HCE: Proving its worth for security
Doug Yeager, the CEO and co-founder of Host Card Emulation specialist SimplyTapp, can point to two milestones that helped cloud-based mobile payments become a more serious security model in the payments industry.
In November 2013, Google Android started supporting HCE in its KitKat 4.4 mobile operating system. As we're well aware by now, HCE enables NFC applications on Android devices to emulate smart cards and financial institutions to host payment accounts in a virtual cloud.
Up to that point, HCE faced skepticism from the industry because its technology bypasses the secure element embedded in mobile phone SIM cards. Banks hesitated to explore HCE at first based on security concerns. But that is no longer the case as financial institutions such as Capital One, RBC and others have integrated payments into their Android mobile banking apps using HCE.
While no security model is foolproof, HCE has proven its worth as a secure method for storing sensitive card data.
"Banks are very conservative and they're not going to do something that puts them at a gigantic fraud risk," Yeager told Mobile Payments Today in a recent interview. "But they're being told by the card networks, for Android, use cloud-based payments and that gives them a comfort level to use HCE."
The networks' support came at a time when HCE faced criticism from the established guard within the mobile industry, particularly the mobile operators and some device manufacturers. Without HCE, a payment card's credentials need to be stored in a secure element that is embedded in mobile phone SIM cards and controlled by mobile operators. This was one reason why the original Google Wallet was limited to one network in Sprint.
The SIMalliance, a trade organization that is a proponent of secure element-based mobile payments, lambasted HCE in a whitepaper last year and said the technology at the time was "immature, unstandardized and, relative to SE-based deployments, vulnerable to malicious attack."
"In the beginning, HCE was sort of laughed at," Maarten Bron, director of innovations for the transaction security division at UL, told Mobile Payments Today in an interview. "People said 'there's no secure element' and 'this will never be secure,' but it took some time for some positive perception to evolve in the industry.
"There were a lot of opinions at the time, some that may or may not have some bias to them."
Yeager said the SIMalliance's skepticism never really hurt SimplyTapp's business.
"Of course there were skeptics from the SIMalliance. That continued, but it was just a matter of time," Yeager said. "The scalability of the cloud-based payments model is so much more favorable to allow a bank by themselves to go to market without working with MNOs."
The networks' support for something like HCE appeared inevitable when you consider what the banking industry has faced in the past few years.
Silicon Valley continues to make inroads with products such as mobile wallets and person-to-person payment apps. Both ride the banks' established payment rails, but individual financial institutions lose some of their branding when a consumer enters a card into another e-wallet such as Apple Pay.
"Going forward, I think Visa and MasterCard and the other networks will soon realize that whatever you see happening with secure element and HCE, it's not so much of a trend," Bron said. "It's more of a sign that the industry is really changing fast and we will see instances of disintermediation and that there will be new tech giants in Silicon Valley that will do new things."
But is the banking industry too far behind at this point when it comes to mobile payments?
Since Visa and MasterCard both published their specifications for HCE-based mobile payments, banks outside the U.S. have been quicker to embrace the technology.
SimplyTapp in May announced the Asian Payments Cloud initiative to the banking and financial services community in the APAC region. Thailand-based Siam Commercial Bank was one of several financial institutions involved in a pilot of its cloud-based payments products.
Sequent, a U.S.-based firm that specializes in providing a mobile wallet platform-as-a-service, has helped some banks overseas launch cloud-based mobile payments.
"I think it's because of the infrastructure being ready," Yeager said about banks' support for HCE overseas. "Banks are maybe more willing to take risks against their competitors overseas to get to be first to market with a new technology."
Yeager expects more support in the U.S. next year.
"We're hoping to see support from big mobile banking platforms to offer HCE," he said. "I think we're to the point where we're not seeing pilots anymore [with this] and people are just developing toward their commercial deals.
"I wish this would've all happened faster, to be honest. The quicker you can get alignment on a model going forward, the better for us, but this industry doesn't evolve overnight. It generally takes even longer than two or three years to get comfortable on payments technology."
Will Hernandez has 14 years of experience ranging from newspapers to wire services and trade publications. Before becoming Editor of MobilePaymentsToday.com, he spent two years as the content manager for PaymentsJournal.com, a leading payments industry news aggregator and information hub published by Mercator Advisory Group. Will spent four years covering the payments industry as an associate editor for multiple publications in SourceMedia's Payments Group based in Chicago.