Security and Risk Management with HCE is the Biggest Issue

Many payment companies wanted to bypass the need for a secure element and enable any NFC device to make payments. The Host Card Emulation came into light back in October 2013 with the release of the Android 4.4 KitKat version for the Android community. Earlier this year, Visa had introduced new standards to support HCE enabling hosting of Visa accounts in the cloud. MasterCard had also published new specifications and had begun testing HCE with Spain’s Banco Sabadell and Capital One in U.S. during the first half of this year.

When an app uses HCE, communications with the contactless terminal are no longer routed to the SE (secure element). Instead, it is routed through the NFC controller to the device’s host CPU on which the app is running. This method has brought certain risks.

Communication between the NFC controller and the HCE-enabled app can be tracked by malware applications. Malware applications can attack the device’s operating system, which becomes easier if the device is rooted. ‘Denial of Service’ attacks can take place if routing is changed by malware applications. Even cloud storage and backup servers may be attacked to retrieve credentials.

HCE brings 3 key security risks that are not present in secure element based NFC services:

  1. An Android user can root the device. Post rooting, user gets access to all the information stored in the applications on device’s OS. Now that would include sensitive information like payment credentials as well. The payment service provider would want to prevent user from such high level access because malware can also access the data.
  1. Malware might be developed that could root the device. One such malware was discovered back in 2012 named RootSmart. While such a malware had targeted the older Android versions, such malwares are potential risks and not to be ignored. Android’s limited protection can be bypassed easily by rooting the device. Also it has been proven that it is difficult to fix an identified vulnerability in Android due to its long update process.
  1. In case the handset is lost or stolen, a malicious user can access the device’s memory by connecting it to another device. A malicious user could connect to all the information stored within the application and use that to make fraudulent payments.

Smart Card Alliance, a not-for-profit, multi-industry association recently released a white paper on Host Card Emulation in which they have recommended various measures to enhance the security:

White box cryptography

This cryptographic method turns information into a robust form where the critical info is combined with a code so that it can’t be easily derived or distinguished.

Tamper proofed software

It involves the addition of software security to software in order to make it harder for an attacker to change or modify the software statically or dynamically. Upon detecting an attack, it produces a response which makes a program malfunction or communicate the attack.

Biometric factors

Biometric authentication techniques can be added to HCE enabled applications. We already have companies like Huawei and Samsung having a fingerprint scanner right on the device itself. The privacy and security of biometric data is to be considered if implemented in an application.

Device identity solutions

Such solutions involve authenticating handsets to online services. An example of such an approach is the Fast Identity Online (FIDO) Alliance. FIDO protocols use public key cryptography techniques to provide online authentication.

Security frameworks/trusted execution environment

Trusted execution environment (TEE) is a secure area in the main processor or coprocessor of mobile device in which data can be stored and processed. TEE can support safe execution of authorized security software in a trusted environement.


End-to-end encryption (E2EE) or point-to-point encryption (P2PE) can be used to ensure that data is encrypted at the reader and protected during transmission. The Payment Card Industry Security Standards Council (PCI SSC) has already developed standards for P2PE.


It is the process of substituting a random value for a high value credential. It can be used to mask the identity of a card. EMVCo recently announced a tokenization specification for payments which includes cryptograms that can isolate HCE-based NFC use cases.

Additional security provided by an SE

A hybrid model is possible which involves the use of a secure element along with a cloud-based solution. The security of the SE can be enhanced via TEE and allow only trusted applications to access the TEE.

Currently, HCE is only supported on Android and Blackberry and still needs to mature and harmonized across different device vendors. It has far-reaching implications but such risks and security issues have to be addressed in order to make it a success in the market.