Despite being widely encouraged to do so, most banks have not rushed to build their own mobile wallets to maintain their brand identities while complementing the capabilities of existing payment apps.
Cardtek wants to get those banks off the fence by supplying its HCEXpert technology to banks via MasterCard's payment processing unit. The partnership builds on work the technology company and card network have done to build bank-powered mobile wallet technology in Europe.The key is host card emulation (HCE), a a contactless payment technology that can be used without the permission of carriers and has the support of both MasterCard and Visa.
HCE enables a deployment of contactless mobile payments technology that’s based more on software delivery than hardware upgrades, said Erdal Yazmaci, a general manager at Cardtek. The hardware-based approach, which requires access to a device's secure element, was used by Apple Pay and defunct apps like the original Google Wallet and Softcard.
"HCE allows direct connection to the cloud by MasterCard as a service provider, and it eliminates the SIM cards," Yazmaci said. "It's an easier implementation by far."
Cardtek is working with MasterCard Payment Transaction Services, formerly known as Trevica S.A., a payments processing company wholly owned by the card network. The Cardtek deployment also fits with MasterCard's strategy to provide tools to enable issuers to develop their own mobile payment technologies.
HCE is expected to greatly expand the options to build mobile payment systems. But HCE bank wallet deployments have been limited, with the most prominent examples being RBC in Canada, Capital One in the U.S. and a few early adopters in Spain.
Cardtek did not name the banks deploying HCE through its MasterCard integration, saying only that it is working with one bank in Poland and two in Turkey.
Cardtek's technology is also integrated with MasterCard's Digital Enablement Services, which is designed to provide extra security. This is to address some banks' concerns about the security of using HCE, Yazmaci said.
"Issuers are very much interested in HCE but there are still questions about security because it's a cloud-based technology," Yazmaci said. "There is a mobile app in the phone…and providing security for sensitive data in the transaction is crucial."
By integrating Cardtek's HCE technology with MasterCard's Digital Enablement Services, Cardtek hopes to add security through the use of tokenization, which creates dummy identifiers that stand in for real account numbers. MasterCard recently expanded its digital enablement services to support tokenization for more types of payments.
"You can get a good sense of the concerns that banks have about HCE by examining what the Clearing House has been proposing, which includes more dynamic payment credentials," said Al Pascual, director of fraud and security for Javelin Strategy & Research.
Mobile payment apps are still in their infancy and banks don't want to face another incident similar to Apple's early issues with security, wherein fraudsters tricked banks into enabling Apple Pay for stolen card accounts.
"There are lingering concerns that with HCE without any access to hardware-based containers, there is still a need for more substantial security to mitigate the risk of compromise incident with mobile payments," Pascual said.