Host Card Emulation, which enables Near Field Communication payments without accessing a smartphone's secure element, has major supporters like Google, Visa and MasterCard. But some are expressing concern over the technology's approach to security.
Isis, the mobile wallet venture of AT&T, Verizon Wireless and T-Mobile, plans to use HCE only for less sensitive accounts, such as loyalty cards. For payment card data, Isis plans to keep using the secure element. And the SIMalliance, a SIM card manufacturer association, published a paper last week calling HCE "vulnerable to malicious attack" in its current state.
The report makes good points about being cautious with new technology, but it comes from an organization that strongly supports the SIM cards that house the secure element, says Pradeep Moudgal, director of emerging technologies advisory services for Boston-based Mercator Advisory Group.
"As new technologies are evolving, they will go through the process of certification and it is known that there is no technology that is foolproof," Moudgal says. "Even with EMV, no one says that it is 100% guaranteed."
More U.S. merchants and issuers are studying EMV-chip cards as a way to protect card data in the wake of Target's holiday-season data breach, but EMV cards primarily protect the physical card. In countries where EMV cards are commonplace, fraud has migrated online or to other regions.
But the SIMalliance is correct to note the proven benefit of using a phone's secure element to protect data, Moudgal says.
"The secure element has been certified by the card brands as the most secure technology. That's why it is known as a secure element," Moudgal adds.
However, Visa and MasterCard are also outspoken supporters of HCE as an alternative to relying on the secure element. Both card brands declared in February they would provide requirements and guidelines for deployment, and Visa is actively testing it with some issuers.
"Ensuring payment security is one of Visa's highest priorities and security in cloud-based payments is no exception," Visa states in an e-mail.
Visa will deploy several layers of security to protect payment accounts on the network, application and hardware levels. One-time use data, real-time transaction analysis, payment tokens and device fingerprinting technology contribute to a multi-layered defense against unauthorized account access in the cloud, Visa says.
MasterCard has not publicly established its HCE standards, but is on track to do so soon. MasterCard is also on target with its testing schedule, looking to add more financial institutions using HCE this year after successful tests with Capital One in the U.S. and Banco Sabadell in Europe, says MasterCard spokesman Brian Gendron.
"The pilots have helped inform MasterCard's direction, and the learnings will pave the way for additional deployments around the world," Gendron says.
SIMalliance acknowledges HCE "will bring new creative players into the NFC ecosystem" that will trigger many new use cases, according to its paper. But the association suggests that HCE is "best suited to use cases where the user's stored credentials are of low value and where the emulated NFC application is not based on direct implementation of a current, pre-existing card application."
The SIMalliance maintains that a secure element is necessary for mobile transactions, and it must be capable of hosting applications in a "black box" manner. The secure component should not contain software that can be "easily removed, decompiled or otherwise interrogated to reveal the location of stored confidential data," the paper says.
One reason many mobile wallet providers are looking at alternatives to the secure element is that mobile network operators control access to it and charge a lot of money to companies wanting to use it, Moudgal says.
Even deep-pocketed mobile wallet developers like Google ran into resistance over use of the secure element. Verizon Wireless blocked an earlier version of Google Wallet, citing security concerns, and Google Wallet only came to Verizon handsets after Google added support for HCE in an update to its Android mobile operating system.
Visa and MasterCard's efforts to establish rules for using HCE resemble their efforts years ago to encourage the use of contactless cards, says Doug Yeager, CEO of SimplyTapp. Yeager wrote code that enabled HCE to run on earlier, modified versions of the Android operating system.
"They gave you rule books for how to use the contactless cards," he says. "They do the same here in saying HCE is a new technology that is safe to use and this is how you would use it on our network."
Ultimately, it is up to the issuer to decide whether to deploy HCE, use a secure element or do both, Yeager says.
"If they believe HCE compromises their security model in any way, they are more than welcome to use the secure element model. It's not prohibited, obviously," Yeager says. "If they are satisfied and happy with the rules and requirements of the card associations, then they can just as well use the new HCE guidelines."
The SIMalliance report confirms that HCE should be considered a "slow-adopting" technology and that "not everyone on the planet is going to be testing it and using it," Yeager says. There is time to refine HCE and make changes to its security, he says. But at the moment, "banks seem pretty gung-ho on HCE, and we are not seeing any security concerns holding anyone back from it," he says.