Since Google announced support for host card emulation (HCE) in Android KitKat 4.4 last year, the industry has been divided. Many recognize the value and opportunity that this brings to banks and other service providers for the deployment of mobile services such as payments, transit and loyalty. Others have raised security concerns that they maintain limit the technology’s potential.

The balance of risk & reward

While some may consider HCE based systems less secure as there is no physical secure element (SE) involved, a risk assessment should take into account the risk and reward. In the HCE/cloud SE model, ‘tokens’ are downloaded to the device and used to complete transactions at the point of sale (POS) rather than storing the payment application on the device. Any breach of security would expose the token that was compromised but not the account itself. It is therefore questionable whether the risk - reward ratio would make this an attractive target for fraudsters.

Service providers also need to balance risk and reward and with the value of the token being so low they are questioning whether the highest level of security is required. Many are happy that the rewards offered by the HCE/cloud SE model, such as simplified ecosystem, lower cost and independence, outweigh the relatively limited risk.

Layered security options for HCE

Security is however important and to mitigate the risk caused by the absence of hardware security there are a number of ways in which additional security layers can be added to HCE-based mobile payments. These include white box cryptography, obfuscation of key data, use of a TrustZone and further securing the communication channels between the device and the server such as (layered) encryption, mutual authentication and use of dual channels.   

Overall, the benefits that HCE can bring – such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects – are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never support such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.

Security versus usability

Security is of course important but it should be balanced and proportionate. Adding multiple layers of defence may limit functionality and/or usability, which will in turn limit consumer uptake.  For example, requiring an additional Cardholder Verification Method (CVM) such as a PIN for each contactless payment transaction could be appropriate for high value transactions but may become a usability nightmare if implemented indiscriminately. Requiring a user to enter a PIN to unlock the phone, another PIN or Passcode to open their Banking/Payment App, and yet another to enable the transaction is probably several steps too far. For high value transactions a further PIN is likely to be required and making it far from the ‘tap and go’ experience the user may expect. This is likely to be a tiresome and unattractive proposition.

Issuers should therefore find a balance between security, acceptable risk and user friendliness that meets their needs without alienating their customers.

Many banks have concluded that the opportunity that HCE brings outweighs the risks that it presents despite the vocal efforts of detractors. This debate is certainly one to watch over the coming months as we see more service providers make their moves.