What is Host Card Emulation (HCE)?
Host card emulation (HCE) is a technology for securing a mobile phone so that it can be used to make credit or debit transactions at physical point-of-sale (POS) terminals. With HCE, the critical payment credentials are stored in a secure shared repository (the issuer's data centre or private cloud) rather than on the phone. Limited-use credentials are delivered to the phone in advance so that contactless transactions can take place.
This approach eliminates the need for Trusted Service Managers (TSMs) and shifts control back to the banks. However, it brings with it a different set of security and risk challenges.
- A centralized service that stores many millions of payment credentials, or creates one-time-use credentials on demand, is an obvious point of attack. Although banks have issued cards for years, those systems have largely been offline and have not required real-time interaction with the payment token (in this case a plastic card). HCE requires these services to be online and reachable in real time as part of each individual payment transaction. Failure to protect these service platforms places the issuer at considerable risk of fraud.
- Although the phone no longer stores payment credentials, it still plays three critical security roles, each of which creates an opportunity for theft or substitution of credentials or transaction information:
  - It provides the means for applications to request card data stored in the HCE service.
  - It is the method by which a user is authenticated and authorizes the service to provide the payment credentials.
  - It provides the communications channel over which payment credentials are passed to the POS terminal.
- All mobile payment schemes are more complex than traditional card payments, yet smartphone users' expectations are extremely high:
  - Poor mobile network coverage can make HCE services inaccessible.
  - Complex authentication schemes lead to errors.
  - Software or hardware incompatibility can stop transactions.
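The limited-use credential model described above (credentials derived by the issuer, delivered to the phone in advance, and checked online by the issuer on every tap) can be made concrete with a small simulation. The following is an added example written for this page, not code from any HCE scheme, wallet or issuer; the key-derivation scheme, message fields, the `IssuerService` and `PhoneWallet` classes, and all key and token values are constructed for illustration. It shows the issuer-side checks that make the centralized service defensible: a limited-use key (LUK) that is only good for a fixed number of transactions and a fixed time, a transaction counter that must strictly increase (so a captured tap cannot be replayed), and a cryptogram that binds the amount and terminal nonce (so transaction data cannot be altered in transit).

```python
"""Toy model of HCE limited-use credentials (constructed example, not a real payment scheme)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer master key; a real issuer would keep this in an HSM, never on a phone.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"


@dataclass
class LimitedUseCredential:
    """What the issuer pushes to the phone ahead of time."""
    token: str        # payment token standing in for the real card number
    key_index: int    # which replenishment of the limited-use key this is
    luk: bytes        # limited-use key, valid for max_uses taps or until expires_at
    max_uses: int
    expires_at: int   # unix time (constructed)


def derive_luk(master_key: bytes, token: str, key_index: int) -> bytes:
    """Issuer derives a per-token, per-replenishment key; the master key never leaves the server."""
    return hmac.new(master_key, f"{token}:{key_index}".encode(), hashlib.sha256).digest()


def transaction_cryptogram(luk: bytes, atc: int, amount_cents: int, terminal_nonce: str) -> str:
    """MAC over the transaction data; the phone computes it, the issuer recomputes it."""
    msg = f"{atc}|{amount_cents}|{terminal_nonce}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()[:16]


class IssuerService:
    """Online issuer side: provisions limited-use keys and verifies each contactless transaction."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.records = {}  # (token, key_index) -> {"max_uses", "expires_at", "last_atc"}

    def provision(self, token, key_index, max_uses, now, ttl_seconds) -> LimitedUseCredential:
        expires_at = now + ttl_seconds
        self.records[(token, key_index)] = {"max_uses": max_uses, "expires_at": expires_at, "last_atc": 0}
        return LimitedUseCredential(token, key_index, derive_luk(self.master_key, token, key_index),
                                    max_uses, expires_at)

    def verify(self, msg: dict, now: int) -> str:
        rec = self.records.get((msg["token"], msg["key_index"]))
        if rec is None:
            return "unknown-key"
        if now > rec["expires_at"]:
            return "expired"
        atc = msg["atc"]
        if atc > rec["max_uses"]:
            return "limit-exceeded"          # more taps than this key was ever issued for
        if atc <= rec["last_atc"]:
            return "replay"                  # counter must be strictly increasing
        luk = derive_luk(self.master_key, msg["token"], msg["key_index"])
        expected = transaction_cryptogram(luk, atc, msg["amount_cents"], msg["terminal_nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad-cryptogram"          # amount, nonce or counter altered, or wrong key
        rec["last_atc"] = atc
        return "approved"


class PhoneWallet:
    """Phone side: holds only the limited-use key and builds the message the POS relays to the issuer."""

    def __init__(self, cred: LimitedUseCredential):
        self.cred = cred
        self.atc = 0  # application transaction counter

    def tap(self, amount_cents: int, terminal_nonce: str):
        if self.atc >= self.cred.max_uses:
            return None  # exhausted: must go online and replenish before paying again
        self.atc += 1
        return {
            "token": self.cred.token,
            "key_index": self.cred.key_index,
            "atc": self.atc,
            "amount_cents": amount_cents,
            "terminal_nonce": terminal_nonce,
            "cryptogram": transaction_cryptogram(self.cred.luk, self.atc, amount_cents, terminal_nonce),
        }


def demo():
    """Walk one credential through normal use, replay, tampering, exhaustion and expiry."""
    issuer = IssuerService(ISSUER_MASTER_KEY)
    cred = issuer.provision("tok-4111-demo", key_index=1, max_uses=2, now=1_000, ttl_seconds=3_600)
    phone = PhoneWallet(cred)
    first = phone.tap(1250, "nonce-a")
    results = [issuer.verify(first, now=1_100)]                       # approved
    results.append(issuer.verify(first, now=1_200))                   # same message again: replay
    results.append(issuer.verify(dict(first, atc=2, amount_cents=99_999), now=1_200))  # bad-cryptogram
    results.append(issuer.verify(phone.tap(500, "nonce-b"), now=1_300))  # approved (second use)
    results.append(phone.tap(100, "nonce-c"))                         # None: phone refuses, limit reached
    stale = issuer.provision("tok-4111-demo", key_index=2, max_uses=5, now=1_000, ttl_seconds=60)
    results.append(issuer.verify(PhoneWallet(stale).tap(700, "nonce-d"), now=5_000))  # expired
    results.append(issuer.verify(dict(first, atc=3, cryptogram="00"), now=1_400))  # limit-exceeded
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is the asymmetry it creates: a phone that is compromised yields at most `max_uses` transactions before `expires_at`, and nothing that lets an attacker mint further keys, while the issuer record keyed by `(token, key_index)` is exactly the centralized, always-online state the second bullet above warns must be protected.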