Hardly a day goes by without someone getting excited about Google's Host Card Emulation (HCE). The media is selling it as the "Open Sesame" for mobile payments. Is that true?
Executive summary: IMHO, b***cks! HCE is a good tool for specific use cases, but it's not - by far - the Holy Grail. Here's why.
To understand what HCE is all about, let's take it straight from the Google horse's mouth:
- The HCE architecture itself provides one core piece of security: only the OS can communicate with the app. This ensures that any data received is actually received by the OS from the NFC controller.
- The core remaining (!) piece is where you get the data from that you're sending back to the NFC reader. This is intentionally decoupled in the HCE design: it does not care (!!) where the data comes from, it just makes sure that it is safely transported to the NFC controller and out to the NFC reader.
Myth 1: HCE replaces secure element
That was the main selling point that caused all the excitement. A secure element is about secure (i.e. extremely hard to break or clone) storage of sensitive data or values, e.g. payment credentials AND cryptographic keys.
HCE has got NOTHING to do with secure storage. All HCE does is attempt to ensure that the NFC controller on the phone talks - via the OS - only to your app. HCE "does not care" where your app stores sensitive data... Ditto.
Myth 2: HCE is interface-agnostic
There have been many claims made that HCE is not just about NFC, and can be extended to any other interface, for example Bluetooth. As Google clearly spelled out, HCE is about the "OS-NFC" interface at this stage, nothing else.
That also means that HCE is not suited for "card present" e-commerce. Ditto.
Myth 3: Card networks support HCE
Yes, Visa and MasterCard are "looking at" HCE, but they do not - yet (if ever) - accept or approve it as the solution for making "card present" (let alone EMV-compliant) payments. Visa and MasterCard made some enthusiastic general statements about HCE. Yet, at the recent Cartes conference MasterCard clearly stated that all their current plans in respect of mobile payments are SE-based.
Which brings us to another point.
Myth 4: HCE is EMV-compliant/compatible
No, it is not. Again, HCE is about the "OS-NFC" channel. EMV is about a specific data flow that, most importantly, includes a cryptogram. That cryptogram requires secret keys. Which need to be stored securely. The keys are currently stored in... the secure element. Google "does not care" where you store those keys on the phone...
EMV could amend the specifications to accommodate an HCE-based solution, but that would take YEARS...
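To make the point of Myths 1 and 4 concrete, here is an added example (not from the original post and not EMV's actual algorithm) of a cryptogram-style check in which the issuer's decision rests entirely on who holds the key. Assumptions: HMAC-SHA256 stands in for the EMV MAC, and the names `session_key`, `cryptogram`, `Issuer` and `demo` are hypothetical.

```python
import hashlib
import hmac
import os
import struct

def session_key(card_key: bytes, atc: int) -> bytes:
    # Per-transaction key derived from the card key and the 2-byte transaction counter (ATC).
    return hmac.new(card_key, b"SK" + struct.pack(">H", atc), hashlib.sha256).digest()

def cryptogram(card_key: bytes, atc: int, amount_cents: int, unpredictable: bytes) -> bytes:
    # MAC over the transaction data, truncated to 8 bytes (simplified stand-in, see lead-in).
    msg = struct.pack(">HQ", atc, amount_cents) + unpredictable
    return hmac.new(session_key(card_key, atc), msg, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_key: bytes):
        self._key = card_key
        self._last_atc = 0

    def authorize(self, atc: int, amount_cents: int, unpredictable: bytes, presented: bytes) -> bool:
        if atc <= self._last_atc:
            return False  # stale or replayed counter
        expected = cryptogram(self._key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, presented):
            return False  # data was altered or the key is wrong
        self._last_atc = atc
        return True

def demo() -> dict:
    key = os.urandom(32)   # constructed sample key
    issuer = Issuer(key)
    un = os.urandom(4)     # terminal's unpredictable number (constructed)
    ac = cryptogram(key, 1, 1999, un)
    results = {
        "tampered_amount": issuer.authorize(1, 999999, un, ac),
        "genuine": issuer.authorize(1, 1999, un, ac),
        "replay": issuer.authorize(1, 1999, un, ac),
    }
    # Any second holder of the same key bytes is indistinguishable to the issuer,
    # which is why where the key is stored matters and HCE alone does not settle it.
    copy_of_key = bytes(key)
    un2 = os.urandom(4)
    results["copied_key"] = issuer.authorize(2, 500, un2, cryptogram(copy_of_key, 2, 500, un2))
    return results

if __name__ == "__main__":
    print(demo())
```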
Myth 5: HCE enables any NFC-based service
HCE does not support low-level protocols such as Mifare. Hence, HCE does not support transit applications (which could be critical for mass adoption in some countries). That leaves room - with an open door - for a competitor...
In summary, HCE is a tool that allows implementing several use cases based on open access to the NFC controller. Some adventurous parties may even implement payment applications based on HCE.
However, (a) HCE does NOT replace secure element as HCE does not ensure secure storage of secret keys, (b) HCE is not EMV-compliant (yet), and (c) HCE is not suited for such use cases as transit and "card present" e-commerce.