Last week, Alex Rolfe of Payments Cards & Mobile wrote an article titled “HCE – The way to move mobile payments forward fast.” As Rolfe observes, the technology to enable mobile contactless payments has been around for quite some time.
“There were (and still are) various ways of replicating contactless NFC payment functionality on a mobile device,” he stated. “This can be done by writing to the SIM card, the SD card (a data storage device) or secure element (SE). Yet all these methods have one major flaw in their DNA: they involve third parties.”
Meaning, issuers were forced to navigate partnerships, as well as complicated business and technology infrastructure models. This is precisely why mobile payments didn’t really ramp up until the advent of host card emulation, or HCE.
“It was not so much the technology, rather the commercials that held it back. It was akin to a shotgun marriage between two different industries: telcos and retail banking,” Rolfe explained. “Telcos were used to managing SIM distribution. Banks used to manage card products. Simply put: each party needed the other but they could not agree on the commercials and who owned the SIM and the customer.”
As Rolfe points out, HCE, which was implemented by Google in Android 4.4 (KitKat), quickly changed everything in the mobile payments space by allowing card issuers to bypass commercial roadblocks that had previously limited adoption.
“HCE digitizes the card on the phone, generates card numbers and talks to contactless POS terminals. With HCE, there’s no need to rent space on the secure element, reissue the memory card or certify hardware. It cuts hassle, cost and time to market,” he continued. “Mobile contactless payment is now easier to introduce as it runs off the consumer’s phone and existing contactless card acceptance infrastructure. It is easier to provision as issuers can load and update the app and keys directly to the consumer’s device over the air.”
As we’ve previously discussed on Rambus Press, Android Pay uses HCE to replace the physical SE in a smartphone with a virtual SE. Payment tokens and cryptographic keys are stored in the mobile OS, along with the mobile wallet app. For added protection, limited use tokens are stored in a sector of the mobile OS that leverages software-based security, such as white box cryptography, to obfuscate keys. Storing tokens in the code of the cryptographic algorithm also helps prevent exposure of confidential information. These limited use tokens, which are pre-stored in the mobile OS, enable transactions to be completed without network connectivity. The keys are refreshed each time the user connects to a network.
HCE – which does not typically require changes to existing NFC-based smart card infrastructure – has clearly played a crucial role in popularizing frictionless commerce and helping to build an economy of digital trust by enabling mobile payments, digital wallets and smart ticketing apps. Indeed, TD Bank in Canada, Getin Bank in Poland, First Investment Bank AD in Bulgaria, ING in the Netherlands and Banco Sabadell in Spain have all integrated HCE into their mobile wallets. In addition, RBC added support for HCE to its mobile app in September 2015 to replace its SIM card model, allowing customers to load credit or debit cards onto HCE-enabled Android smartphones and pay any POS merchant that supports Interact Flash and Visa NFC contactless payments. Similarly, the Commonwealth Bank of Australia (CBA) has incorporated a mobile payment service for customers into its mobile banking app using HCE.
Interested in learning more about HCE and mobile payments? You can check out our eBook on the subject below.