This new technology gained celebrity status this year when Google announced support for HCE in the KitKat OS. Suddenly with Host Card Emulation and cloud issuance millions of phones could be enabled for payment with a simple app update; a real game changer. It is no coincidence that Visa and MasterCard announced work on HCE specifications this year as well. This innovation opened an alternative path to contactless payments and other services that had no reliance on secure elements, but how does it actually work?
The combination of always-online devices and cloud computing suggested that placing cards in the cloud was a viable option for a more open and scalable solution for mobile commerce and issuers. Placing cards in the cloud was the easy part – two other key concepts have to come together to make an end-to-end solution. First, the phone operating system (OS) must allow communication from a contactless reader at a merchant point of sale (POS) to go somewhere other than the secure element. Second, a Host Card Emulation client app is required to provide security, manage transactions, and utilize metadata about the user, phone, and merchant POS to perform dynamic risk management.
The role of the phone OS in Host Card Emulation is to provide two possible communication paths for NFC commands from the POS contactless reader, chosen by the application identifier (AID) of the app requesting the transaction. The phone OS uses the AID passed from the phone’s NFC controller to route NFC commands either to a secure element or to a trusted app managing the host card emulation. Android’s KitKat OS enables the second route through an HCE service that can be called by issuer apps on the phone. When a user presents a cloud-based card for a transaction, NFC commands are routed to the HCE client app for verification and authorization processing through a mobile application management platform (MAP). The MAP in turn connects to the issuer backend and payment system as needed to complete the transaction. Also part of the ecosystem are a cloud server managing the issuance of card data and the cloud account lifecycle, and a cloud transaction processor. A trusted tokenization system is a shared resource used to generate and de-tokenize tokens representing actual card data in the issuer backend.
Host Card Emulation services in the OS unlock the intelligence of the HCE client app to support the multi-level security methods called for by the Visa and MasterCard HCE specifications. Security against unauthorized account access in HCE depends on four key concepts: limited use keys, tokenization, device fingerprinting, and dynamic risk analysis. Limited use keys (LUK) are derived from a master domain key shared by the issuer and the cloud card management vendor. Replenishment of the LUK is driven by thresholds, such as time to live and number of transactions, set in the mobile application platform. Tokenization reduces risk for banks by replacing the PAN with a tokenized pseudo-PAN used in the payment system without impacting the acquiring side. Device profiles or “fingerprints” are intended to ensure transactions are initiated only by authorized user devices at recognized POS locations. Finally, user/device/account data is used to perform risk assessment for the transaction in real time through the client app, MAP, and issuer backend. Sequent’s Digital Issuance solution for the cloud and HCE provides most of the functionality a bank needs to perform Host Card Emulation-based transactions securely at merchants.
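The limited use key lifecycle described above, sketched as an added example (not code from Sequent or from the Visa and MasterCard specifications). It assumes HMAC-SHA256 as a stand-in for the schemes' own key derivation and cryptogram algorithms; the class names, the token string and the master key are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def derive_luk(master_key: bytes, token: str, index: int) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA256 over the token and key index.
    info = f"LUK|{token}|{index}".encode()
    return hmac.new(master_key, info, hashlib.sha256).digest()


@dataclass
class LimitedUseKey:
    key: bytes
    index: int
    issued_at: float
    ttl: float       # time-to-live threshold, in seconds
    max_txns: int    # transaction-count threshold
    used: int = 0

    def exhausted(self, now: float) -> bool:
        return now - self.issued_at >= self.ttl or self.used >= self.max_txns


class CloudIssuer:
    """Holds the master domain key; the phone only ever receives LUKs."""

    def __init__(self, master_key: bytes, ttl: float, max_txns: int):
        self._master, self.ttl, self.max_txns = master_key, ttl, max_txns
        self._next_index = {}

    def issue(self, token: str, now: float) -> LimitedUseKey:
        index = self._next_index.get(token, 0)
        self._next_index[token] = index + 1
        key = derive_luk(self._master, token, index)
        return LimitedUseKey(key, index, now, self.ttl, self.max_txns)

    def verify(self, token: str, index: int, txn: bytes, mac: str) -> bool:
        if index >= self._next_index.get(token, 0):
            return False  # key index was never issued for this token
        key = derive_luk(self._master, token, index)
        expected = hmac.new(key, txn, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


class HceClient:
    def __init__(self, issuer: CloudIssuer, token: str, now: float):
        self.issuer, self.token = issuer, token
        self.luk = issuer.issue(token, now)

    def sign(self, txn: bytes, now: float):
        if self.luk.exhausted(now):  # replenish before the key is reused
            self.luk = self.issuer.issue(self.token, now)
        self.luk.used += 1
        return self.luk.index, hmac.new(self.luk.key, txn, hashlib.sha256).hexdigest()
```

Because the master domain key never leaves the issuer side, a key extracted from the phone is only useful until its time-to-live or transaction threshold is reached.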