An “A versus B”, battle of the bands, one winner takes all discussion is a tried and tested technique for whipping crowds into a frenzy. In this case, it’s Host Card Emulation (HCE) being pitted against the Secure Element approach to securing mobile payments – will it be our red or our blue fighter that takes home the shiny championship belt of widespread adoption?
Although an appealing way to engage an audience, the reality is that we will need to pursue and develop both approaches to suit the diverse needs of banks, merchants and consumers.
In a desire to stimulate conversation around the two models, the similarities are often overlooked. Both still require a wave or tap from the consumer, and no change is required to the merchant’s contactless acceptance capability. The real difference between the two lies in the backend security and risk management infrastructure, controlled by the banks.
The Secure Element (SE) model is analogous to the familiar and long established card world, focused on putting a chip card inside the phone to secure keys and sensitive data throughout their lifetime. In much the same way as a hardware security module (HSM), the chip is tamper-resistant, ensuring no attacker can steal critical credentials.
HCE acknowledges and embraces the fact that the phone – a consumer device – is inherently vulnerable. This approach represents a different way of thinking, shunning a ‘create and keep’ methodology and opting to deliver secure temporary credentials to the phone, for use within a limited time span. This alternative type of security is supported by backend analysis of behavioural and contextual data to help detect any potential fraud.
This has significant implications when it comes to streamlining the consumer experience and minimising friction, in the quest for “zero effort payment”. Increased use of contextual data allows for more flexible risk-based authentication of transactions.
The similarities between the SE and HCE models don’t stop at the user experience. Both endorse NFC and EMV proven technologies, and are increasingly making use of tokenisation – the latest technology for which the industry is striving for standardisation.
Visa and Mastercard released their specs for HCE this summer, followed by Amex just a few days ago, who are continuing to expand their card brand to more third party institutions.
Just one year ago at Cartes, the feeling was that mobile payments were struggling to take off. With the backing of major card schemes, the convenience of contactless underpinned by strong security solutions may be the just the catalyst we need to win critical consumer trust.