This article in Mobile Payments Today is an interview with Kaushik Roy based on the deployment of Sequent’s HCE deployment for Sberbank in Russia. When asked regarding the perceived security of HCE-based NFC mobile payments, Roy gave this succinct response:
“That’s a very important question. There is a misperception that tokenization is all you need to make HCE mobile payments secure. In current commercial deployments of tokenization, tokens work more like alternate Personal Account Numbers (PANs). They are kept on a device for extended periods of time (instead of being strictly time-limited tokens) making them almost as valuable as a real credit card number for a crook.
But HCE, by not relying on a hardware-based secure element, requires much stronger on-device software and additional network-based security measures. Banks need to use code-hardening techniques and white box crypto to build a robust on-device software in lieu of secure element to store the tokens. In addition, network-based security measures are needed to prevent man in the middle, ear dropping or device cloning.
But at the end, HCE mobile payments can be made extremely secure, comparable to chip-based security. Beyond all the measures to secure the transactions, HCE also allows you to evaluate transaction risk in real time relying on multiple additional data points such as location, device ID and other telemetry data.”
Roy perfectly describes the challenges issuers face when deploying HCE-based solutions in this response, which Mercator described in August of last year in “Is the Security of Host Card Emulation Debatable?” and January of this year in “The Obstacles Facing Android to Enable a Payments Infrastructure That Rivals Apple Pay.”
Roy’s explanation highlights the shift in fraud management that must occur to support HCE. Tokens become restricted in time and value and new risk parameters are generated by the cloud that issuers must be able to recognize and respond to – issues that will be greatly reduced as mobile devices become more hardened by device manufacturers and OS suppliers.
Roy is then asked if given MasterCard and Visa have announced support for HCE, will this be the year of HCE deployment:
“Yes, you are right, that will change dramatically this year. What happened last year was a reality check for banks, networks and vendors alike. Making cloud-based HCE mobile payments happen securely on a commercial level proved to be a lot more challenging than many initially anticipated. Legacy payment infrastructure built to provision and process EMV credit card data on chip cards needed to be adapted to the security and other requirements of cloud-based transactions from mobile devices.
Tokens, for, example can wreck havoc in card-linked programs by issuers if not properly handled. On-device security must be hardened, dynamic issuance, TSPs and application management systems need to be integrated with a bank’s issuance and processing systems. All of this is not trivial.
But the advent of Apple Pay completely changed the picture. Banks in multiple countries feel like they need to move forward fast with HCE implementations in order to power their banking apps for payments. There is a lot of concern that they will be permanently intermediated by major tech companies in mobile payments and lose their direct connection to their customers. After spending years and millions of dollars investing in their mobile banking apps, the last thing they want to do is to lose the investment because they don’t have the desired payment functionality.”
This response further articulates the challenges that are in store for issuers that decide to deploy HCE-based mobile payment solutions. With these problems properly vetted, Roy is asked about international deployment of HCE, where he accurately identifies some of the reasons why HCE is so much more important internationally than it is domestically:
“We are starting to see a huge expansion outside the U.S. One interesting thing about the payments industry is how regionalized it is. You may have a few big global networks, but at the end of the day banks have huge power in their specific regions and local regulation plays a huge part in how players work in each country.
For this reason, I expect different mobile payment solutions to have more or less traction in different markets. For example, Apple has a commanding 45 percent market share of phones shipped in the U.S., which allows them to have huge market power when launching Apple Pay. But globally that share goes down to 12 percent and Android’s share of close to 85percent opens the field to many other players.
HCE has been gaining traction in Europe, especially where Android share is higher, and banks have considerable power in each country. But you can’t forget Samsung, other OEMs and even the MNOs. This will be a very active market in the next several years with regional battles raging between local players.”
One aspect of international adoption of HCE that was not addressed is that many countries are looking to enable their own domestic payment networks and so are inclined to adopt HCE before MasterCard and Visa arrive in-country.
In this article Roy properly identifies that HCE payments are more complex to deploy. Missing from the article is information regarding how fast alternatives may come to market. While Mercator has just started its research on the topic, it appears likely that mobile devices in the US will incorporate SE and other hardware-based security features over the next few years, which should obviate the need for HCE solutions as payment credentials become protected by the mobile handset’s hardware security features.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story