With the introduction earlier this year of Host Card Emulation (HCE) and last month’s reveal of the iPhone 6, Near Field Communication (NFC) technology is making a strong move to fulfill its promise to be the dominant “physical world” payments technology.
The reinvigoration of interest in NFC is raising the stakes for enabling technologies that make secure mobile payments possible. And as discussions move from “if” to “when,” implementation issues come to the forefront, with no issue bigger than security. That’s especially true between the proponents of on-device secure elements versus cloud-based cards HCE.
The arguments for superior security from both sides of the debate lead me to reflect on an old saying that goes “absolute security is only attainable when you’re protecting something absolutely worthless.” No matter the effort to protect something, any security can be defeated given enough time, money, and technical resources. In other words, there is no perfect security, just better or worse security. So which security is better — hardware-based secure element or cloud-based Host Card Emulation? From a security perspective, both of these competing technologies have persuasive arguments in their favor.
The Secure Element
Years of effort have gone into developing a trustworthy mobile payment solution that relies on highly secure, tamper-resistant secure elements (SE). A secure element can be thought of as a smart card in the phone isolated from tampering by a restricted access interface and strong encryption. The standard in Europe for over 20 years, EMV smart cards — so called “chip” cards — have virtually eliminated many types of fraud still common in the US. In fact the US is finally adopting EMV standards. Based on proven EMV smart card technology, secure elements are very tough nuts to crack. They are tested against a set of requirements defined by the payment networks and only those that can satisfy the evaluation criteria are allowed to store payment credentials. Extreme efforts and corresponding time and money are required before there is any hope of success with limited value to the successful attacker.
Additionally SE’s have the added benefit that the fraud opportunity is limited to each device. That is only a small amount of data is stored on them (single customer credentials and device specific cryptographic information). This restricts the opportunity of any hacker to the value of each device. In other words, to get lots of fraud value the hacker must compromise many individual devices.
HCE, Tokens and Device Fingerprinting
HCE assumes that any data stored on a handset is vulnerable and therefore restricts the storage of sensitive data to host or “cloud” databases. These databases must be managed to a high security standard. The security requirements are a very high level, exceeding common security (e.g. PCI DSS) and equivalent to card personalization bureaus. They have to be; the concentration of payment information and credentials is a very attractive target.
Preventing unauthorized access in HCE depends on four pillars: limited use keys, tokens, device fingerprinting, and transaction risk analysis. Limited use keys expire quickly preventing their misuse. Tokens reduce risk by replacing the PAN with limited use data that passes seamlessly through the payment system. Device profiles (fingerprints) validate the phone. Data analysis provides real-time transaction assessment to identify unusual activity. In short, HCE security relies on managed intelligence at the device and systems levels by leveraging the “always-on” and “big-data” ecosystems. The more data used to measure and analyze, the better the overall security.
Regardless of technology, an on-device a client must control secure storage, should collect locally available data, perform risk assessment (according to pre-defined rules), and trigger updates. The backend is constantly communicating with the client, testing the information and validating actions according to the risk tolerances of the card issuer. HCE benefits more since it is designed to utilize these backend systems more effectively, but SE is less reliant on “always on” networks.
Apple Pay: All the Above
Apple has recently demonstrated aspects of both secure element and cloud-based HCE technology can be combined into one solution. Apple Pay uses the secure element to store tokens and the payment client and adds biometrics with Touch ID for multifactor authentication. It allows Apple to use the power of local and backend data for risk management while removing all doubt about the security of a token or credential. By using the best of both worlds and adding a few new wrinkles, Apple has built a strong system. It is a fair estimation that Apple Pay will earn a “Pass” on the security test.
So what is better?
Actually, that is the wrong question. The real question is whether either technology reaches the level of security needed to protect payment data. The introduction of Apple Pay, a hybrid solution, shows that a secure element versus HCE debate is too focused on technology and not on an overall effective solution. In fact where the debaters lose site of the objective is in having a debate at all. This isn’t a competition, it is an examination graded only as “Pass/Fail.” Depending on how they are deployed either can Pass (or Fail).
Bottom line is that if you are fortunate enough to have an SE, then use it. But if you don’t have use of secure elements, then focus on HCE which is supported by the majority of smart phones. Banks and merchants can deliver secure mobile payments to consumers today using HCE with tokenization, device fingerprinting, risk modeling and robust on-device software. You may have the added advantage of delivering services through your own branded apps instead of a wallet, preserving your consumer connection.
What banks and merchants must adapt to is an environment where secure elements and cloud-based HCE will co-exist. The key is to understand the strengths and weaknesses of each and deploy solutions that can leverage both, because that is the only way 100% of consumers will be served.
Written by: Lance Johnson
Lance Johnson is the Chief Security Officer of Sequent. Lance is a 30 year veteran in banking and payment services, having spent spent over 20 years at Visa as the Senior Vice President responsible for payments risk and fraud control operations and later Senior Business Leader responsible for Payment System Risk Strategy and Policy.