verified and evaluated for each specific implementation as banks explore the strengths and weaknesses of each solution.
But these security measures come with a trade-off in the bank's project costs and complexity and — more importantly — in user experience. Mobile payments are competing with contactless cards. If a customer can take their contactless card out of their wallet and tap for entry to a subway station, why would they enter a PIN on their phone each time they enter the station?
The introduction of HCE is good for the mobile payment ecosystem, as it gives banks an alternative to SIM-based services and encourages them to take up mobile services sooner. Careful consideration will be needed to balance usability and security, but by being flexible and future-proofing their projects, banks will be able to offer their customers the mobile services they want with the convenience they expect.
Claire Maslen leads the financial services outreach for the GSMA, where she is responsible for fostering collaboration between the mobile and financial services sectors. Prior to the GSMA, Claire led market development in the UK for O2 Money and held telecommunications leadership roles in mCommerce and NFC.
The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators with 250 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and Internet companies, as well as organisations in industry sectors such as financial services, healthcare, media, transport and utilities. The GSMA also produces industry-leading events such as Mobile World Congress and Mobile Asia Expo.
For more information, visit www.gsma.com or follow @GSMA.