
What host card emulation means for mobile payment security

The EMV card is a physical asset that provides security via encryption. The next step is to duplicate this security virtually.

July 25, 2014

By Simon Keates, Thales e-Security

Mobile payments offer ease and convenience for consumers, yet security concerns hinder this technology from enjoying widespread use. Consumer confidence in providers' ability to protect cardholder data is the determining factor in whether mobile payment services succeed or fail. The EMV card, with its secure microchip for transmitting data, is a physical asset that provides security via encryption. The next step is to duplicate this security virtually.

HCE (host card emulation) has been a boon to the mobile payments industry, reducing costs and lowering barriers to entry. Organizations that desire to use mobile payments can now do so without high up-front costs and complicated partner relationships. Before HCE came along, organizations had to either store credentials in a specialist security chip in the phone, the Secure Element (SE), or use Card On File credentials in the cloud. The SE option essentially turns the phone into a mobile wallet, with the SE acting as the chip on an EMV card. The "cloud" option simply allowed the storage of basic payment information, such as Card Number and Expiry Date or Sort Code and Account Number, on the Internet. Since the introduction of HCE, the SE is no longer necessary, because the full payment card data, an exact representation of the card using only software, no longer needs to reside on a physical chip.

Certain criteria must be met in order to move the storage of card data from the chip to a secure environment in the cloud, and these criteria can cause problems. To complete a transaction, your phone will have to connect to the Internet, wait for encryption to take place, and receive a response. Even in a best-case scenario, this will be difficult to complete in the time required by card schemes. Of course, without a signal, it would be impossible. The solution that is being proposed to combat this uses a concept called "tokenization." Instead of having to connect to the Internet every time you spend, limited-use virtual cards would be stored on your phone.

A virtual wallet is convenient for shoppers — and for identity thieves. The potential exists for criminals to clone the phone and request the card information, or even write malware to reside on the phone that will send the virtual card to the thief in the blink of an eye.
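The limited-use virtual cards described above only contain the theft risk if the issuer enforces their limits. The sketch below is an added example, not code from the article or from any card scheme: it assumes HMAC-SHA256 as a stand-in cryptogram, and the names `LimitedUseToken`, `cryptogram` and `authorize` and all sample values are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class LimitedUseToken:
    """Issuer-side record of one virtual card provisioned to a phone (hypothetical model)."""
    key: bytes             # limited-use key; a copy sits on the phone
    expires_at: int        # Unix time after which the token is dead
    max_uses: int          # how many payments this token may make
    last_counter: int = 0  # highest transaction counter accepted so far

def cryptogram(key: bytes, counter: int, amount_cents: int, merchant: str) -> str:
    """Phone side: MAC the transaction data locally, no network round trip needed.
    HMAC-SHA256 is an assumption here, not the card schemes' algorithm."""
    msg = f"{counter}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorize(tok, counter, amount_cents, merchant, mac, now) -> str:
    """Issuer side: verify the cryptogram, then enforce the token's limits."""
    if now >= tok.expires_at:
        return "DECLINE:expired"
    expected = cryptogram(tok.key, counter, amount_cents, merchant)
    if not hmac.compare_digest(expected, mac):
        return "DECLINE:bad_cryptogram"
    if counter > tok.max_uses:
        return "DECLINE:use_limit"
    if counter <= tok.last_counter:
        return "DECLINE:replay"
    tok.last_counter = counter
    return "APPROVE"

def demo() -> list:
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed sample value
    tok = LimitedUseToken(key=key, expires_at=1_000_000, max_uses=2)
    pay = lambda n, amt: cryptogram(key, n, amt, "shop-a")
    return [
        authorize(tok, 1, 1250, "shop-a", pay(1, 1250), now=999_000),    # genuine payment
        authorize(tok, 1, 1250, "shop-a", pay(1, 1250), now=999_000),    # captured and replayed
        authorize(tok, 2, 99_999, "shop-a", pay(2, 1250), now=999_000),  # amount altered
        authorize(tok, 2, 1250, "shop-a", pay(2, 1250), now=999_000),    # second genuine payment
        authorize(tok, 3, 1250, "shop-a", pay(3, 1250), now=999_000),    # stolen key, limit spent
        authorize(tok, 2, 1250, "shop-a", pay(2, 1250), now=1_000_001),  # after expiry
    ]

if __name__ == "__main__":
    print(demo())
```

Even with a valid copy of the key, the fifth and sixth calls are declined: the use limit and expiry cap what a cloned token is worth.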

Updating authentication and assessment

The strength of the authentication mechanism for mobile payments is what will determine how secure those payments are. We must be able to bind the identity of the user to the authorization of the transaction. While banks are thoroughly familiar with data protection requirements, challengers with less data handling experience will need to be mindful of authentication and risk assessment.

The smartphone itself can assist with risk assessment of transactions and user authentication as well. Features such as GPS data, 3G location, proximity to Wi-Fi locations and the number and type of applications on the device build a unique fingerprint for each phone. Although not unassailable, they can constitute a valuable asset to determine the likelihood of a fraudulent transaction. This also brings the potential to streamline the consumer experience in-store, lowering authentication barriers if it seems highly likely that it's the approved user, and introducing barriers to disrupt the payment journey if in doubt.

All this analysis depends on data — reams of personal data that represent an attractive target for hackers and must be protected against attack. Protecting all this stored personal data goes well beyond the usual password database issue in terms of both volume and sensitivity — authentication is moving from being a "password problem" to a "big data problem." Information must be carefully encrypted, to neutralize it and minimize the impact of its loss or theft.

The rapid evolution of the mobile payment industry is being spurred by the advent of HCE. It has opened the floodgates to organizations that could not formerly afford the technology. This will create an increase in user data, all of which must be protected. In our digital, global, connected world, we must use every available resource to ensure ease of use, simplicity and security of mobile payments. Only then will consumers place their trust in the technology and adopt it on a broad scale.

©2025 Networld Media Group, LLC. All rights reserved.