With Apple Pay, Where Do HCE and Tokenization Stand?

This year has taken mobile payments to a whole new level, and NFC, tokenization and the cloud have become the talk of the town. But when it comes to enabling mobile payments, does Host Card Emulation (HCE) still have an important role to play? MPD CEO Karen Webster recently sat down with Bell ID CEO David Orme to find out, and talk HCE’s benefits, security risks and its place in the future next to the more tamper-proof hardware that secures Apple Pay.

KW: Let’s talk about the variety of interesting issues associated with payments today as they move to NFC and the cloud using tokenization. Before we get into the details, what’s Bell ID’s interest in Host Card Emulation (HCE)?

DO: Well we feel we’re one of the pioneers in HCE, and it’s something that we’ve worked for a few years on with BlackBerry, who had their own version of HCE called Software Card Emulation. We always thought it was a great way of overcoming some of the difficulties in the Trusted Service Manager (TSM) world, which the complexity of dealing with a mobile network operator and getting a bank to cooperate with that operator. We knew that TSM also involved around an 18-month integration. We saw HCE as a better way and a quicker way to offer mobile payments to our issuer client base.

KW: So are there vulnerabilities from your perspective? I know there are critics of HCE who have made a number of comments about what happens if cloud connectivity gets lost, and other things. What are your concerns?

DO: We’ve talked to our issuer community about security and connectivity. Their feedback to us is that they see HCE as less complex and less costly, but they’re also some security issues that they need to mitigate against. Let’s be clear – there isn’t anything more secure than the SIM or an embedded secure element as is the case in Apple Pay. That’s a tamper-proof hardware device, but that comes with a complexity and cost that I think many of our issuers can’t overcome.

HCE, even with some risks, is a more possible and faster way to market. We’ve been working with issuers for many months to overcome the challenges of HCE, and we think we’ve been successful. We’re leveraging parts of Android devices that allow us to securely store keys, and we secure the communications between our cloud server and the device. I think cloud could easily be a much misused term, because certainly when Bell ID talks about cloud, we want people to think of it as a secure server, either inside the issuer with all of the protection that issuers are good at deploying or inside a PCI compliant data center in a service provider certified by MasterCard or Visa.

Let’s not forget that all of the schemes have embraced HCE – there are various degrees of completion with their specifications, but all of them are very keen on HCE. I think that’s given our community the confidence along with the ease of deployment and the time to market. They’re balancing those thoughts against the security issues.

KW: It’s interesting – there’s no such thing as a perfect solution. While HCE offers speed and less cost, there have been concerns expressed about security vulnerabilities especially since the Android ecosystem tends to be the target of a lot of malware. But you’re saying that issuers don’t feel as though that’s a significant risk – are doing on your end to help management? 

DO: Yes, and we’ve carefully assessed the security issues and we can mitigate them. It’s not a perfect solution, but we’re fully compliant with the scheme mandates. The single-use keys, for instance, that are mandated by MasterCard. Even if a token is compromised, it’s only got a single use, and it’s very limited value at the present time. We’re also looking at things like white box cryptography, and many other things that will mitigate those risks. I believe that issuers are balancing those out with benefits – while they know there are some risks associated with HCE, but the cost of doing other things, they still go ahead with it.

We’re seeing hot spots of HCE activity in Australia, New Zealand, Spain, Scandinavia, and other areas across the world. Many see HCE as an attractive proposition as an entry into mobile payments.

KW: You talked about Apple Pay – that’s of course an enormous topic of conversation with respect to mobile payments. Apple Pay is also one of the first real commercial uses for the tokenization scheme that the networks have invested in. You also used the word “token.” Help us understand how tokens in an HCE environment are different, or maybe the same, as tokens in the Apple Pay environment.

DO: Sure. Tokenization, or token service providers (TSP) and token vaults, are the hot subject. Apple Pay has been a massive endorsement of NFC technology, the thing we’ve all been waiting for. Again, for many of our issuer customers, that’s been a big tick in the box. We’re not dismissing other technologies – BLE or QR code, but Apple Pay has given a big boost to NFC. In terms of the way in which issuers are approaching tokenization, obviously everyone’s concerned about keeping the real card information secure. That’s contained inside a PCI compliant vault, firewalled, with many of the authentication processes that our issuers use.

There’s multiple layers of protection to keep that data very secure – I think that’s what driving tokenization to be the way to go, not exposing the real card data and using limited or single use keys mandated by the schemes. You can provide tokens for multiple channels, and you’re keeping the real card data secure – that’s why I think there’s been a proliferation in interest in deployment in tokenization.

KW: Are you saying that in the HCE environment, in the Android operating system, that the scheme works almost identically in that there’s the equivalent of a device account number that’s a token, and a one-time use account number triggered when a transaction is being made?

DO: Yes, it’s the same identical process. The tokenization and de-tokenization and the fact that issuers can leverage the existing host infrastructure is definitely the way to go and I don’t see any changes or differences between what the schemes are mandating and the way Apple Pay is going.

