PaymentsJournal
No Result
View All Result
SIGN UP
  • Commercial
  • Credit
  • Debit
  • Digital Assets & Crypto
  • Digital Banking
  • Emerging Payments
  • Fraud & Security
  • Merchant
  • Prepaid
PaymentsJournal
  • Commercial
  • Credit
  • Debit
  • Digital Assets & Crypto
  • Digital Banking
  • Emerging Payments
  • Fraud & Security
  • Merchant
  • Prepaid
No Result
View All Result
PaymentsJournal
No Result
View All Result

Is the Security of Host Card Emulation Debatable?

By Tim Sloane
August 27, 2014
in Mercator Insights
0
0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

Robert Wessels wrote an Opinion in Payments Source that was titled “Host Card Emulation is a Secure Option for Mobile Payments.” In this, he argues that security is a matter of perspective and that on balance tokens make HCE sufficiently secure for the purpose.

“While some may consider the use of HCE less secure as there is no physical secure element (SE) involved, it is really a matter of perspective. Instead of storing the card data in the SE, tokens are downloaded to the device and used to complete the transaction at the point of sale (POS). Any breach of security would expose only one or a limited amount of tokens (typically associated with a low transaction value), not the account itself. The limited gain available to hackers in return for the considerable investment of effort and time is more likely to make them put their focus on more attractive targets.

“Many issuers therefore see this as an acceptable balance of risk and reward. With the value of the token being so low, it is questionable whether the highest level of security is required. As a comparison, your house is also less secure than a bank vault; the same level of protection is not required due to the value of the contents.”

The article also argues that HCE simplifies the business model and that despite some initial concerns the branded networks have embraced the HCE implementation.

“Overall, the benefits that HCE can bring, such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects, are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never certify such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.”

Tokens can clearly be an acceptable method for managing risk in a mobile environment where access to the Secure Element has been restricted, but only if properly implemented across all participants in the value chain.

For example, will everyone in the value chain have a shared perspective on the meaning of the 00-99 values assigned to the Token Assurance Level identified in the The EMVCo Payment Tokenisation Specification? If these values are implemented and interpreted differently for every issuer then the cost of managing the environment goes up, versus when the risk is implemented in a common fashion as is done with cards today.

The article suggests that some risk adverse issuers may want to utilize an alternative hardware device as an SE.

“For issuers that still consider HCE as “too insecure,” there may ultimately be a role for what Bell ID has called the “hybrid solution,” combining the benefits of the cloud with a physical SE on the device.”

This is exactly what the Token Assurance Level is designed to support, but if every issuer assigns its own values how can real time fraud engines be developed to meet the needs of the industry rather than being custom designed for each specific issuer? Tokens will be deployed, but how they are deployed (per issuer, per network, common across networks) will have a more significant impact on the payments value chain and the cost of managing fraud, than many currently think.

0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn
Tags: CreditDebitMobile PaymentsPrepaidSelf Service and Convenience

    Get the Latest News and Insights Delivered Daily

    Subscribe to the PaymentsJournal Newsletter for exclusive insight and data from Javelin Strategy & Research analysts and industry professionals.

    Must Reads

    Authorization Rates

    Boosting Revenue for Merchants by Optimizing Authorization Rates

    May 12, 2025
    Why Payment Orchestration is the key to international merchant growth

    Ensuring Payment Decisions Pay for Themselves

    May 9, 2025
    cross-border

    As Businesses Reevaluate Cross-Border Relationships, Financial Institutions Can Help

    May 8, 2025
    Nacha WEB Debit Account Validation Rule Verification Solution, Quovo ACH Payment

    The Brave New Future of the Disappearing Account

    May 7, 2025
    solana financial

    After an Upgrade, Solana is Primed to Be the Blockchain of Choice for Financial Institutions

    May 6, 2025
    PAR values

    The Connecting Thread: How PAR Values Can Mitigate Fraud and Supercharge Loyalty Programs

    May 5, 2025
    mobile banking

    How Mobile Banking Apps Can Be the Center of Customers’ Money Movement Activities

    May 2, 2025
    uk visa mastercard

    The Warning Signs Looming Over Credit Card Lending

    May 1, 2025

    Linkedin-in X-twitter
    • Commercial
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Digital Banking
    • Commercial
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Digital Banking
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    • About Us
    • Advertise With Us
    • Sign Up for Our Newsletter
    • About Us
    • Advertise With Us
    • Sign Up for Our Newsletter

    ©2024 PaymentsJournal.com |  Terms of Use | Privacy Policy

    • Commercial Payments
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    No Result
    View All Result