HCE and NFC: threat or opportunity?
Mobile NFC services continued to expand in 2013 but the big question is, will this be amplified or disrupted by the introduction of host-based card emulation (HCE) into mainstream operating systems?
The new version of Google’s Android, 4.4 KitKat, introduces an additional method of card emulation which allows any Android application to emulate an NFC smart card and talk directly to the NFC reader, without going through a secure element. With the secure element often perceived as a barrier due to complex relationships and costs, it would appear that HCE has the potential to increase global NFC adoption. But this change in process also disrupts existing business models and presents new questions around interoperability, security and performance reliability, writes Pierre Combelles.
First, let’s look at the benefits: HCE seems particularly appealing to those businesses that are looking to offer low-level security services. Deployment is simple and cost- and time-efficient, and actually helps foster the adoption and habitual use of NFC, as customers become further acquainted with the concept of tapping their phone to receive information or engage with service delivery.
Conversely, using HCE for payment becomes more complicated because of industry fragmentation and the current lack of recognised standards. HCE has been compared to, or seen as equivalent to, a secure element. This is not the case. It simply provides a channel for an application to communicate with an NFC reader. The issue of performing secure payments without a secure element remains, and SIM-based NFC remains a dominant mode of payment that can ensure that no malware can infect the payment message, thereby reducing vulnerability to hacking and fraud for consumers.
However, an Android application linked to emerging cloud-based payment solutions and the use of tokenisation (the process of replacing sensitive data, such as a credit card number, with a stand-in value known as a ‘token’) may be an alternative; but before they become widely available and trusted, they will have to be evaluated and approved by card schemes, with adequate approval rules deployed. Meanwhile, a hardware secure element, such as the SIM, remains the only certified, standards-based and secure solution to provide customers with mobile payment services.
Furthermore, there are additional issues that users may need to contend with when using HCE and tokenisation. For example, mobile devices require Wi-Fi or network connectivity to get tokens. In some cases, due to lack of credit or no roaming service available, the required connection may not be available, resulting in a customer being unable to pay. Additionally, single-use tokens might require a customer to enter a PIN for every transaction, whatever the amount.
Interoperability is a key issue as well. Unfortunately, HCE doesn’t necessarily solve the complexity between systems. Instead, it may bring more fragmentation across handsets as, for instance, applications will work differently depending on the type of payment application, and this could adversely impact the user experience.
The compatibility of HCE with SIM-based NFC services is addressed by KitKat, but in practice it requires careful implementation by OEMs, together with mobile operators who already operate live SIM-based NFC services and who have updated these services so that they continue to work on a KitKat device. With more than 40 live commercial SIM-based services in 30 countries around the world, changes to the implementation of the technology can affect millions of users already using these services. Collaboration between operating system development and service delivery would help to avoid this happening in the future – with the potential additional benefits of lowering fragmentation and upholding service delivery standards in line with current mobile operator customer service.
Without a doubt, HCE will help NFC to be more accessible and versatile for developers and will expedite services to market which, as a result, will drive consumer familiarity and encourage adoption. However, today SIM-based NFC is the only proven secure solution that is commercially deployed to any significant scale. Industrial deployments of HCE/tokenisation solutions are not expected for up to two years and will not be proven until they have been in the market for some time after that.
The maturity of the NFC market, combined with the scale of services, will enable easier resolution of service complexities and result in the faster take-up of services. For example, a simplified TSM specification and APIs for SIM-based NFC services will be available in 2014/15. It will mean service providers can deploy secure, stable and proven mobile payment services in market quickly and efficiently, and will also reduce costs of SIM-based mobile wallets.
HCE presents a suitable choice for businesses that are looking to offer only low-level secure services such as basic couponing or loyalty. As the major hurdle in adoption of NFC has traditionally been the ambiguity in the ownership of the secure element, the introduction of HCE-enabled NFC payments could well be the pivotal factor that could enable NFC to really deliver on its potential and finally justify the belief that the industry has had in it.