HCE Boosts Mobile, But Security Questions Persist

Visa and MasterCard's support for host card emulation (HCE) is a boost for mobile pay, though there are still security concerns.

HCE is a a version of Near Field Communication (NFC) that requires the traditional ecosystems of mobile network operators (MNOs) and SIM card makers to communicate.

As a result of the card networks' moves, the SIMalliance published a first version of the document titled, “Secure Element Deployment & Host Card Emulation.” This document not only discusses the different case studies where HCE could be a legitimate alternative, but also highlights that this solution is not mature and not as secure when compared to traditional NFC transactions that are coupled with a secured element.

Many other alliance or consulting firms already published white papers stating that HCE is finally in an early stage of maturity and that there is a long road to reach a trustworthy and recognized payment solution.

Frost & Sullivan believes that the networks' HCE announcement is good news for service providers because it will propose an alternative that is easy to deploy in a short time frame. HCE is a strong driver that can accelerate the deployment of other payment solutions (or other services such as transportation, loyalty or Identity) and it has already forced the ecosystem to rethink the entire payment roadmap and portfolio strategy.

Even if the payment ecosystem appears to be global at a first view, the reality is that many technologies and networks coexist. Due to a lack of common rules, hackers can deploy innovative strategies to overpass existing security mechanisms. All the network can be targeted, and the payment card itself is subject to false cards such as YesCard. Automated teller machines (ATMs) can be modified to perform skimming attacks. More recently, POS terminals were idenitied as a sensitive part of the payment network and thus subject to fraud.

HCE finally creates a new layer of services, alternatives, and answers, but also a long list of questions. As long as the payment industry will not have a single network, a single protocol and a common set of rules, potential hacking will be possible by using sophisticated or innovative attacks. Cloud-based payment solution platforms will be targeted to access sensitive information or to perform fake payment requests.

Cloud platforms should then be the priority from a security perspective and should be designed to defend against attacks with the latest cyber security technologies. Data encryption is only an additional security measure to protect communications and data exchanges and are not the single solution.

Jean-Noel Georges is global program director for information and communication technology at Frost & Sullivan.