Business Problem:
NFC is a short-range wireless technology that allows communication between two devices over short distances of up to ten centimeters. Based on this technology, devices like mobile phones are able to communicate. This technology, combined with enhanced security mechanisms, forms the foundation of proximity-based mobile payments.
Mobile wallets enable payments through smartphones, and already 25% of phones equipped with NFC capability can take advantage of this technology. However, enabling a seamless payment involves additional players beyond the regular payment processing chain. Additional validation for ensuring secure payments involves banks, Trusted Secure Manager (TSM) providers, and the Mobile Network Operator (MNO) TSM service. All these players ensure that the user, the device, and the subscription plan are valid. The MNO TSM service creates a security domain in the secure NFC chip and establishes keys; the payment service providers then use these keys to include payment information in the security domain installed by the MNO. Security is ensured by the storage, management and validation of the subscription, key and payment information in the tamper-proof NFC chip. The physical presence of a secure element in the device, and the inherent dependency between the TSM providers and Telco TSM services, introduce complexities that make it difficult and expensive for actors in an NFC ecosystem to interact efficiently.
NFC and HCE:
To overcome the challenges of managing the dependency between the TSM providers and Telco TSM services, HCE was introduced as a software construct that emulates NFC behavior while augmenting the TSM-enabled security validations with a cloud service called Cloud-based Secure Element (Cloud SE). HCE is a feature of the mobile operating system that allows the secure element to be present outside the mobile device. By moving the secure element to a cloud or managed environment, the complexities and associated costs can be minimized. Mobile payment applications can utilize a secure element without any third-party involvement such as Telco TSMs. Because HCE is a software construct, it introduces software-centric considerations around digital threats, vulnerabilities and compromises. All threats to a mobile application, such as malware, phishing, rooting of devices, and the perils of stolen devices, therefore apply to the HCE threat matrix. There is thus an inherent trade-off, from ecosystem complexity to the complexity involved in securing the application. Visa and Mastercard have endorsed HCE, with Visa updating its PayWave specification and Mastercard its PayPass specification. Payment tokenization, as an EMVCo specification, favors HCE and other proximity technologies as the risk model shifts from physical cards to token assurance.
HCE Technology:
Host Card Emulation, or HCE, removes the need for a secure element by allowing providers to literally emulate an NFC smart card. HCE relies on three operational modes of the NFC chip and antenna on the device.
a. Reader/writer mode – to read/write data from/to a tag or NFC sticker.
b. Peer-to-peer mode – which is essentially communication between two NFC-enabled peers.
c. Card Emulating mode – this is the mode used by HCE, to emulate a smart card and to function with some secure element, either on the device or in the cloud.
The first two modes are routed to the mobile operating system (Mobile OS) to be processed by the host, and applications can benefit from the input. The third mode, Card Emulating mode, is routed to the secure element. Android KitKat changes this to mimic the behavior of the other two modes, which simplifies the application design but introduces security considerations.
Understanding that with HCE:
a. An NFC-based hardware secure element solution is more secure than HCE.
b. Complexity for issuers and consumers is vastly reduced and risk mitigation techniques
c. There are ways to limit security exposure, ranging from one-time/low-TTL tokens to porting high-value transactions through the SE for further validation/authentication -- but this will add to solution design and to the time of payment execution, which is a huge concern in the mobile payment industry -- essentially a round-trip cost and processing in the cloud.
d. What HCE does is reduce the cost and complexity of the payment solution; does an NFC-based SE provide added security worth the cost? Right now adoption is low, so there is little or no metric on fraud...
e. Android KitKat supported HCE --- not aware of any other adoption outside of Android KitKat.
HCE Technical concerns:
1. Security --- the device can be jailbroken/rooted; concerns around malware etc.
2. Security/Time -- RTT cost SP in cloud and implementation of one-time password (OTP)/low-threshold TTLs etc.
3. Security -- embedded in a solution design that has a cloud solution, commonly known as Tokenization. Tokenization is often used as a mechanism to overcome the timing issues of cloud-based SE solutions. This means that the tokens need to be stored in the application, where they are still at risk -- same old concern around.
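
A sketch of the one-time/low-TTL token idea from the concerns above, as an added example (not code from the original post or from any payment specification): a cloud SE mints single-use tokens and later decides what a presented token is still good for. The 120-second TTL, the 25.00 approval ceiling, and all function and field names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# All constants and names below are illustrative assumptions.
ISSUER_KEY = secrets.token_bytes(32)   # held only by the cloud SE, never on the device
TOKEN_TTL_S = 120                      # low TTL: a stolen token ages out quickly
TOKEN_ONLY_LIMIT_CENTS = 2500          # above this, require online SE validation


def _mac(device_id: str, nonce: str, expires: int) -> str:
    """Bind device, nonce and expiry together under the issuer key."""
    msg = f"{device_id}|{nonce}|{expires}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(device_id: str, now: int) -> dict:
    """Cloud SE side: mint one single-use token for the app to store."""
    nonce = secrets.token_hex(8)
    expires = now + TOKEN_TTL_S
    return {"device_id": device_id, "nonce": nonce, "expires": expires,
            "mac": _mac(device_id, nonce, expires)}


class TokenValidator:
    """Cloud SE side: decide what a presented token is still good for."""

    def __init__(self):
        self._spent = set()   # nonces that have already been redeemed

    def validate(self, token: dict, amount_cents: int, now: int) -> str:
        expected = _mac(token["device_id"], token["nonce"], token["expires"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "DECLINE:bad_mac"      # fields were altered after issuance
        if now > token["expires"]:
            return "DECLINE:expired"      # copied from the app too long ago
        if token["nonce"] in self._spent:
            return "DECLINE:replayed"     # one-time use already consumed
        if amount_cents > TOKEN_ONLY_LIMIT_CENTS:
            # High-value payment: leave the token unspent and pay the
            # round-trip cost of full validation in the cloud SE.
            return "STEP_UP:cloud_se"
        self._spent.add(token["nonce"])
        return "APPROVE"
```

A token copied out of the application by malware is therefore worth at most one low-value payment inside the TTL window, which is the exposure the stored-token concern has to be weighed against.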
HCE Technical Merits
1. An abstraction layer created a much richer ecosystem of solution development at a very low cost.
2. Fewer players and less complexity -- no need for Telco and SE service providers.
3. Growing number of devices with NFC, but the OS needs to support it (Android supports it; we need to see if Fire/Tizen and other emerging players do the same. The jury is out on iOS support, which is expected in 6, but the NFC controller -- which is NOT a standard yet -- needs to be there).
4. Adding a secure execution container may mitigate risks.
Technology Components:
NFC controller -- this is a sort of routing service that the app needs to register with, which allows the user to control the payment routing. If this is compromised, then all HCE-based apps are compromised. BTW, today this method is ONLY available in KitKat, which may add to fragmentation if not adopted by others.
SE (secure element) -- hardware such as a MicroSD card, SIM card or any other custom embedded/specific card. This specificity brings complexity (as a service provider must interact with some entity to provide secure service) and adds to fragmentation.
Smart card reader -- this is an external device owned by the merchant; companies like FirstData, who acquired Clover, and Square are going after tighter integration with devices.
NFC antenna -- most NFC functions, such as peer-to-peer, read-write mode etc., are handled by the host or mobile OS.
Mobile Application – Payment/Wallet – a mobile application that employs secure digital/wallet technologies, either embedded as an application function or included as a dedicated application.
Thoughts:
HCE might accelerate the introduction of NFC services, because it provides an alternative to NFC-based solutions: a simpler but less secure way to provide host card emulation service. In this way, it has great added value for merchants, service providers and e-commerce/m-commerce operators that can accept a trade-off of a reduced level of security in exchange for an improvement in other factors such as time to market, development costs and the need to cooperate with other parties.