HCE possibilities

Many have seen Google's announcement of Host Card Emulation (HCE) support in its latest Android release, 4.4 KitKat. HCE is not new technology; BlackBerry has had it in its devices for some time. But wider HCE support may trigger new, or revived, interest in implementing custom NFC contactless mobile payment apps that need neither the Secure Element (SE) in the phone nor any reliance on, or dependence on, MNOs.

For example, every contactless card specification of every payment scheme (Visa, MC, Amex, Discover and JCB) mandates support for the 'mag-stripe' profile / mode of operation (the one with a dynamically generated, one-time CVV3/CVC3 cryptogram). Every contactless-capable POS must also support interaction with a contactless card or NFC phone in the 'mag-stripe' profile. That card does not have to be a plastic card or a card implemented in the phone's SE. As long as the POS can talk to it by exchanging standard APDU commands, it can be implemented as a virtual card (vCard) provisioned to the phone 'on the fly' by the cloud, shortly ahead of the transaction. Such a vCard would have a very limited lifespan and would be good for one transaction only. It would contain the following main data (of course it would also contain vPPSE, vAIP, vAFL, etc.):

vPAN = the REAL BIN + a RANDOM number / token, making up a PAN of up to 16 numeric characters 
dCVV3/dCVC3 = a dynamic (one-time) CVV3/CVC3 value generated by the cloud, unique to and valid only for the next transaction 
vEXPIRY = the lifetime of the token  

The txn flow may be something like this: 

1. Before the payment, the consumer starts the HCE-enabled app on the phone, which immediately connects to the 'provisioning' cloud and obtains [vPAN, dCVC3/dCVV3, vEXPIRY], digitally signed with the cloud's private RSA key. This is, more or less, 'on the fly' vCard provisioning. If the implementation requires it, the consumer may have to enter a passcode to authenticate themselves to the cloud before provisioning happens.

2. Once step 1 has completed successfully, the consumer has a limited time window (until the vEXPIRY time is reached; its duration can be tailored according to the risk management rules) in which to make a purchase at a contactless-capable POS, exactly as if they were using a regular card provisioned with the contactless 'mag-stripe' profile.

3. Once the standard 'tap' interaction between the POS and the HCE-enabled app has finished (the actual APDU sequence depends on the payment scheme's implementation), the POS prepares a regular online ISO 8583 authorisation request containing the obtained [vPAN, dCVC3/dCVV3, vEXPIRY] data and sends it to the issuer for authorisation. The POS can, of course, also prompt the user for a PIN, which is encrypted and sent along for online verification.
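The three steps above, simulated end to end as an added example (constructed here, not code from the article or from any payment scheme): the cloud mints a single-use vCard, the HCE app answers the terminal's SELECT and GET PROCESSING OPTIONS APDUs, the POS assembles the online request, and the issuer host enforces the properties that make the vCard safe to expose: the dCVV3 is bound to vPAN, vEXPIRY and a counter, the token expires, and it is burned on first use so a replayed request is declined. Assumptions: the dCVV3 is an HMAC-SHA256 tag under a key shared by cloud and issuer (a stand-in for the scheme's CVC3/CVV3 key derivation), the RSA signature on the provisioning response is omitted, the record returned at GPO is a simplified '='-separated string rather than the real Track 2 equivalent data, and the ISO 8583 message is a dict keyed by data-element number. The BIN, AID, passcode and shared key are all made up.

```python
import hashlib
import hmac
import secrets

BIN = "412345"                     # issuer BIN (constructed)
CLOUD_ISSUER_KEY = b"\x11" * 32    # cloud/issuer shared key (constructed)
VCARD_TTL = 120                    # seconds a vCard stays valid (risk rule)
USERS = {"alice": "4711"}          # provisioning passcodes (constructed)
clock = [1_700_000_000]            # fake wall clock so expiry can be tested
ISSUED = {}                        # vpan -> token record shared by cloud and issuer


def now():
    return clock[0]


def luhn_digit(digits):
    """Check digit that makes digits + result a valid Luhn PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost payload digit is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def dcvv3(vpan, vexpiry, atc):
    """One-time 3-digit CVV3/CVC3 bound to PAN, expiry and transaction counter.
    Assumption: HMAC-SHA256 stands in for the scheme's key derivation."""
    msg = f"{vpan}|{vexpiry}|{atc}".encode()
    mac = hmac.new(CLOUD_ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def provision(user, passcode):
    """Step 1, cloud side: authenticate the user and mint a single-use vCard."""
    if not hmac.compare_digest(USERS.get(user, ""), passcode):
        raise PermissionError("passcode rejected")
    body = BIN + "".join(secrets.choice("0123456789") for _ in range(9))
    vpan = body + luhn_digit(body)            # 6-digit BIN + 9 random + Luhn = 16
    vexpiry, atc = now() + VCARD_TTL, 1
    ISSUED[vpan] = {"vexpiry": vexpiry, "atc": atc, "used": False}
    return {"vpan": vpan, "vexpiry": vexpiry, "atc": atc,
            "dcvv3": dcvv3(vpan, vexpiry, atc)}


SW_OK, SW_NOT_SUPPORTED = b"\x90\x00", b"\x6d\x00"


def hce_process_apdu(vcard, apdu):
    """Phone side (the HostApduService.processCommandApdu analogue): answer
    SELECT (PPSE or AID) and GET PROCESSING OPTIONS, refuse everything else."""
    cla, ins = apdu[0], apdu[1]
    if cla == 0x00 and ins == 0xA4:           # SELECT: an empty FCI suffices here
        return b"\x6f\x00" + SW_OK
    if cla == 0x80 and ins == 0xA8:           # GPO: hand over the one-shot record
        rec = f"{vcard['vpan']}={vcard['vexpiry']}={vcard['atc']}={vcard['dcvv3']}"
        return rec.encode() + SW_OK
    return SW_NOT_SUPPORTED


def pos_tap(vcard, amount):
    """Step 3, terminal side: run the tap and build the online auth request."""
    select_ppse = bytes.fromhex("00A404000E325041592E5359532E444446303100")
    select_aid = bytes.fromhex("00A4040007A000000000000000")   # placeholder AID
    gpo = bytes.fromhex("80A80000028300" + "00")
    for cmd in (select_ppse, select_aid):
        if hce_process_apdu(vcard, cmd)[-2:] != SW_OK:
            raise RuntimeError("card selection failed")
    resp = hce_process_apdu(vcard, gpo)
    if resp[-2:] != SW_OK:
        raise RuntimeError("GPO failed")
    pan, exp, atc, cvv = resp[:-2].decode().split("=")
    return {"DE2": pan, "DE4": amount, "DE14": int(exp),
            "DE48": {"atc": int(atc), "cvv3": cvv}}


def issuer_authorize(req):
    """Issuer host: check BIN, token, expiry, one-time CVV3 and single use."""
    pan, exp = req["DE2"], req["DE14"]
    atc, cvv = req["DE48"]["atc"], req["DE48"]["cvv3"]
    if not pan.startswith(BIN) or pan not in ISSUED:
        return False, "unknown token"
    tok = ISSUED[pan]
    if tok["used"]:
        return False, "token already used (replay)"
    if now() > tok["vexpiry"] or exp != tok["vexpiry"]:
        return False, "token expired"
    if atc != tok["atc"] or not hmac.compare_digest(cvv, dcvv3(pan, exp, atc)):
        return False, "dCVV3 mismatch"
    tok["used"] = True                        # burn the token before approving
    return True, "approved"


if __name__ == "__main__":
    card = provision("alice", "4711")
    print(issuer_authorize(pos_tap(card, 1250)))   # first tap: approved
    print(issuer_authorize(pos_tap(card, 1250)))   # same vCard again: declined
```

The order of the issuer checks matters: the token is marked used only after every other check passes, so a declined attempt (wrong dCVV3, expired window) does not consume a vCard the phone still holds, while a second presentation of an approved one is refused before any cryptographic work is done. Because the dCVV3 is only three digits, as in the real mag-stripe profile, its strength comes from single use and the short vEXPIRY window rather than from the tag length, which is why both of those checks sit in the issuer path rather than being left to the POS.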

This is just one of the possible use cases; of course there can be many more, and very different ones. But it clearly gives issuers and potential payment innovators freedom from MNOs, and a new lease of life for the NFC community. Will it help? Nobody knows for sure, and it remains to be seen. 

PCI DSS scope may also shrink considerably ;-) because once the transaction completes the vCard data is useless: the dCVV3 is single-use and the vPAN expires with vEXPIRY, so a [vPAN, dCVV3, vEXPIRY] set captured at the merchant cannot be replayed. The sensitive components then become the provisioning cloud, its signing key and its channel to the phone rather than the merchant's POS.


Comments: (3)

A Finextra member, 06 November, 2013, 14:27

Calculating a hash value ahead of time is nothing new; Bell ID already has this in its CloudSE solution (to enable offline NFC transactions in a no-network scenario).

I think bypassing the SE is the wrong approach, and it still does not address the main issue: consumer use in an integrated, easy-to-use wallet experience.

A Finextra member, 09 November, 2013, 03:03

Thanks for the comment. I am not sure I have claimed that anything I wrote is NEW; I just tried to summarise how it could possibly be used (this is just one way to do it, and of course there are many other variations) if someone wants to have an NFC-based payment solution without using the phone SE.

Anyway, I believe the main obstacle for contactless / NFC payments is the lack of a widely installed contactless infrastructure at the POS. We at Cardis International believe the main reason for that is that nobody has properly addressed / solved the transaction processing economics for low-value payments, before everything else.

 

A Finextra member, 10 November, 2013, 20:12

Very good article, thanks.