
5 myths about Google's HCE

Hardly a day goes by without someone getting excited about Google's Host Card Emulation (HCE). Media is selling it as the "Open Sesame" for mobile payments. Is that true?

Executive summary: IMHO, b***cks! HCE is a good tool for specific use cases, but it's not - by far - the Holy Grail. Here's why.

To understand what HCE is all about, let's take it straight from the Google horse's mouth:

  • The HCE architecture itself provides one core piece of security: only the OS can communicate with the app. This ensures that any data received is actually received by the OS from the NFC controller.
  • The core remaining (!) piece is where you get the data from that you're sending back to the NFC reader. This is intentionally decoupled in the HCE design: it does not care (!!) where the data comes from, it just makes sure that it is safely transported to the NFC controller and out to the NFC reader.

Myth 1: HCE replaces secure element
That was the main selling point that caused all the excitement. A secure element is about secure (i.e. extremely hard to break or clone) storage of sensitive data or values, e.g. payment credentials AND cryptographic keys.

HCE has got NOTHING to do with secure storage. All HCE does is attempt to ensure that the NFC controller on the phone talks - via the OS - only to your app. HCE "does not care" where your app stores sensitive data... Ditto.

Myth 2: HCE is interface-agnostic
There have been many claims that HCE is not just about NFC and can be extended to any other interface, for example Bluetooth. As Google clearly spelled it out, HCE is about the "OS-NFC" interface at this stage, nothing else.

That also means that HCE is not suited for "card present" e-commerce. Ditto.

Myth 3: Card networks support HCE
Yes, Visa and MasterCard are "looking at" HCE, but they do not - yet (if ever) - accept or approve it as the solution for making "card present" (let alone EMV-compliant) payments. Visa and MasterCard made some enthusiastic general statements about HCE. Yet, at the recent Cartes conference MasterCard clearly stated that all their current plans in respect of mobile payments are SE-based.

Which brings us to another point.

Myth 4: HCE is EMV-compliant/compatible
No, it is not. Again, HCE is about the "OS-NFC" channel. EMV is about a specific data flow that, most importantly, includes a cryptogram. That cryptogram requires secret keys. Which need to be stored securely. The keys are currently stored in... the secure element. Google "does not care" where you store those keys on the phone...

EMV could amend the specifications to accommodate an HCE-based solution, but that would take YEARS...
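A simulation of the routing model Google describes above and of the key question in Myth 4, added here as an example that is not from the post and not Google's HCE code: the router stands in for the OS, the app handler answers APDUs, and where the app's key comes from is injected, which is exactly the part HCE leaves open. The AID, the key values and the class names are constructed, and a truncated HMAC-SHA256 stands in for the EMV cryptogram.

```python
import hashlib
import hmac

APP_AID = bytes.fromhex("F0112233445566")   # constructed AID (proprietary range) for this simulation only
SW_OK, SW_NOT_FOUND, SW_BAD_INS, SW_NO_KEY = b"\x90\x00", b"\x6a\x82", b"\x6d\x00", b"\x69\x85"

class LocalKeyStore:
    """Long-lived key in app storage: what HCE alone leaves you with; anything that can read the app's files reads it."""
    def __init__(self, master_key):
        self.master_key = master_key
    def next_key(self):
        return self.master_key                  # same key for every transaction

class IssuerProvisionedKeys:
    """Single-use keys pushed from the issuer backend ("SE in the cloud"); the handset never holds the master key."""
    def __init__(self, keys):
        self._keys = list(keys)
    def next_key(self):
        return self._keys.pop(0) if self._keys else None   # None: replenishment needed

class PaymentApp:
    """The HCE app: answers the APDUs the router hands it; its key source is injected, not decided by HCE."""
    def __init__(self, key_source):
        self.key_source = key_source
    def process_command_apdu(self, apdu):
        if apdu[1] != 0xAE:                     # only a GENERATE AC-style command is handled
            return SW_BAD_INS
        key = self.key_source.next_key()
        if key is None:
            return SW_NO_KEY                    # "conditions of use not satisfied"
        data = apdu[5:5 + apdu[4]]              # terminal data from the command body
        # Truncated HMAC-SHA256 stands in for the EMV cryptogram (really a DES/AES MAC).
        return hmac.new(key, data, hashlib.sha256).digest()[:8] + SW_OK

class HceRouter:
    """Stand-in for the OS: routes SELECT-by-AID to the registered app, then forwards later APDUs only to it."""
    def __init__(self, apps):
        self.apps, self.selected = apps, None
    def transceive(self, apdu):
        if apdu[1] == 0xA4 and apdu[2] == 0x04:  # SELECT by AID
            self.selected = self.apps.get(apdu[5:5 + apdu[4]])
            return SW_OK if self.selected else SW_NOT_FOUND
        return self.selected.process_command_apdu(apdu) if self.selected else SW_NOT_FOUND

def select_apdu(aid):
    return b"\x00\xa4\x04\x00" + bytes([len(aid)]) + aid + b"\x00"

def generate_ac_apdu(terminal_data):
    return b"\x80\xae\x80\x00" + bytes([len(terminal_data)]) + terminal_data + b"\x00"
```

With the local key store the same terminal data always yields the same cryptogram from one long-lived key on the handset; with issuer-provisioned keys each transaction consumes a key and the app has nothing to sign with once they run out.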

Myth 5: HCE enables any NFC-based service
HCE does not support low-level protocols such as Mifare. Hence, HCE does not support transit applications (which could be critical for mass adoption in some countries). That leaves room - with an open door - for a competitor...

In summary, HCE is a tool that allows several use cases to be implemented on the basis of open access to the NFC controller. Some adventurous parties may even implement payment applications based on HCE.

However, (a) HCE does NOT replace secure element as HCE does not ensure secure storage of secret keys, (b) HCE is not EMV-compliant (yet), and (c) HCE is not suited for such use cases as transit and "card present" e-commerce.


Comments: (4)

Martin Cox - Rambus - Rotterdam, 25 November, 2013, 14:59

Alexander, I have an alternative Exec summary: Bravo!! Google for adding some momentum to the NFC market. (no asterisks required).

And some thoughts on your "myths":

Myth 1: HCE replaces secure element

HCE enables the NFC controller to communicate with an app that isn’t in the SE. It therefore enables solutions to be developed that do not require an SE. Where sensitive data is stored is not the responsibility of Google or HCE, it’s the responsibility of the architect of the system using HCE. This could be in a server in the issuer’s environment or perhaps in TEE on the device. For issuers who prefer to use the SE, a cloud/SE hybrid brings the benefits of both into a single solution (and doesn’t require HCE).

Myth 2: HCE is interface-agnostic

True. (Is this really a myth?) Aren’t NFC, EMV cloud based solutions enough excitement for now?

Myth 3: Card networks support HCE

Indeed the card networks have said very little publicly about HCE other than the “enthusiastic general statements” that you mention. I guess their issuers and those under NDA may have better insight into their plans.

Myth 4: HCE is EMV-compliant/compatible

“The cryptogram requires keys which need to be stored securely” True. “The keys are currently stored in the SE” True. “Google doesn’t care where you store keys” True but the issuer does (and so do the schemes). That’s why they’re stored in the issuers own environment and not on the device in the Bell ID SE in the cloud solution.

Myth 5: HCE enables any NFC-based service

Is Myth five “there will be no competitors but I’ve found a market where there might be one?” Interesting. Aren’t NFC, EMV cloud based solutions enough excitement for now?

In your summary, your five myths have become three. I won’t repeat why I disagree with all three.

My summary would be that HCE is an exciting development that creates additional options for issuers. That doesn’t necessarily mean that there will be a stampede to implement HCE-based solutions but it will have an impact on the market and change the dynamics. Ultimately the cloud/SE hybrid may be preferred by some, (including the MNOs since the requirements are much more manageable) whilst others will continue with the fully loaded SE model. The key development here is choice and I think that’s a good thing.

If anyone would like more information on the implementation of a secure, EMV compliant SE in the cloud or cloud/SE hybrid solution, I would recommend that they visit the Bell ID website, download the whitepaper and contact one of the Bell ID team. Under NDA, all of the above points can be addressed in much more detail than is possible here.

A Finextra member, 25 November, 2013, 15:19

Martin,

Thank you for taking time to confirm the validity of my statements - Bell ID's opinion, as one of the disruptive players in the field, is of value.

You are doing a great job as Global Head of Sales. (I wonder why Finextra doesn't allow self-promotion within the blog posts, but is OK with self-promotion in the comments... ;) 

I agree that there are several SE-related solutions out there - that's why I was rather agnostic in my blog post and not insisting that, for example, a $2 embedded SE is the best way forward.

TEE is still a dark horse... As is Bell ID's "Cloud SE" - I have been keen to learn more about it since June - http://www.finextra.com/News/FullStory.aspx?newsitemid=24888 - to see if we can use it for MultiPass...

Martin Cox - Rambus - Rotterdam, 25 November, 2013, 16:51

Thanks Alexander, I just like to redress the balance occasionally when I see some reluctance to embrace an exciting new technology.

However, I don't want to appear totally focused on being disruptive. Bell ID also supports the standard SE model with our TSM solutions, so we don't aim to dictate the market, just react to our clients' requirements.

HCE enables the full range of options from pure cloud, through cloud/TEE, cloud hybrids with SIM SE or eSE and of course full SE.

I think in the end the market will decide where each application (in the wider sense of the word) sits. Low value at the cloudier end and high value at the full SE end. Perhaps 'low value' contactless payments will be in the hybrid middle ground for many but there will be others who will want full SE or full cloud.

As I mentioned earlier, the exciting thing that HCE brings to market is choice.

Martin Cox - Rambus - Rotterdam, 19 February, 2014, 14:25

http://www.finextra.com/news/fullstory.aspx?newsitemid=25743

This post is from a series of posts in the group: Innovation in Financial Services