Host Card Emulation and the Future of Contactless Payments
The name of the game with cashless mobile payments is finding a way to securely transfer sensitive account holder data from the consumer, to the merchant POS terminal, and finally to the financial institution for final payment authorization. For decades this was done by concealing data on magnetic stripes on the backs of credit or debit cards. Next came EMV chip-enabled cards. Recent attempts to establish touchless payment solutions have given rise to storing cardholder data in tamper-resistant Secure Elements (also known as an SE) inside of mobile devices. The SE provides the primary account number (PAN) and other necessary payment credentials to the merchant's POS terminal using near field communication (NFC) technology. The SE model, however, has not seen widespread adoption because of dissatisfaction and concern about its adaptability. This has led to a new technology known as Host Card Emulation (HCE). HCE stores payment credentials in secure cloud environments and eliminates the need for the SE. HCE is gaining traction in the payments landscape and is positioned to become the dominant form of NFC payment in the future.
HCE is attractive to the payment industry because using cloud technology to access payment credentials removes the SE from the equation. The sustainability and cost-effectiveness of using SE payments have long been sticking points within the payments industry. SE payment models require a significant amount of cooperation and collaboration between phone manufacturers, service providers, merchants, and financial institutions. In some situations, it requires banks to pay for SE space or hand over control to a third-party Trusted Service Manager.
HCE attempts to remedy this by taking a different approach. Rather than keeping PANs and other account credentials on the SE, the information is instead stored in a secure cloud environment. The cloud server then provides the PAN to the mobile device as needed, encrypting it to protect the information held in the mobile wallet application. The phone is then free to make touchless payments at NFC-enabled POS terminals.
Opponents of this model cite security issues as a primary concern. The HCE cloud service, which requires an always-online and connected state, represents a large and attractive target for attackers and some doubt that a cloud-based payments ecosystem can be as safe as a secure element inside a mobile device. The truth is that the same level of security can be achieved if the cloud service is powered by the same financial industry-compliant hardware security modules (HSMs) and encryption processes found in traditional payment ecosystems.
A prime example of this is the VirtuCrypt Hardened Enterprise Security Cloud. VirtuCrypt uses a cloud-based service model to offer clients remote access and flexibility while powering its services with real-world HSMs from Futurex. This cloud model offers the best of both worlds by offering clients cloud-level accessibility combined with the security of enterprise-grade hardware security modules.
Futurex’s primary product line of transaction processing HSMs, the Excrypt Series, is compliant with FIPS 140-2 Level 3 and PCI HSM requirements, which are the same standards required for traditional card-based payments. These tamper-resistant devices represent the first layer of security for HCE payment processing.
The second layer is encryption. The processing HSM encrypts the PAN so that it is obscured while in transit, protecting it from man-in-the-middle attacks. Encryption can also be used to authenticate the mobile device by assigning a private key to each user. Other safeguards such as tokenization, key management, PIN entry, and biometric identity verification can also be implemented to strengthen the overall security of the process.
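Two of the safeguards named above, tokenization of the PAN and keyed authentication of the mobile device, are easy to show in a small server-side model. The following is an added example written for this article; it is not Futurex or VirtuCrypt code and does not represent their products. It assumes a per-device HMAC-SHA256 secret as a stand-in for the per-user private keys mentioned in the text, plain in-memory dictionaries as a stand-in for an HSM-backed vault, and a constructed test PAN; the encrypted delivery of the PAN itself (a TLS and HSM job in production) is not shown.

```python
"""Toy HCE credential service: tokenize a PAN and only release the token to a
device that proves possession of its enrolment key (added example, stdlib only)."""
import hashlib
import hmac
import secrets
import time


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum; a full card number is valid when this is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


class TokenVault:
    """Server-side tokenization store (stands in for an HSM-backed vault).
    Merchants and the phone only ever see the token; the PAN stays here."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("PAN must be 16 Luhn-valid digits")
        while True:
            # 11 random digits, one free digit at index 11 to satisfy Luhn, and the
            # real last four so receipts can still print '**** 1111'. Real token
            # service providers additionally issue from dedicated token BIN ranges.
            body = [secrets.choice("0123456789") for _ in range(11)] + ["0"] + list(pan[-4:])
            body[11] = str((10 - luhn_sum("".join(body)) % 10) % 10)  # not a doubled position
            token = "".join(body)
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


class CredentialService:
    """Provisioning endpoint: a token is released only to an enrolled device whose
    request carries a valid, fresh, never-before-seen MAC under that device's key."""

    def __init__(self, vault: TokenVault, max_skew: int = 60):
        self.vault = vault
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self._device_keys = {}            # device_id -> secret issued at enrolment
        self._accounts = {}               # account reference -> PAN (constructed data)
        self._seen_nonces = set()         # replay protection

    def register_account(self, account_ref: str, pan: str) -> None:
        self._accounts[account_ref] = pan

    def enrol_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)     # delivered to the wallet app once, at enrolment
        self._device_keys[device_id] = key
        return key

    @staticmethod
    def sign_request(key: bytes, device_id: str, account_ref: str, ts: int, nonce: str) -> str:
        msg = f"{device_id}|{account_ref}|{ts}|{nonce}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def provision(self, device_id, account_ref, ts, nonce, mac, now=None):
        """Return a payment token, or None if the request fails any check."""
        now = int(time.time()) if now is None else now
        key = self._device_keys.get(device_id)
        if key is None:
            return None                                   # unknown device
        expected = self.sign_request(key, device_id, account_ref, ts, nonce)
        if not hmac.compare_digest(expected, mac):
            return None                                   # forged or wrong key
        if abs(now - ts) > self.max_skew or nonce in self._seen_nonces:
            return None                                   # stale or replayed request
        self._seen_nonces.add(nonce)
        return self.vault.tokenize(self._accounts[account_ref])


def demo() -> dict:
    """Walk through enrolment, a valid request, a replay and a forgery."""
    vault = TokenVault()
    svc = CredentialService(vault)
    pan = "4111111111111111"                              # constructed test PAN
    svc.register_account("acct-1", pan)
    key = svc.enrol_device("phone-A")
    ts, nonce = 1_700_000_000, secrets.token_hex(8)
    mac = CredentialService.sign_request(key, "phone-A", "acct-1", ts, nonce)
    token = svc.provision("phone-A", "acct-1", ts, nonce, mac, now=ts)
    replay = svc.provision("phone-A", "acct-1", ts, nonce, mac, now=ts)
    forged = svc.provision("phone-A", "acct-1", ts, "fresh-nonce", "00" * 32, now=ts)
    return {"pan": pan, "token": token, "replay": replay, "forged": forged,
            "resolved": vault.detokenize(token)}


if __name__ == "__main__":
    print(demo())
```

The token is format-preserving (16 Luhn-valid digits ending in the card's last four) so downstream receipt and routing code keeps working, while a leaked token is useless without the vault. The replay and forgery branches show why a per-device key alone is not enough: the server must also bind each request to a timestamp and a single-use nonce.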
While mobile devices and IoT technology have drastically changed many areas of life, touchless payments at POS terminals are in their relative infancy, especially in the United States. This is in part because consumers have not been presented with widely-compatible options. HCE is positioned to change this. When similar technologies go head-to-head, the one that is more open to development and consumer choice tends to win the day. The primary benefit of HCE is the cloud-based functionality that lends itself to flexible development with greater use case potential. By eliminating the obstacles present in the SE model, HCE is poised to become the more developer-friendly option.
Today, touchless payments are typically thought of in the realm of small, on-the-go purchases like coffee or convenience store stops. However, this will change as consumers become more comfortable with touchless payments and gain confidence in the security of the technology. In the future, restaurant waitstaff may be bringing NFC payment terminals to the table with your check, or you may be reaching for your phone at the car dealership to make a down payment. It’s important to have the right security and encryption technology underpinning your HCE infrastructure when that day comes. Contact a Futurex Solutions Architect today to find out how we can help you build a secure HCE infrastructure that’s ready for tomorrow’s landscape of touchless payments.