Marco Polissi, head of product development financial institutions, SIA, explains why there is so much industry interest in HCE and why a SIM-based technology is preferable.
Sr. Polissi is correct in saying that a Secure Element solution is more secure than HCE (but not exclusively SIM-based, as he also says), but he ignores the technical and commerical complexity of making such a solution into a viable proposition, capable
of mass rollout and interoperable across brands, networks, mobile networks and TSMs.
With HCE the compexity for issuers and consumers is vastly reduced and risk mitigation techniques, such as short-lived keys, will counter the increased exposure of having credentials in phone memory.
SE may have a place in areas such as secure ID, but the market is voting with its feet – those with vested interests in SE/TSM technology will naturally attempt to protect their intellectual and financial investments.
Sr. Polissi should also see first hand what a cumbersome and technical nightmare (and costly) it is to work with TSM providers, provisioning and personalisation of the app and SE, support, device NFC challenges etc. MNO's wanting to charge/rent SIM space
etc all adds to the management complexity and hence low entry interest.
Google have made HCE a proven concept and have made it available to all. It's now up to others to capitalise on this and identify their own opportunities from this. There are ways to limit risks form one-time/low TTL tokens to porting high value transactions
through the SE for further validation/authentication (so long as the MNO's get on board).
HCE is here to stay and further Android flavours of this are sure to arrive. Other platform adoption of the same approach is also just round the corner (eyes on the usual Apple October/fall announcements..)
Marginal Cost and Marginal Benefit...
I don't believe the relevant question is whether SE based NFC is more secure than HCE based NFC solutions. I'll concede that point.
The more relevant question is whether the incremental security benefit of a SE based solution is worth the incremental cost. Issuers and retailers have yet to embrace SE based solutions in the market at scale, so this feel like a very esoteric discussion.
Said differently, SE based NFC solutions are the ultimate in security... there aren't any transactions so there isn't any fraud ;-)
© Finextra Research 2018