New features in smartphone operating systems coupled with announcements from card brands and EMVCo have breathed new life into mobile payment using NFC at the Point of Sale - the idea that a phone has to have an EMV-like payment application installed in a Secure Element to support mobile payment has been overtaken. The new direction the mobile payments proposition is taking is being defined by HCE and Tokenization.

At Aconite we believe that existing card issuers need a simple way to enable their customers to use mobiles to pay at POS terminals. The good news is that HCE will ease the process, while Tokenization will make mobile payments even more secure than standard EMV cards. And to the POS the payment will still look like a regular EMV contactless transaction, preserving the technical and commercial infrastructure of existing card payments.

HCE allows an app installed in the phone - in regular phone memory like any other - to talk to the NFC hardware, when previously this was restricted to apps in the Secure Element, which are difficult to download and manage. Now it will be easy for a customer to download and install a payment app from their card issuer. But regular phone memory is not secure, so neither the secret keys used to protect EMV transactions nor the PIN or passcode can be stored there. This is where 'H' for Host comes in - all the information that needs to be stored securely is held in a server in the cloud, which the phone can access over the internet.

Likewise the PAN (or Card Number) should not be stored in non-secure phone memory, so the issuer or a service provider can tokenize it, that is, give it an alias. And a token used in place of the real PAN can have other properties too. Its use can be restricted to a specific merchant or group of merchants, or it can be limited to use between specified dates, to a set number of transactions or to a maximum spend amount. So if token data is stolen, its use to a fraudster is virtually zero.

The issuer will be able to push tokens to the customer's phone or the customer may request a token from a Token Server, operated by the issuer or by a service provider. Meanwhile, behind the scenes, issuers can apply risk management processes that will control the availability and usage of the tokens that a customer can receive.

Enhancements to existing Aconite products enable the features needed for issuers to operate an HCE and token-enabled service, including real-time data preparation, distributed EMV transaction processing, remote CVM management and mapping risk scores to card/token profiles. Issuers that are weighing an entry into the mobile payment world can start planning their programs now based on the use of Aconite products, secure in the knowledge that forthcoming releases will continue to lead the field with innovative support for these and other new industry initiatives.