Everything you need to know about Host Card Emulation

February 20, 2014

This week Visa and MasterCard announced new specifications for NFC mobile payments using host card emulation (HCE). Until now mobile payment systems needed a special piece of hardware, normally in the SIM card, known as the secure element. It is used by the mobile payment system to perform certain authentication tasks. Because it was part of the SIM card these systems only worked with cooperation from the carriers. That’s why Google Wallet only works with a few carriers in the U.S., those that let Google’s app access the secure element. Other U.S. carriers including AT&T, T-Mobile and Verizon have a rival system called ISIS.

This reliance on the secure element isn’t just a problem in the U.S. In every market where banks want to enable NFC mobile payments there needs to be help from the carriers. This isn’t an ideal solution. One possible answer would be to include the necessary hardware in the actual mobile phones and so bypass the SIM card. However, all this does is move the need for cooperation from the carrier to the handset manufacturer or to the chipset maker.

Because NFC is a standard that works across multiple operating systems (for example Windows Phone supports NFC) and has compatible chipsets from a range of manufacturers, the best solution to bypassing the reliance on the carriers is to move the secure element into software. When Google released Android 4.4 KitKat it did exactly that. Android 4.4 supports Host Card Emulation, which allows any NFC-enabled handset to “talk” to contactless payment terminals and emulate a physical contactless card.

A contactless card?

Although the U.S. seems to be ahead of the rest of the world with regard to mobile payments, it has been languishing behind Europe when it comes to alternatives to the traditional swipe and sign system used for card payments. Europe, and other large parts of the world, use smart credit/debit cards with integrated chips. To use them to make a payment the consumer inserts their payment card into a little machine and enters their PIN number. There is no need for a signature, and part of the authorization for the payment is granted when the card tells the reader that the PIN number entered is correct. The PIN is actually stored on the card in its secure element. The branding of such systems is different around the world but the technology is essentially the same. In the UK and Ireland it is known as Chip and PIN; in Europe they are often referred to as EMV cards. EMV stands for Europay, MasterCard and Visa, the companies behind the technology. Besides Visa and MasterCard, Diners Club and American Express also support EMV.

Contactless cards and ultimately mobile payments are a natural development of the EMV system. Besides the need for carrier support, one of the reasons for a slower roll-out of mobile NFC payments in Europe is the ubiquity of EMV and contactless payment methods. However, in the U.S. consumers are jumping straight from swipe & sign to NFC-based mobile payments. Well, almost. EMV-type payments are also coming to the U.S. According to the Wall Street Journal, beginning in 2015 shoppers will be able to use PIN numbers rather than signatures and by October of the same year the switch over will be compulsory. The way MasterCard and Visa will make it compulsory is by moving the fraud liability from themselves to the store which processes a swipe & sign payment when the customer has a chip card.

“The U.S. is the last major market to still use the old-fashioned swipe-and-sign system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions,” wrote Tom Gara.

Since the push to catch up with Europe is coming from Visa and Mastercard, it isn’t a surprise that these two payment processing giants are also pushing NFC mobile payments via HCE.

Security

On EMV cards any sensitive information is stored in the secure element, a tamper proof chip that “talks” with the card reader. The secure element provides several functions including a cryptographic check to validate the card’s integrity and cardholder verification (i.e. checking the PIN). When a mobile payment is made using a SIM card with a secure element, the NFC reader communicates directly with the secure element and no Android application is involved in the transaction at all. After the transaction is complete, an Android application can query the secure element directly for the transaction status and notify the user. In other words the secure element acts like the smart chips in EMV cards.

When there is no secure element an Android app must provide the missing functionality and the NFC data is sent directly to the app. Android’s HCE implementation guarantees that any NFC data received by the processing app was actually received directly from the controller. There isn’t a way to spoof a payment app with data from another source.

The payment processing app itself can rely on the Android application sandbox to ensure that its data isn’t available to other apps on the device. However, performing all the functions of the secure element in software still poses certain security risks. To mitigate those risks Visa and MasterCard are implementing cloud-based secure elements. What this means is that some of the functions that the physical secure element provided will be performed on Visa’s or MasterCard’s servers, over the Internet.

The problem with this approach is that it means that the smartphone would need to be connected to the Internet at the moment a transaction is authorized. It would also mean that the cloud service would need to reply to the NFC card reader in the sales terminal in less than half a second. These two constraints aren’t practical. Therefore the companies will use payment tokens.

MasterCard's approach combines custom software on the mobile device with highly secure cloud-based processing.
Mastercard

These tokens are stored locally on the smartphone but they only authorize the payment app to make a limited number of payments for a limited amount of time, say one day. Once the token expires or reaches its authorized limits, new tokens need to be fetched. The management of these tokens will happen in the background and can happen whenever the user is online, as part of the normal sync process. This means that if somehow the payment process is completely compromised the retrieved information is only good for a limited amount of time and money. In other words a hacker can’t empty your bank account.
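The bounded-exposure argument above can be modelled in a few lines. This is an added illustration, not Visa's or MasterCard's token format or protocol: the field names, the HMAC binding of the limits, the default limits and the `Issuer` class are all assumptions made for the sketch.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-issuer-key"  # constructed value; stays on the issuer side


def _mac(token_id, expires_at, max_uses, max_total_cents):
    # Bind the limits to the token so the device cannot raise them
    msg = f"{token_id}|{expires_at}|{max_uses}|{max_total_cents}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(token_id, now, ttl_s=86400, max_uses=5, max_total_cents=10000):
    """Issuer side: mint a token the phone fetches and stores while online."""
    expires_at = now + ttl_s
    return {"id": token_id, "expires_at": expires_at, "max_uses": max_uses,
            "max_total_cents": max_total_cents,
            "mac": _mac(token_id, expires_at, max_uses, max_total_cents)}


class Issuer:
    """Issuer side: authorizes payments and tracks usage per token (hypothetical)."""

    def __init__(self):
        self.used = {}  # token id -> (number of uses, total cents approved)

    def authorize(self, token, amount_cents, now):
        expected = _mac(token["id"], token["expires_at"],
                        token["max_uses"], token["max_total_cents"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "reject: limits tampered"
        if now >= token["expires_at"]:
            return "reject: expired"
        uses, total = self.used.get(token["id"], (0, 0))
        if uses + 1 > token["max_uses"]:
            return "reject: use limit"
        if total + amount_cents > token["max_total_cents"]:
            return "reject: amount limit"
        self.used[token["id"]] = (uses + 1, total + amount_cents)
        return "approve"


def worst_case_loss(token, issuer, now, attempt_cents=4000, attempts=10):
    """Total the issuer approves if a fully compromised token is presented repeatedly."""
    return sum(attempt_cents for _ in range(attempts)
               if issuer.authorize(token, attempt_cents, now) == "approve")
```

Because the limits are enforced where the token is verified rather than on the phone, the loss from a compromised device is capped by the token's limits, not by the account balance.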

Visa will deploy several layers of security to protect payment accounts in the cloud, including at the Visa network, application and hardware levels. One-time use data, real-time transaction analysis, payment tokens and device fingerprinting technology make up a multi-layered defense against unauthorized account access.
Visa

One last thing: in case you are worried that someone will walk down a crowded street and secretly perform fraudulent transactions via a hidden NFC card reader, Android turns the NFC controller and the application processor off completely when the screen of the device is turned off. Scanning a phone with the screen off won’t work!

What are your thoughts? Will you use your Android smartphone for NFC mobile payments even without a physical secure element?

Comments

  • bungadudu

    This sort of article gives credit to the name – Android Authority

  • Bill B

    “That’s why Google Wallet only works on Sprint in the U.S., because Sprint lets Google’s app access the secure element. Other U.S. carriers including AT&T, T-Mobile and Verizon have a rival system called ISIS.”

    FYI – Google Wallet did an update and works just fine on AT&T for me. I’m using a Nexus 5.

  • Mayoo

    Additional info: A lot has been spoken about Europe using that tech. Canada has been using it too for a few years now. That’s another point that the US is behind when Canada has better tech. Usually, it’s the other way around.

    Great article. Everything you need to know is there!

  • Bishop

    So when there’s no secure hardware element (tamper-proof chip) present, it compensates by using cloud-based authentication over internet, with one-time token for limited use.

    For the time being I will stick with secure hardware chip for payment method, while waiting for this NFC HCE cloud-based payment to become mature.

    Nice article!

  • Jean-Francois Messier

    I really like this kind of article. This is something that I can understand, and then can explain to other non-technical consumers. I am happy that we have the chips on our cards for a while in Canada now. The only time I have to sign is when I use my Amex card, which only has the magnetic stripe. The other thing that is important is to always protect both the cell phone and the cards that are in your wallet, with some aluminum shield.

  • http://thewild.postach.io/ Eric De Wildt

    I’m in Canada and have been using this for a while now but not on my phone. Google Wallet always said it’s not allowed in Canada, which really sucks. Paying for stuff with the tap is so easy, I don’t even take the card out of my wallet; people would hand me back the tap machines thinking I was playing a joke. Older individuals would look at me like I was crazy lol. Can’t wait for the functionality to come to my phone.

  • Tom Z

    I use it nearly every day on my Moto X via Verizon. Haven’t had a problem yet…

  • Bwest

    Great article, one of the more descriptive items I’ve found on the subject! There’s a few things I’m still not too clear about on HCE. Could anyone create a HCE/card storage solution or is there some sort of accreditation which needs to be conducted?

    With regards to the tokens – are these tokens transmitted via NFC to the POS terminal or, at the time of transaction, does the handset call the HCE cloud environment to replace the token with a card PAN and then transmit that via NFC?

    If the former, does this not mean that POS terminals will need firmware upgrades to understand the token being passed to it?

  • Jonathan Fisher

    I really doubt Visa/Mastercard are concerned about security by having “cloud based Secure Elements”… It’s more of a control thing. They want to have a say in what devices can use NFC payments. Everyone wants in on mobile payments to skim a transaction fee… Google, carriers, banks, hardware vendors, merchants. Lot of “easy” money at stake here, but unfortunately it’s stagnating the industry. As NFC becomes more available though, the real winner would be Apple since they’ve chosen “no thanks at this time.” Imagine Visa signing an exclusive deal with Apple to lock out Mastercard of secure payments on the iPhone… Oh yeah, cloud based secure elements. All about security, not about strangleholds on competition.