Since the introduction of the first android phone with Near Field Communication (NFC) capabilities in 2011, mobile and contactless payment technology have shown immense potential for banking and payment industries. As more mobile payment technologies hit the market, the payments industry continues to get one step closer to a new, better world that no longer requires plastic credit cards. NFC is one of many technologies that offer card issuers the opportunity to provide customers with a secure, customizable, and contactless user experience. However, card issuers and consumers alike have been hesitant to adopt this technology for a variety of reasons, ranging from the misconception that it is too complicated to fear of security risks.
Thus, to make mobile payments easily accessible to card issuers, Host Card Emulation (HCE) technology was incepted. It is a software architecture that creates a secure communication channel between an NFC terminal and remotely-hosted payment credentials. With HCE, consumers’ phones serve as secure proxies for payment cards, transit cards, room keys, event passes, and more.
Here, we will look upon HCE as a standard technology stack for an android-based payments app and address how it meets the main EMV (Europay International, MasterCard, and VISA) goals to ensure secure payments at Point of Sale (POS).
Role of Host Card Emulation
HCE is the term used to describe the entire ecosystem of mobile payment solutions on Android-based devices, which do not have access to a Secure Elements (SE) or a Trusted Execution Environment (TEE). SE and TEE generally rely on proprietary hardware security to store and access sensitive keys such as the Card Master Key (CMK), whereas HCE solves this by using mobile device software in combination with a remote server. Furthermore, there are various stakeholders in the HCE Ecosystem, which play an important part in providing a seamless and secure payment experience to the cardholder. The services range from a secure payment app that builds the user interface to initiate the mobile payment, to a trusted Wallet Service Provider (WSP), and finally, a Tokenization Service Provider (TSP) that replaces PAN with a payment token.
The secure payment app is the equivalent to the card program that runs on the plastic card’s contact chip. As a result, the payment app ensures that a valid EMV transaction is sent to the Near Field Communication reader at the Point of Sale. All HCE participants such as software and hardware vendors, card issuers, and card schemes, have aimed for the same security levels and market acceptance, as EMV transactions have evolved towards being recognized as the more secure solution compared to magnetic strip based payments.
Main Goals of EMV
The main goals of EMV are to reduce fraud by using the following measures.
- Validating authentication of payment card
- Requesting cardholder verification
- Validating transaction integrity
- Using risk management parameters
Validating Authentication of Payment Card
According to a source, the number of transactions using credit cards at POS terminals in India grew by 23% year-on-year, while it increased by 14.6% for debit cards for the 12 month period ending July 2019. This extensive use has posed security concerns about the authentication of the card. t should not be possible to copy a payment card or compromise the application programs on the chip. HCE technology solves this issue. With HCE, each payment app has its unique instance ID after installing it on the mobile device. Registering the payment app on the device includes the storage of a device fingerprint at the HCE wallet server. Furthermore, the provisioning of a payment token to the software/hardware key store of a mobile device results in a unique combination of payment app instance ID, device fingerprint, and DPAN. Moreover, before replenishing the limited-use session keys, the combination of the provisioned payment token, payment app instance ID, and device fingerprint is validated by the HCE wallet server. Thus, these steps make it difficult for a fraudster to request valid SKs from the HCE wallet server for a payment app that resides on a different device.
Requesting Cardholder Verification
The cardholders should be able to confirm that they are the cardholders by a method that is either dependent on the POS, transaction amount, or other attributes. EMV allows several cardholder verification methods—cardholder’s signature comparison by the merchant, validation of the PIN by either the issuer or the POS terminal, or “no CVM at all” in case of risk transactions. For HCE, the cardholder verification is as follows,
- Card-Like User Experience (CLUE) – This payment app follows the sane user experience as a regular contactless payment, viz tap and play. Depending on the country, card schemes, and the POS terminals, Low-Value Transactions (LVTs) sometimes don’t require cardholder verification. However, a cardholder still has to enter his PIN at the POS for a High-value Transaction.
- Consumer Device Cardholder Verification Method (CD-CVM) – the users can authenticate themselves to the device via a fingerprint scan, password, or swipe pattern.
- Flexible User Experience (FLUE) – It is a combination of CLUE and CD-CVM. It is not solely one or the other.
These categories give the issuers and bank a flexible set to build a payment experience, which is in alignment with their standards and risk tolerance.
Validating Transaction Integrity
It is very important to make sure that the transaction is not altered on the way between POS, card network, and the card issuer. HCE uses various sets of encryption keys and transaction identifiers, as well as exchanges a payment cryptogram based on DPAN-derived SKs to validate transaction integrity on the issuer side.
Using Risk Management Parameters
Within the EMV ecosystem, each stakeholder should be able to apply risk measures. HCE puts several safeguards in place. With HCE, the fraud systems are able to inspect the frequency of SK replenishment. In case of malicious behavior, the HCE wallet server can suspend the DPAN and stop the renewing of SKs. Moreover, a payment app can only hold a small pool of SKs thereby minimizing the number of offline payments the fraudster could potentially make. Furthermore, HCE only allows the provisioning of payment tokens on mobile devices that provide certain security standards, e.g. version of fingerprint readers, operating versions, etc. HCE also provides velocity tracking of LVTs without HVT in between.
To conclude, HCE product companies are continuously working on security concerns to maintain reliable payment solutions. The card payment market is growing at a rapid pace, and the growing competition is good particularly in terms of security, as it keeps the providers under pressure to not lose the cardholder’s trust.
Also read: Payment Card Industry Compliance: An Overview
Read Full Magazine: The 10 Leading Payment and Card Solution Providers of 2020