PaymentsJournal
SUBSCRIBE
  • Analysts Coverage
  • Truth In Data
  • Podcasts
  • Videos
  • Industry Opinions
  • News
  • Resources
No Result
View All Result
PaymentsJournal
  • Analysts Coverage
  • Truth In Data
  • Podcasts
  • Videos
  • Industry Opinions
  • News
  • Resources
No Result
View All Result
PaymentsJournal
No Result
View All Result

Is the Security of Host Card Emulation Debatable?

Tim Sloane by Tim Sloane
August 27, 2014
in Uncategorized
0
0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

Robert Wessels wrote an Opinion in Payments Source that was titled “Host Card Emulation is a Secure Option for Mobile Payments.” In this, he argues that security is a matter of perspective and that on balance tokens make HCE sufficiently secure for the purpose.

“While some may consider the use of HCE less secure as there is no physical secure element (SE) involved, it is really a matter of perspective. Instead of storing the card data in the SE, tokens are downloaded to the device and used to complete the transaction at the point of sale (POS). Any breach of security would expose only one or a limited amount of tokens (typically associated with a low transaction value), not the account itself. The limited gain available to hackers in return for the considerable investment of effort and time is more likely to make them put their focus on more attractive targets.

“Many issuers therefore see this as an acceptable balance of risk and reward. With the value of the token being so low, it is questionable whether the highest level of security is required. As a comparison, your house is also less secure than a bank vault; the same level of protection is not required due to the value of the contents.”

The article also argues that HCE simplifies the business model and that despite some initial concerns the branded networks have embraced the HCE implementation.

“Overall, the benefits that HCE can bring, such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects, are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never certify such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.”

Tokens can clearly be an acceptable method for managing risk in a mobile environment where access to the Secure Element has been restricted, but only if properly implemented across all participants in the value chain.

For example, will everyone in the value chain have a shared perspective on the meaning of the 00-99 values assigned to the Token Assurance Level identified in the The EMVCo Payment Tokenisation Specification? If these values are implemented and interpreted differently for every issuer then the cost of managing the environment goes up, versus when the risk is implemented in a common fashion as is done with cards today.

The article suggests that some risk adverse issuers may want to utilize an alternative hardware device as an SE.

“For issuers that still consider HCE as “too insecure,” there may ultimately be a role for what Bell ID has called the “hybrid solution,” combining the benefits of the cloud with a physical SE on the device.”

This is exactly what the Token Assurance Level is designed to support, but if every issuer assigns its own values how can real time fraud engines be developed to meet the needs of the industry rather than being custom designed for each specific issuer? Tokens will be deployed, but how they are deployed (per issuer, per network, common across networks) will have a more significant impact on the payments value chain and the cost of managing fraud, than many currently think.

Tags: CreditDebitMercator InsightsMobile PaymentsPrepaidSelf Service and Convenience
0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

    Analyst Coverage, Payments Data, and News Delivered Daily

    Sign up for the PaymentsJournal Newsletter to get exclusive insight and data from Mercator Advisory Group analysts and industry professionals.

    Must Reads

    commercial payments

    Optimizing Commercial Payments in the Digital Age

    March 21, 2023
    cross-border payments

    Cross-Border Payments: Fighting
    E-Commerce Fraud Using Data

    March 20, 2023
    fraud, ChatGPT-4

    How to Fight Fraud While Still Enabling a Great Online Customer Experience

    March 17, 2023
    RTP

    Financial Institutions Without an RTP Strategy Risk Being Left Behind

    March 16, 2023
    visa chargeback

    New Visa Chargeback Guidelines Will Be a Game Changer

    March 15, 2023
    liquidity management

    Liquidity Management Takes on Increasing Importance in Uncertain Economic Times

    March 14, 2023
    payments

    Key Challenges from Growing Payment Methods and Volume

    March 13, 2023
    Data Governance is a Journey, financial data

    How FIs Can Power Their Operations with a Modern Data Architecture

    March 10, 2023

    Linkedin-in Twitter

    Advertise With Us | About Us | Terms of Use | Privacy Policy | Subscribe
    ©2023 PaymentsJournal.com

    • Analysts Coverage
    • Truth In Data
    • Podcasts
    • Videos
    Menu
    • Analysts Coverage
    • Truth In Data
    • Podcasts
    • Videos
    • Industry Opinions
    • Recent News
    • Resources
    Menu
    • Industry Opinions
    • Recent News
    • Resources
    • Analysts Coverage
    • Truth In Data
    • Podcasts
    • Industry Opinions
    • Faster Payments
    • News
    • Jobs
    • Events
    No Result
    View All Result

      Register to download the Autorek complimentary report: Payments Industry Outlook 2023: