Is Host Card Emulation (HCE) the big enabler for Mobile Contactless Payments? – December 2015
An SPA Position
Host Card Emulation (HCE) simplifies Near Field Communication (NFC) implementation by eliminating the requirement of a Secure Element (SE) to store mobile payment applications. But HCE also increases the risk that payment credentials are captured on the mobile device, with the subsequent risk of payment fraud.
In this paper, SPA discusses some of the most significant issues related to the security, roll-out and management of payment applications using HCE, and offers recommendations to move forward with a competitive market for mobile contactless payments using both SE and HCE.
This paper does not intend to provide a detailed technical analysis on HCE security.
The following definitions apply in this document:
Mobile Device refers to mobile phones and smartphones equipped with an NFC controller and host payment applications using either one or more SE, or HCE functionality, or both.
We refer to Android OS mobile devices, because HCE is the NFC functionality of the Android OS.
Secure Element (SE) refers to a chip emulating a card in a mobile device and accessed using the NFC mobile controller.
The Secure Element is isolated from the mobile operating system and hardware, and therefore provides the security features of a certified smart card to a mobile device: secure storage, an isolated and secure execution environment, and hardware-based cryptography. The SE also stores cryptographic keys and executes the protocols for the remote management of the mobile payment application.
Host Card Emulation (HCE) refers to a software module embedded in a mobile device that emulates a card and is accessed using the NFC mobile controller. HCE is not a secure environment: other applications resident on the mobile device, malicious or not, may compromise the integrity of payment applications. To mitigate this risk, specific security mechanisms are required. They are discussed hereafter.