NFC forum has issued a statement yesterday and has given HCE a green flag but advised to use custom approach for security. "As the industry consortium dedicated to the global deployment and adoption of NFC services, the NFC Forum sees HCE as a promising addition to the portfolio of NFC solutions that could potentially accelerate market growth. HCE is supported by NFC Forum specifications, including the NFC Controller Interface (NCI) specification, which in combination with other standards, such as ISO 14443 and JIS X 6319-4, enables HCE implementations. Service providers need to evaluate and determine the best place to store credentials for their solutions, keeping in mind the trade-off between security risks and convenience."
NFC Forum seems to have shown more caution than Visa and Mastercard on security who say that banks or other issuers rolling out Visa payWave or MasterCard PayPass using HCE could expect as much security as if they used NFC sim cards or other secure elements as long as the banks followed the specifications the payment schemes have introduced or are drafting.
As a lot of you would know by now that the key goal of HCE is to bypass the need for an app to access a phone's secure element in order to make an NFC payment transaction. HCE accomplishes this by storing payment information in the cloud rather than on the secure element. So where did it all start? While some startups were working on it, the real momentum came when, with the release of Android 4.4, Google introduced a new platform support for secure NFC-based transactions through Host Card Emulation (HCE), for payments, loyalty programs, card access, transit passes, and other custom services.
Let’s have a look at how various industries, entities are taking positions on NFC:
SIMalliance anticipates that "this capability will bring new creative players into the NFC ecosystem, many of which may not hail from the traditional smart card world. These players will be capable of developing innovative applications that attract new users, creating new NFC use cases and enhancing the NFC service experience of current users."
Visa and MasterCard The two largest payment networks, are signalling firm support for host-card emulation as an option for banks to roll out NFC-mobile payments. Both Visa and MasterCard have announced they will be supporting various NFC payment apps with cloud-backed payment infrastructures, including "Host Card Emulation" (HCE).
On February 19, 2014, MasterCard in a press release announced that it will publish a specification that leverages Host Card Emulation (HCE) for secure near field communication (NFC) payment transactions. The approach will enable consumers to easily use their MasterCard-branded cards on their NFC-enabled phones to make contactless payments.
"The use of HCE provides a very attractive way forward to launch an increased number of NFC-based offerings,” said James Anderson, Group Head, Emerging Payments at MasterCard. He believes host-card emulation might help break the logjam now blocking rollouts of NFC. According to him, “The use of HCE provides a very attractive way forward to launch an increased number of NFC-based offerings”
Visa plans to quickly expand its "Visa Ready Program" to include any app that wants to interact with its payment network using HCE on a KitKat device. It said that it's offering the cloud based payments support as one option for banks that want to introduce Visa payWave applications on NFC phones.
Telecom Operators (HCE eliminates the dependency on carriers, bypassing the secure element for NFC transaction) - Vodafone commented on Visa and Mastercard's support for HCE. Ibo Sanz, in-country mobile commerce director, Vodafone Spain, insisted that for Vodafone it is "good news that there is somebody making this [HCE] homogeneous for everyone and easy to use and we look forward to introducing those services into our wallet"
Banks - Commenting on the HCE pilot in Spain “The most notable feature of this pilot is how easy it is for users to add their credit cards to their phone without having to manipulate any physical secure element or rely on 3rd party service providers,” says Albert Figueras, Director of Credit Cards and Consumer Finance at Banco Sabadell.
Simplytapp - "We believe HCE offers tremendous opportunity for organizations to build deeper more personal relationships with their customers through the mobile channel," says Doug Yeager CEO and Co-Founder of SimplyTapp. "We are bringing a solution to market with our partners that will break down any barriers for issuers." Utilizing host card emulation, SimplyTapp empowers user’s mobile banking application with tap and pay functionality all from within bank's private cloud.
Industry experts - Nick Holland, senior analyst of payments at Javelin Strategy & Research "Host card emulation may also provide some fraud mitigation. We will see a more holistic response to effectively dealing with card fraud and plugging the gap, when fraud migrates to card-not-present transactions"
Thom Janssen, Managing Consultant with UL Transaction Security says “HCE may accelerate the introduction of NFC services, because it provides an optional ‘more simple but less secure’ way to provide an NFC card emulation service. It has great added value for service providers that can accept a reduced level of security in exchange for an improvement of other factors such as time to market, development costs and the need to cooperate with other parties.”
Tom Noyes says “HCE Apps will replace the SE based card emulation apps. “Replace” is more from a business context than from a technical one. SE based applications (like a door key, or healthcare card) could still survive.. but why would anyone want to pay the MNOs RENT if you don’t need to.”