Google made waves last week with its announcement of a Host Card Emulation (HCE) solution that allows one, inter alia, to "emulate" EMV without requiring any secure element (SE). Oh my...
Google's own source claims that "Android HCE emulates ISO/IEC 7816 based smart cards". Well, ISO 7816 is a standard for contact (!) cards that describes... the physical characteristics of... the SE - nothing to do with a contactless payments interface or protocol, let alone SE-less payments. Also, Google says that HCE allows transit applications to be implemented; however, HCE does not support such popular low-level transit protocols as Mifare. Does Google truly understand what it is talking about?..
Let's take a step back and re-visit Socrates who said: "The beginning of wisdom is a definition of terms." What does "emulate" mean?.. "To try to be like something you admire". Even if we discount the "admire" bit, if one (legitimate) Android app can pretend to be an EMV card, so can another (malicious) app...
Take a look at Google's "security" pedigree as far as its Wallet is concerned. Problem, problem, problem.
Sure, those issues were eventually fixed, but why does anyone need a condom with a hole in the first place, even if that hole can be - disaster post factum (!) - patched up?..
HCE is not a new feature - BlackBerry has had it for over a year. It takes its roots from SimplyTapp's solution, which did entail a secure element - that SE was cloud-based. When adopting HCE, Google decided to drop the SE altogether (as far as one can tell) not because it made perfect technological sense, but because it made some business sense. For Google.
What about banks? A compromised HCE can result in a £100+ loss. The cost of an SE is £2 or less. Is that level of risk really worth it?..
So, where does all that lead us? To make things work properly, the mobile payments market needs an agnostic (and free) secure element which can be used by any legitimate third party via an "open API". Such a secure element should work with any smartphone out there - not just with Android (let alone just with Google's own phone).
Such a secure element should have a magic "press to pay" (mechanical) button that puts the user firmly in control and also prevents "man in the middle" attacks.
Such a secure element would support any transit and access control protocol out there. And be EMV-compliant. And allow "card present" e-commerce to be implemented. Now that's what I call a true game-changer.