Robert Wessels wrote an opinion piece in Payments Source that was titled, “Host Card Emulation is a Secure Option for Mobile Payments.” In this he argues that security is a matter of perspective and that on balance tokens make HCE sufficiently secure for the purpose.
“While some may consider the use of HCE less secure as there is no physical secure element (SE) involved, it is really a matter of perspective. Instead of storing the card data in the SE, tokens are downloaded to the device and used to complete the transaction at the point of sale (POS). Any breach of security would expose only one or a limited amount of tokens (typically associated with a low transaction value), not the account itself. The limited gain available to hackers in return for the considerable investment of effort and time is more likely to make them put their focus on more attractive targets,” wrote Wessels.
“Many issuers therefore see this as an acceptable balance of risk and reward. With the value of the token being so low, it is questionable whether the highest level of security is required. As a comparison, your house is also less secure than a bank vault; the same level of protection is not required due to the value of the contents.”
The article also argues that HCE simplifies the business model and that despite some initial concerns the branded networks have embraced the HCE implementation.
“Overall, the benefits that HCE can bring, such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects, are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never certify such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments,” according to Wessels.
Tokens can clearly be an acceptable method for managing risk in a mobile environment where access to the Secure Element has been restricted, but only if properly implemented across all participants in the value chain. For more thoughts on this, read the Payments Journal blog, “Is the Security of Host Card Emulation Debatable?”
To read the full story, go to Payments Source.