The rise of HCE-based mobile payments
Last May, Russia-based Sberbank became one of the first major financial institutions to announce a commercial mobile wallet rollout that used Host Card Emulation (HCE) to make NFC mobile payments without relying on the smartphone's secure element. Sequent Software Inc., a U.S.-based firm that specializes in providing a mobile wallet platform-as-a-service, provided the software Sberbank needed to put the bank's plan in motion.
Since HCE is still a relatively new technology, many financial institutions have struggled to integrate it into their mobile banking apps for various reasons. But with Visa and MasterCard now supporting HCE, more banks have rolled out support both in the U.S. and overseas.
Mobile Payments Today recently conducted a Q&A with Sequent’s Kaushik Roy, the senior vice president of product for the company. I asked Roy and the company about how they view HCE’s progression over the past 12 months and how things will play out in the future.
MPT: When HCE first debuted, there were a lot of discussions in the industry about its security. Many people argued that NFC mobile payments tied to the secure element in a smartphone was the best way to go. In the past year or so, we’ve seen Visa and MasterCard give their blessing to HCE. Where do we stand on the perceived security of HCE-based NFC mobile payments?
KR: That’s a very important question. There is a misperception that tokenization is all you need to make HCE mobile payments secure. In current commercial deployments of tokenization, tokens work more like alternate Personal Account Numbers (PANs). They are kept on a device for extended periods of time (instead of being strictly time-limited tokens), making them almost as valuable as a real credit card number for a crook.
But HCE, by not relying on a hardware-based secure element, requires much stronger on-device software and additional network-based security measures. Banks need to use code-hardening techniques and white box crypto to build robust on-device software in lieu of a secure element to store the tokens. In addition, network-based security measures are needed to prevent man-in-the-middle attacks, eavesdropping or device cloning.
But in the end HCE mobile payments can be made extremely secure, comparable to chip-based security. Beyond all the measures to secure the transactions, HCE also allows you to evaluate transaction risk in real time relying on multiple additional data points such as location, device ID and other telemetry data.
MPT: In May 2014, Mobile Payments Today spoke to Sequent about Sberbank. Since then, we haven’t seen a lot of banks coming to the market with HCE-based mobile wallets. Some industry observers believe that is poised to change this year. Do you agree, and if so, what is driving this change?
KR: Yes, you are right, that will change dramatically this year. What happened last year was a reality check for banks, networks and vendors alike. Making cloud-based HCE mobile payments happen securely on a commercial level proved to be a lot more challenging than many initially anticipated. Legacy payment infrastructure built to provision and process EMV credit card data on chip cards needed to be adapted to the security and other requirements of cloud-based transactions from mobile devices.
Tokens, for example, can wreak havoc in issuers’ card-linked programs if not properly handled. On-device security must be hardened, and dynamic issuance, TSPs and application management systems need to be integrated with a bank’s issuance and processing systems. All of this is not trivial.
But the advent of Apple Pay completely changed the picture. Banks in multiple countries feel like they need to move forward fast with HCE implementations in order to power their banking apps for payments. There is a lot of concern that they will be permanently disintermediated by major tech companies in mobile payments and lose their direct connection to their customers. After spending years and millions of dollars investing in their mobile banking apps, the last thing they want to do is to lose the investment because they don’t have the desired payment functionality.
MPT: When it comes to the Android environment, multiple options are emerging for consumers to make mobile payments, especially when you examine specific handsets. Galaxy S6 users will have the ability to use Samsung Pay, Google Wallet, PayPal, and other merchant-branded apps. Banks now are getting into the mix. It seems consumers, at least in the U.S., will be overwhelmed with choices. Is this a problem for higher consumer adoption in the future?
KR: As you know, for the last two years Sequent has been actively promoting the idea that any app should be a wallet. A consumer should have the choice to, let’s say, use their Bank of America app for payment anywhere or to use their Home Depot app to pay at Home Depot and receive personalized discounts and offers. The open nature of the Android ecosystem ensures that multiple payment options and technologies will exist, and we think this is a good thing.
MPT: How do you see this playing out outside the U.S.?
KR: We are starting to see a huge expansion outside the U.S. One interesting thing about the payments industry is how regionalized it is. You may have a few big global networks, but at the end of the day banks have huge power in their specific regions and local regulation plays a huge part in how players work in each country.
For this reason, I expect different mobile payment solutions to have more or less traction in different markets. For example, Apple has a commanding 45 percent market share of phones shipped in the U.S., which allows them to have huge market power when launching Apple Pay. But globally that share goes down to 12 percent and Android’s share of close to 85 percent opens the field to many other players.
HCE has been gaining traction in Europe, especially where Android share is higher, and banks have considerable power in each country. But you can’t forget Samsung, other OEMs and even the MNOs. This will be a very active market in the next several years with regional battles raging between local players.
MPT: How does Sequent fit into all this?
KR: Sequent is extremely well positioned to support and enable this revolution. Sequent provides a secure mobile wallet platform with APIs that make it simple for banks and merchants to turn their mobile apps into wallets for payments at any physical merchant. We do this by handling all the complexity and security of mobile payments behind these simple APIs.
App developers have to understand what Java Card security or Limited Use Keys (LUK) are. We handle the tokenization of cards, on-device and network security for issuers and provision their credit cards to mobile phones for use by their banking apps or merchant apps of their choice. That puts banks and merchants in charge of their own mobile payments destiny. And we have gathered our knowledge from multiple wallet implementations.
Most recently, we have enabled the largest mobile wallet deployment in the Americas outside of the U.S., the SureTap wallet in Canada.
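The contrast Roy draws between a long-lived token sitting on the handset and a Limited Use Key (LUK) backed by network-side checks can be made concrete in code. The following is an added illustration written for this article, a constructed model rather than Sequent's platform or any payment network's specification: the issuer keeps the token server-side and hands the phone only a LUK that is bound to one enrolled device, expires quickly and is good for a few taps, so replay, cloning onto another handset, exhaustion and expiry are all caught when the cryptogram comes in for authorization. HMAC-SHA256 stands in for the EMV cryptogram, and all identifiers and amounts are constructed.

```python
import hashlib
import hmac
import os

def cryptogram(luk: bytes, atc: int, amount: int, merchant: str, device_id: str) -> str:
    """Per-tap cryptogram the phone computes with its LUK (HMAC stands in for the EMV MAC)."""
    msg = f"{atc}|{amount}|{merchant}|{device_id}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()

class TokenServer:  # issuer-side token service (constructed model, not Sequent's product)
    def __init__(self, max_uses: int = 3, ttl: int = 600):
        self.max_uses, self.ttl = max_uses, ttl
        self.records = {}       # token -> {luk, uses_left, expires_at, device_id}
        self.seen_atc = set()   # (token, atc) pairs already accepted, for replay detection

    def issue_luk(self, token: str, device_id: str, now: int) -> bytes:
        """Replenishment: a fresh LUK bound to one enrolled device and a short lifetime."""
        luk = os.urandom(32)
        self.records[token] = {"luk": luk, "uses_left": self.max_uses,
                               "expires_at": now + self.ttl, "device_id": device_id}
        return luk

    def authorize(self, token, atc, amount, merchant, device_id, crypt, now) -> str:
        # network-side checks that replace what a hardware secure element enforced on the card
        rec = self.records.get(token)
        if rec is None: return "declined: unknown token"
        if now > rec["expires_at"]: return "declined: LUK expired"
        if rec["uses_left"] <= 0: return "declined: LUK exhausted"
        if device_id != rec["device_id"]: return "declined: device mismatch"  # credential on another handset
        if (token, atc) in self.seen_atc: return "declined: replay"
        expected = cryptogram(rec["luk"], atc, amount, merchant, device_id)
        if not hmac.compare_digest(expected, crypt): return "declined: bad cryptogram"
        rec["uses_left"] -= 1
        self.seen_atc.add((token, atc))
        return "approved"

def demo() -> list:
    """One LUK through its life: two good taps, a replay, a cloned device, a third tap, then spent and expired."""
    srv = TokenServer(max_uses=3, ttl=600)
    luk = srv.issue_luk("tok_4111", "dev_A", now=1000)          # constructed identifiers
    def tap(atc, amount, merchant, dev, now):                    # the server cannot tell a genuine phone from a clone; the checks must
        c = cryptogram(luk, atc, amount, merchant, dev)
        return srv.authorize("tok_4111", atc, amount, merchant, dev, c, now)
    return [tap(1, 1250, "store-7", "dev_A", 1001),
            tap(2, 1250, "store-7", "dev_A", 1002),
            tap(2, 1250, "store-7", "dev_A", 1003),   # same ATC presented again
            tap(3, 999, "store-9", "dev_B", 1004),    # same LUK presented from a different handset
            tap(3, 500, "store-7", "dev_A", 1005),
            tap(4, 500, "store-7", "dev_A", 1006),    # fourth use: LUK spent
            tap(5, 500, "store-7", "dev_A", 1700)]    # past the TTL
```

The uses-left counter and TTL are what make a lifted LUK worth far less than a cloned PAN; the device binding and ATC bookkeeping are the network-side measures the interview refers to.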
MPT: How will the industry shake out in the future?
KR: That is the billion-dollar question. The only thing I can tell you is that there won’t be one winner. We will have consolidation for sure, but I think at the end we will still have multiple options to perform mobile payments in different countries. Some will be local, some will be global. Some will be proprietary and some will be open. In the end, payment is a service and will be another service in the mobile apps that consumers love and trust.