26 May 2018

Martin Cox - Rambus

HCE mobile payments - how secure is secure enough?

20 August 2014

Since Google announced support for host card emulation (HCE) in Android KitKat 4.4 last year, the industry has been divided. Many recognize the value and opportunity that it brings to banks and other service providers for the deployment of mobile services such as payments, transit and loyalty. Others have raised security concerns which, they maintain, limit the technology's potential.

The balance of risk & reward

While some may consider HCE-based systems less secure because no physical secure element (SE) is involved, a risk assessment should weigh risk against reward. In the HCE/cloud SE model, 'tokens' (short-lived payment credentials) are downloaded to the device and used to complete transactions at the point of sale (POS), rather than the long-lived card keys being stored in a secure element on the device. A breach of the device exposes only the tokens it held at that moment, not the underlying account. It is therefore questionable whether the risk/reward ratio makes this an attractive target for fraudsters.

Service providers also need to balance risk and reward, and with the value of an individual token being so low they are questioning whether the highest level of security is required. Many are satisfied that the rewards offered by the HCE/cloud SE model, such as a simplified ecosystem, lower cost and independence from SE owners, outweigh the relatively limited risk.

Layered security options for HCE

Security is nevertheless important, and to mitigate the risk created by the absence of hardware security there are a number of ways in which additional security layers can be added to HCE-based mobile payments. These include white-box cryptography, obfuscation of key data, use of a trusted execution environment such as ARM TrustZone, and further securing the communication channel between the device and the server with (layered) encryption, mutual authentication and the use of dual channels.
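The token model described under 'The balance of risk & reward' and the mutual authentication listed above can be made concrete. The following is an added example, not code from the original post and not any card scheme's actual specification: a hypothetical issuer-side service (TokenService) derives single-use token keys from an account master key that never leaves the server, and a hypothetical handset wallet (Wallet) fetches a small batch of them over a mutually authenticated exchange and spends one per tap. The PAN, device id and transactions are constructed for the demo; the demo then shows what an attacker who lifts one token from the handset can and cannot do.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class TokenService:
    """Issuer-side 'cloud SE' (hypothetical). Holds each account's master key
    and derives single-use token keys from it; the master key never leaves."""

    def __init__(self):
        self.accounts = {}  # pan -> master key
        self.devices = {}   # device_id -> (pan, device auth key)
        self.tokens = {}    # token_id -> (pan, already_used)

    def enrol(self, pan: str, device_id: str) -> bytes:
        """Register a handset; returns its auth key (delivered at app activation)."""
        self.accounts.setdefault(pan, secrets.token_bytes(32))
        dev_key = secrets.token_bytes(32)
        self.devices[device_id] = (pan, dev_key)
        return dev_key

    def _token_key(self, pan: str, token_id: bytes) -> bytes:
        # One-way derivation: a leaked token key reveals nothing about the
        # master key or about any sibling token's key.
        return _mac(self.accounts[pan], b"token-key", token_id)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def provision(self, device_id, server_nonce, device_nonce, device_proof, count):
        """Verify the device's proof, then release `count` single-use tokens
        together with the server's own proof (the mutual-authentication half)."""
        pan, dev_key = self.devices[device_id]
        expected = _mac(dev_key, b"device", server_nonce, device_nonce)
        if not hmac.compare_digest(expected, device_proof):
            raise PermissionError("device authentication failed")
        server_proof = _mac(dev_key, b"server", device_nonce, server_nonce)
        batch = []
        for _ in range(count):
            tid = secrets.token_bytes(8)
            self.tokens[tid] = (pan, False)
            batch.append((tid, self._token_key(pan, tid)))
        return server_proof, batch

    def authorise(self, token_id, amount, terminal_nonce, cryptogram) -> str:
        """Authorise a POS transaction: check the cryptogram, then burn the token."""
        if token_id not in self.tokens:
            return "DECLINED: unknown token"
        pan, used = self.tokens[token_id]
        if used:
            return "DECLINED: token already used"
        expected = _mac(self._token_key(pan, token_id), b"txn",
                        amount.to_bytes(4, "big"), terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        self.tokens[token_id] = (pan, True)
        return "APPROVED"


class Wallet:
    """HCE app on the handset (hypothetical): holds only its device auth key
    and a small stock of single-use tokens, never the account master key."""

    def __init__(self, device_id: str, dev_key: bytes):
        self.device_id, self.dev_key, self.tokens = device_id, dev_key, []

    def replenish(self, svc: TokenService, count: int) -> None:
        server_nonce, device_nonce = svc.challenge(), secrets.token_bytes(16)
        proof = _mac(self.dev_key, b"device", server_nonce, device_nonce)
        server_proof, batch = svc.provision(self.device_id, server_nonce,
                                            device_nonce, proof, count)
        # Authenticate the server before trusting anything it sent.
        if not hmac.compare_digest(
                server_proof, _mac(self.dev_key, b"server", device_nonce, server_nonce)):
            raise PermissionError("server authentication failed")
        self.tokens.extend(batch)

    def pay(self, amount: int, terminal_nonce: bytes):
        """Tap at the POS: spend the oldest token and drop it from the device."""
        tid, key = self.tokens.pop(0)
        return tid, _mac(key, b"txn", amount.to_bytes(4, "big"), terminal_nonce)


def demo() -> dict:
    """Constructed scenario: malware lifts one token from the handset."""
    svc = TokenService()
    wallet = Wallet("handset-01", svc.enrol("4111111111111111", "handset-01"))
    wallet.replenish(svc, 3)
    stolen_id, stolen_key = wallet.tokens[1]  # attacker's copy of the 2nd token
    other_id = wallet.tokens[2][0]            # token ids are not secret
    r = {}
    n = secrets.token_bytes(8)
    tid, c = wallet.pay(2500, n)
    r["genuine_tap"] = svc.authorise(tid, 2500, n, c)
    n = secrets.token_bytes(8)
    c = _mac(stolen_key, b"txn", (999).to_bytes(4, "big"), n)
    r["stolen_token_first_use"] = svc.authorise(stolen_id, 999, n, c)  # loss bounded to one token
    r["stolen_token_replay"] = svc.authorise(stolen_id, 999, n, c)
    r["stolen_key_on_other_token"] = svc.authorise(other_id, 999, n, c)
    n = secrets.token_bytes(8)
    tid, c = wallet.pay(1200, n)  # the wallet's own copy of the burnt 2nd token
    r["owner_reuses_burnt_token"] = svc.authorise(tid, 1200, n, c)  # issuer sees the conflict
    tid, c = wallet.pay(1200, n)
    r["owner_next_token"] = svc.authorise(tid, 1200, n, c)
    return r


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:28s} {result}")
```

The point of the demo is the bound on loss: the stolen token buys exactly one fraudulent transaction, its replay is declined, the stolen key is useless against any other token, and the account master key is never on the handset at all. The declined reuse by the legitimate wallet is also a signal the issuer can act on (re-provision the device, or step up verification). Real cloud-payment schemes add further controls such as limited lifetimes, transaction counters and risk scoring; this example deliberately keeps only the core mechanism.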

Overall, the benefits that HCE can bring, such as a simpler business model, greater processing power and speed, greater storage capacity and more control over projects, are many and wide-ranging. Some observers may consider that the loudest security concerns have come from those with the biggest vested interest in keeping the SIM as an essential component. Many of these parties followed the Google announcement last October by asserting that the card schemes would never support such solutions. That fear proved groundless when Visa and MasterCard announced in February their plans to support cloud-based payments.

Security versus usability

Security is of course important, but it should be balanced and proportionate. Adding multiple layers of defence may limit functionality and/or usability, which in turn limits consumer uptake. For example, requiring an additional Cardholder Verification Method (CVM) such as a PIN for every contactless transaction could be appropriate for high-value payments but becomes a usability nightmare if applied indiscriminately. Requiring a user to enter a PIN to unlock the phone, another PIN or passcode to open the banking or payment app, and yet another to enable the transaction is probably several steps too far. For a high-value transaction a further PIN is in any case likely to be required, taking the experience far from the 'tap and go' the user expects. Stacked like this, it is a tiresome and unattractive proposition.

Issuers should therefore find a balance between security, acceptable risk and user friendliness that meets their needs without alienating their customers.

Many banks have concluded that the opportunity that HCE brings outweighs the risks that it presents despite the vocal efforts of detractors. This debate is certainly one to watch over the coming months as we see more service providers make their moves. 
