25 October 2014

HCE will support secure element market growth - SIMalliance

23 June 2014  |  1036 views  |  1 Source: SIMalliance

Following the recent publication of the Consult Hyperion/GSMA discussion paper 'HCE and SIM Secure Element: It's Not Black and White', SIMalliance has highlighted that future growth of the NFC ecosystem and NFC-based applications, resulting from host card emulation (HCE), is likely to expedite SIM-based NFC payment deployments and create opportunities for mobile network operators (MNOs) to 'address the security and authentication gaps in HCE*'.

Frédéric Vasnier, SIMalliance Chairman, comments: "SIMalliance recognises that a future NFC landscape will consist of HCE and SE-based models, together with hybrid deployment models. Importantly, there is consensus within our membership that this is a real opportunity for growth in the SE market; we believe this for a number of reasons.

"Firstly, HCE promises to drive forward mass adoption of NFC services as it offers a speedier route to market and makes NFC more accessible and versatile to developers. So as consumer familiarity increases, demand for NFC SIM-based services will also grow. Yet as the recent Consult Hyperion/GSMA report indicates, there is an increasing acceptance that HCE will be best suited to certain types of low-value NFC applications. The enhanced security offered by a SE, particularly when distributing or managing valuable and/or sensitive credentials, continues to make it a necessary requirement in high value NFC service deployments.

"Secondly, the SE is the most likely route to market for payment service providers who want to achieve an early mover status in the NFC payment space. This is because there is an established global infrastructure which makes secure SIM-based NFC payment service delivery possible today; 124m NFC-enabled SIMs have already been shipped in the past three years. What's more, the supporting infrastructure needed to access and manage NFC-enabled SIMs 'over the air' is also in place. Put simply, the foundation is already out there and ready for use.

"And finally, even when a payment service provider opts for a HCE-tokenisation approach to NFC payments, there is still a valuable role for the MNO's SE (SIM) to play. For example: the user could authenticate to the token service provider using SE stored credentials; additionally, the risks introduced by storing tokens in a non-secure environment may be manageable for low value credentials, but are likely to be unacceptable when dealing with high value credentials, so the storage of tokens in a tamper resistant SE inevitably provides the most secure solution.

"In summary, there is significant potential for HCE to drive growth across the entire NFC market, and if that market consists of both HCE and SE-based NFC deployments, then that is certainly good news for the whole ecosystem.

"Within SIMalliance, HCE is viewed as an NFC enabler. In recognition that it is rapidly bringing mass NFC deployment ever closer, SIMalliance remains focused on supporting MNOs in their efforts to simplify third party access to their subscribers, via the strong base of NFC-enabled SIMs which are already operational and those that will continue to be proactively deployed to wider subscriber portfolios in the future. By simplifying NFC service deployments between mobile networks and across national borders, MNOs will better enable service providers to maintain the security and usability benefits that today's SE-NFC solutions already deliver."

SIMalliance published a paper in April 2014, titled 'Secure Element Deployment & Host Card Emulation'. It explores both the advantages and the limitations of HCE, providing insights and assessments on a broad range of related topics, including the investment risks for early adopters, the security fallibilities of Android 4.4, the scale of the HCE-NFC certification challenge and the prohibitive barriers to HCE acceptance in global transport and ticketing systems. 

Comments: (1)

A Finextra member | 23 June, 2014, 12:49

I think the issue that nobody seems to have addressed: Offline requirements - i.e. if the device is out of battery (my understanding is HCE is non-operable in this use-case - a eSE or UICC SE will operate but having more than one payments application - how does a user determine the preferred application?) or if network access is too slow or not available (e.g. Transport Application Oyster/Octopus).  Pre-Caching Hashes for (limited) offline authentication will only lead to potential attacks/exploits.

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Related blogs

Create a blog about this story (membership required)

Featured job

£100,000 plus bonus
Central London

Find your next job