Mercator Blog

Is the Security of Host Card Emulation Debatable?
Date: August 29, 2014
Tim Sloane
Vice President, Payments Innovation

Robert Wessels wrote an Opinion in PaymentSource titled “Host Card Emulation is a Secure Option for Mobile Payments” in which he argues that security is a matter of perspective and that on balance tokens make HCE sufficiently secure for the purpose:

“While some may consider the use of HCE less secure as there is no physical secure element (SE) involved, it is really a matter of perspective. Instead of storing the card data in the SE, tokens are downloaded to the device and used to complete the transaction at the point of sale (POS). Any breach of security would expose only one or a limited amount of tokens (typically associated with a low transaction value), not the account itself. The limited gain available to hackers in return for the considerable investment of effort and time is more likely to make them put their focus on more attractive targets.

Many issuers therefore see this as an acceptable balance of risk and reward. With the value of the token being so low, it is questionable whether the highest level of security is required. As a comparison, your house is also less secure than a bank vault; the same level of protection is not required due to the value of the contents.”

The article also argues that HCE simplifies the business model and that despite some initial concerns the branded networks have embraced the HCE implementation:

“Overall, the benefits that HCE can bring, such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects, are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never certify such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.” 

Tokens can clearly be an acceptable method for managing risk in a mobile environment where access to the Secure Element has been restricted, but only if properly implemented across all participants in the value chain. For example, will everyone in the value chain have a shared perspective on the meaning of the 00-99 values assigned to the Token Assurance Level identified in the The EMVCo Payment Tokenisation Specification? If these values are implemented and interpreted differently for every issuer, then the cost of managing the environment goes up compared to when the risk is implemented in a common fashion as is done with cards today.

The article suggests that some risk-adverse issuers may want to utilize an alternative hardware device as an SE:

“For issuers that still consider HCE as "too insecure," there may ultimately be a role for what Bell ID has called the "hybrid solution," combining the benefits of the cloud with a physical SE on the device.” 

This is exactly what the Token Assurance Level is designed to support, but if every issuer assigns its own values, how can real-time fraud engines be developed to meet the needs of the industry rather than being custom designed for each specific issuer? Tokens will be deployed, but how they are deployed (per issuer, per network, common across networks) will have a more significant impact on the payments value chain and the cost of managing fraud than many currently think.