KW: And the TSPs in the Android/HCE world – are they the networks? Are they the issuers? I know it’s a combination of both in the Apple operating system.

DO: We tend to deal with individual issuers who may issue MasterCard and Visa and AmEx, or just one. We ensure that the solution is compliant to each of their specifications for HCE and we make sure that the tokens are either available from us or from a third party. I think you’ll see that the schemes are pushing very hard, and I’m sure all of them will be offering this as a service. Alongside them, we’ll be offering tokenization, de-tokenization, and something to ensure that the banks’ to process those and clear them will be done with minimum change to the existing infrastructure.

KW: It’s interesting how this phenomenon has really created lots of possibilities around the use of tokens and tokenization. It really does make this whole notion of the Internet of things, having the ability to embed payment in just about any connected device, a lot easier and more secure. Let me ask you about consumers – do they care about this stuff? Or are issuers just doing this that they want to make sure consumers are protected before they ask about it?

DO: I think that for most consumers, their banks are very trusted. It’s an entity that they regard highly. I would love to have payment enabled in my phone – I know it’s coming, and I know many people I know would also love that as well. They’re waiting for their banks to provide it. But I think you have to go beyond payment for the consumer with things like transit, for example – the London underground in the UK also accepts contactless payments. We’re building an NFC system for hotel room keys for one of our partners.

Certainly loyalty is another aspect that consumers want on their device – the convenience of having it in the phone. It’s just been such a long time coming. For the issuers, the business case is challenging, especially when you’ve still got the costs of the plastic card. As an issuer, it’s about customer loyalty and retention, and defense mechanisms against others. But I do feel at the same time that there’s a pent up demand for consumers. It’s quite a tough situation for issuers to balance the two – the cost and risk mitigation of HCE versus the customer base. But it’s really about going beyond payment.

KW: What do you see in terms of what issuers are looking at when going beyond payment? Is it going beyond payment with other types of services, or with security features? 

DO: Many of our issuers have a relationship with a customer through their mobile banking. There’s authentication that goes on to verify that it’s the right customer and right device. Many of our issuers are leveraging that to authenticate the consumer. What’s interesting many of our issuers beyond payment is loyalty, and definitely transit, which is a big deal because it drives daily use. The other thing is that it has to be easy to do for the consumer, which is one of the appeals of Apple Pay. It’s a relatively straightforward process to adopt mobile payments and other apps beyond that, and that has to be echoed in the Android world.

Gift cards is another big area – the ability to purchase them and donate them to a family member. Delivering hotel room keys to mobile devices, as I mentioned, is also popular.

KW: I do agree that the real focus on everyone’s part will be the habituation to getting consumers to use their mobile phones for things for which they used to use cash or cards. It seems like 2014 is the year that things got very serious very quickly in mobile payments. Do you agree?

DO: I couldn’t agree more. As I said, we’re seeing hot spots all over the world in areas where TSMS exist but issuers are put off by the cost and complexity and time it takes. They’re prepared to mitigate the risks there are in HCE – they still want to go ahead and use it, there’s still demand for consumers. There’s a tough business case for it but we’re seeing HCE blossom in areas around the world.

I know MasterCard mandated contactless POS now for Europe, and I’d love to see more investment in the infrastructure. That’s another factor that everyone has to bare in mind. I get the contactless payment in my mobile, but where can I actually use it? In places like Canada, for instance, a lot of the supermarkets and gas stations are equipped, but there are some real differences across the globe. I’d love to see Visa and MasterCard do more to promote contactless.

I can imagine, for merchants, this must be tough. They’ve upgraded from magstripe to EMV, and now they’re going contactless and maybe to QR codes. There are some big investment decisions for them to make.

But I think HCE is the answer. It’s a quicker way to market – yes there are some things to consider like security, and yes it has to work for other applications as well. And I really endorse your feelings – this is the year to make things happen.

David Orme
CEO at Bell ID

David has a strong track record in leading companies that undertake high value, large, complex and critical project implementations demanding close cooperation and partnering in niche markets.

He is an experienced all-rounder supporting the Company’s key sales and marketing management personnel and their business development activity. He has a wealth of experience in concluding commercial contracts and believes that his team can drive real benefit for the end user, the partner or the reseller from Bell ID’s solutions.

David mentors an outstanding team of the world’s best experts in smart card, application and cryptographic key management software. As the market leading provider, Bell ID is continually investing to expand its product portfolio and improve the return on investment for customers.

David graduated from Leeds University with a business degree in 1985; before starting his career with Thorn EMI and its electronic security subsidiary. In 1992, David joined Bell Security Limited and together with the founders successfully took the company through IPO with a full listing on the UK Stock Exchange in 1999, the listed entity being Bell Group plc.

He later joined the board as Chief Operating Officer until leaving to take up the same role at Quadnetics Group plc, another major UK electronic security company. David joined Bell ID in November 2007.

Listen to the full podcast here.