HCE cloud-based mobile payments have opened a new chapter in the industry's thinking around security of card data on-device and the risk management associated with it.
The lack of secure element hardware storage on-device creates the need for strong software-based solutions to mitigate the risk of storing sensitive card data in phone memory. Tokenization has emerged as one of the most important solutions for enabling secure cloud-based payments. By replacing something of high value, the Primary Account Number (PAN), with something of lower value, the limited-time use card data or "token," tokenization protects the original PAN from misuse.
But is tokenization alone enough?
Traditionally, tokenization means one-time use data. If one-time use card data is provisioned to the phone, then the security risk of the data being exposed is restricted to that transaction only. However, per the EMVCo specification on tokenization, a token is defined as an alternate PAN, which is not the same as one-time use data. Consequently, the tokenization specifications being implemented in commercial services today provision tokens to phones with extended active life spans, opening the window for potential fraud.
Hence the role of tokenization in cloud-based payment security for proximity payment is less important than is often assumed. The main security it provides is that a hacker cannot use the stolen card data online or in other channels.
Furthermore, having cryptographic keys and functions in the phone database leaves critical payment data vulnerable to attacks.
Two aspects become critical for consideration in thinking about cloud payment deployment based on HCE and tokenization. They are dynamic issuance and on-device security and management.
Service providers are generally familiar with the aspects of card issuance and personalization. Card issuance and personalization for SE-based and HCE-based issuance have much in common. The key difference is that the former is static while the latter is dynamic in nature. Dynamic issuance requires dynamic management of the card and account data in addition to tokenization.
On-device management is the ability to dynamically monitor various threshold parameters that govern the policy of making a transaction and performing account replenishment. For example, a bank may decide to replenish account parameters if the device is used to transact at a location that is 250 miles away from where the account data was initially issued. In this case, the digital issuance system resets the threshold parameters and replenishes the limited-use key. This is an example of how location data can be used to dynamically manage account parameters for cloud payment deployments.
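The threshold check described above can be sketched as follows. This is an added example, not code from the article or from any payment scheme: the class and field names, the transaction-count and key-age thresholds, and the fail-closed handling of a missing location are assumptions; only the 250-mile distance rule comes from the text.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_MILES = 3958.8

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(min(1.0, math.sqrt(a)))

@dataclass
class Policy:                          # hypothetical issuer policy
    max_distance_miles: float = 250.0  # the article's example threshold
    max_transactions: int = 5          # assumed value
    max_key_age_s: int = 24 * 3600     # assumed value

@dataclass
class KeyState:                        # hypothetical state of a limited-use key
    issued_lat: float
    issued_lon: float
    issued_at: int                     # Unix time the key was provisioned
    tx_count: int                      # transactions made with this key

def replenish_reasons(policy, state, tx_lat, tx_lon, now):
    """Return the thresholds crossed; a non-empty list means replenish."""
    reasons = []
    if tx_lat is None or tx_lon is None:
        # Assumption: without a location fix the distance rule fails closed.
        reasons.append("location_unavailable")
    elif haversine_miles(state.issued_lat, state.issued_lon,
                         tx_lat, tx_lon) > policy.max_distance_miles:
        reasons.append("distance")
    if state.tx_count >= policy.max_transactions:
        reasons.append("tx_count")
    if now - state.issued_at >= policy.max_key_age_s:
        reasons.append("key_age")
    return reasons

if __name__ == "__main__":
    # Constructed sample: key issued in San Francisco, used in Los Angeles.
    key = KeyState(37.7749, -122.4194, issued_at=0, tx_count=1)
    print(replenish_reasons(Policy(), key, 34.0522, -118.2437, now=3600))
```
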
On-device security is the implementation of a software-based secure element to protect card data and cryptographic keys and functions. In addition, application integrity must be maintained to resist modification of the application by hackers. Various techniques must be employed to protect application integrity, including white-box cryptography.
At the end of the day, secure mobile payments, especially leveraging cloud-based HCE, will only be possible by leveraging all the available tools for security. That will include network-based tokenization and dynamic issuance and management as well as robust on-device software and device fingerprinting. The sooner we understand that and start taking a holistic approach to mobile payments security, the sooner mobile payments will migrate from early adopters to the majority of the population.