Host Card Emulation: Why Does It Matter?

An explanation of host card emulation (HCE) first requires a brief overview of near-field communications. Near-field communications, or NFC, requires a mobile device to have the necessary hardware installed, which could be in the form of a SIM card or NFC chipset installed directly in the device. This hardware element is responsible for performing certain security tasks, such as authentication and communication to a reader. NFC requires cooperation from and collaboration with carriers, and the hardware must be compatible with the payment system selected by the carrier.

Host card emulation eliminates the need for hardware special security module within the phone, often called the secure element. Instead, it basically creates a virtual representation of a card that resides in the cloud. During a transaction, the device accesses the cloud via a secure channel, authenticates the device, and passes on card credentials that can be used for a transaction and approval. No physical cards are required; customers only need to "wave" their device at the payment scanner.


Why HCE is Important

Consumers have been using their mobile devices to make payments in increasing numbers. Estimates from the Gartner Group for 2013 projected transactions totaling more than $235 billion worldwide, 44 percent more than the prior year's total. The Yankee Group predicts that the global mobile economy will top $3 trillion by 2017.

However, despite the increased use of mobile devices to make purchases, most consumers continue to complete payments using a more traditional method. They enter their credit card information on the retailer's website, use an electronic payment service (such as PayPal) or swipe a plastic card at the register. A report issued by Yankee Group in February 2014 showed that only 16 percent of the people owning a mobile device had made an in-store payment with their phone during the previous three months.

The slow adoption of mobile wallets has been primarily due to three factors. First, there has been something of a "turf war" over who controls the NFC secure element installed in the device. Control of the element makes the entity a virtual "toll master" for all payment transactions involving the device. The main contenders in the battles have been financial institutions, telecom carriers and equipment manufacturers.

The second factor is exacerbated in part by the first, but it can also be viewed as a separate issue. Merchants are reluctant to invest in a technology without some assurance that the technology will provide a return on the investment. Therefore, unless and until customers demand it -- and unless merchants feel their investment will not become obsolete in the near future -- retailers tend to delay spending. Customers, on the other hand, want to see a new technology in wide use, evaluate its security and determine whether the experience will be seamless and user-friendly.

Lastly, financial institutions must protect their customers. Historically, this has made banks slow to adopt new technology that has the potential to place customers' accounts at risk. It is therefore very telling that both MasterCard and Visa have thrown their support behind EMV and are currently developing standards and specifications for the US market. These EMV chip cards are prevalent in other parts of the world and typically require a consumer to enter a PIN to complete a purchase. Though depending on the amount of the transaction, a consumer may just need to sign or no action if under a floor limit similar to mag-stripe transactions today. By October 2015, according to a report in the "Wall Street Journal," Visa and MasterCard will transfer fraud liability to the store if the store completes a transaction through "swipe and sign" if the card contains a chip.


How HCE Transactions Work

The functionality for purchases made with an EMV card or secure element-equipped NFC device is similar -- but not identical -- to an HCE transaction. With an EMV card, the chip stores the secure information and communicates with the card reader. With a secure element enabled NFC device, the hardware handles all the card data and communication to the reader on the software contained on the hardware itself.

HCE, on the other hand, must rely on service calls to the internet via a secure channel and authenticate to a database hosted to get the payment credentials. Data is sent to the app installed on the mobile device. The app confirms that the information was received from the controlling device, and the process is "spoof-proof." Then the NFC element on the device executes the transaction and the payment credentials are no longer stored on the device..

MasterCard and Visa often rely on payment tokens, transmitted to and stored on the user's smartphone. These tokens carry the same characteristics of a typical credit or debit card, but are only valid for a specific length of time and/or number of transactions. Token management can take place in the background anytime that the user is online, such as during the sync process. Visa has also announced that it will employ device fingerprinting to provide additional security.


Beyond HCE for Payments

NFC has the potential to provide much more than point-of-sale touch-less purchases. For example, it could provide the functionality to allow a shopper to press a button on a label to learn more about the product. It can provide much of the same functionality as iBeacons, but since the customer must initiate the action, rather than having an unsolicited message pushed to their device, the engagement experience is better targeted and less annoying to some shoppers. Merchants can also use NFC for customer loyalty programs, special orders and coupon delivery.