The trade-offs of HCE on mobile payment security

Claire Maslen

The inclusion of host card emulation (HCE) in Android 4.4 KitKat last year opened up the possibility of performing mobile NFC payments without using a hardware secure element. But while HCE may remove some of the complexity of SIM secure element NFC payments, this is only part of the story.

Mobile contactless payments have traditionally been secured by a tamper-proof hardware secure element (such as a SIM), an approach inspired by chip-and-PIN cards. This secure element controls the transactions’ security level through an established process, bringing it to a level similar to that of chip-and-PIN cards. While this well-known process is certified, it also brings multiple players (such as mobile operators) into the business model. This collaboration is hard, as it adds complexity to the ecosystem, but it is achievable: for example, services in markets including China, Korea, Canada, France, Poland and Norway are already experiencing steady growth.

It is the reduced complexity that is the key appeal of HCE: it makes it possible for software-only payment applications to access the handset’s contactless interface without using this hardware secure element. This interests banks, which are eager to deploy their applications with more flexibility. The main issue for banks, however, is that without a secure element, HCE doesn’t have the tools to protect payment applications, so additional security measures are needed to reduce the likelihood and impact of a successful attack. Key points of vulnerability include the cloud, the payment app and the handset, where logical and procedural security measures, such as user verification and white-box cryptography, will help to reduce the risk. The efficiency of these kinds of security measures will need to be verified and evaluated for each specific implementation while banks explore the strengths and weaknesses of each solution.

But these security measures come with a trade-off against the bank’s project costs and complexity and, more importantly, the impact on user experience. Mobile payments are competing with contactless cards. If a customer can take their contactless card out of their wallet and tap for entry to a subway station, why would they enter a PIN each time they enter the subway station?

The introduction of HCE is good for the mobile payment ecosystem as it gives banks an alternative to SIM-based services and encourages them to take up mobile services sooner. Usability and security concerns will need to be carefully balanced, but by being flexible and future-proofing projects, banks will be able to offer their customers the mobile services they want with the convenience they expect.

Claire Maslen leads the financial services outreach for the GSMA, where she is responsible for fostering collaboration between the mobile and financial services sectors. Prior to the GSMA, Claire led market development in the UK for O2 Money and held telecommunications leadership roles in mCommerce and NFC.

The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators with 250 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and Internet companies, as well as organisations in industry sectors such as financial services, healthcare, media, transport and utilities. The GSMA also produces industry-leading events such as Mobile World Congress and Mobile Asia Expo.

For more information, visit www.gsma.com or follow @GSMA
