A Thing
The Green SheetGreen Sheet

Tuesday, July 8, 2014

HCE payments face security, end-user hurdles

Host card emulation (HCE) technology is considered a promising new mobile payment scheme because it facilitates in-store contactless payments without transactions having to pass through the costly real estate of the secure element (SE) embedded in smart devices. But a recent SIMalliance Ltd. white paper details limitations of HCE, including lack of security and the very practical shortcoming that if an end user's mobile device runs out of battery life, the HCE-enabled transaction cannot be completed.

In Secure Element Deployment & Host Card Emulation v1.0, the London-based mobile payments association SIMalliance explained that HCE is beneficial for the near field communication (NFC) ecosystem as a whole because it encourages end-user adoption and developers writing NFC-based applications. However, HCE's main advantage, that it circumvents the SE controlled by the mobile communication firms, also means that HCE transactions do not benefit from the same level of security provided by the SE.

SE versus HCE

Like payments that flow through the SE, HCE relies on NFC communication between smart devices and POS terminals. But, unlike the hardware-based security of the SE, the HCE scheme bypasses the SE for the cloud, where payment credentials are stored, but are more vulnerable to cyber theft.

SIMalliance said, "HCE does not provide any specific hardware- or software-based security services; it behaves just like any other Android application and does not, therefore, offer the same level of security as conventional contactless smart card applications."

Because of this security limitation, and other drawbacks, HCE is currently best employed in lower-value environments, such as for closed-loop gift cards, where sensitive customer data is not at risk, SIMalliance added. Consequently, the association regards such schemes as open-loop payments, where credit and debit cards (and their associated account details) are employed, should be off limits to HCE.

"HCE is best suited to use cases where the user's stored credentials are of low value and where the emulated NFC application is not based on direct implementation of a current, pre-existing card application," SIMalliance said.

HCE and Android

In October 2013, Google added HCE functionality to its latest version of the Android operating system, called KitKat. SIMalliance pointed out that Android is the most attacked mobile environment to date, and by a substantial margin. SIMalliance cited the CISCO 2013 Annual Security Report as saying that 99 percent of all malware is aimed at Android.

SIMalliance also noted research from McAfee Labs that said, "Threats against other mobile operating systems, including Apple's iOS, are insignificant compared with malicious Android apps." That report added that in the third quarter of 2013, Android was the target of over 680,000 malware applications, a number which had grown by one third over the previous quarter.

This vulnerability to fraud is not shared by SE-based applications. "[T]here are no demonstrated instances of unauthorized access to, or duplication of, the sensitive data stored in a SE," SIMalliance said.

Power pitfalls of HCE

Other HCE shortcomings apparently exist. HCE payments that rely on the cloud also rely on the reliability of those networks. "An NFC transaction requiring back and forth exchanges with its corresponding IT system in the cloud, for example, will bring a critical dependence on the quality of the mobile network coverage or in-store Wi-Fi speeds, either of which could negatively impact transaction times at the point of sale," SIMalliance stated.

And what about consumers' concern about making payments with smart devices when battery life is low? In the case of HCE, the smart device relies on its own power to facilitate transactions, according to SIMalliance. If the device's battery is sufficiently drained, the payment cannot be made.

But SE-based payments are evidently a different story, as contactless readers or POS terminals can complete transactions even if mobile devices are turned off or batteries are low. "This SE functionality, known as 'low power mode,' means that a user can still rely on their device as a payment instrument even when it is otherwise unusable," the alliance said. "This feature has clear and far reaching implications for end-user convenience."

It is another pitfall of HCE that, as a software solution, its workability is dependent on the functioning of an entire ecosystem. "The fact that HCE is not a standalone piece of hardware but it is an integrated component in the Android OS (together, potentially, with other OSs in the future) is s serious challenge," SIMalliance said. end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing