10 July 2017

How Does HCE Address the EMV Goals?


Not a day goes by without new mobile payment apps popping up or the Original Equipment Manufacturers, also called OEMs, launching their own mobile wallets (Apple Pay, Samsung Pay, Android Pay) in additional countries. Especially Switzerland plays an interesting role by focusing on the payment solution TWINT to solve the local mobile payment needs. However, regardless of the payment app and underlying technology, all solutions need to balance usability and security in order to justify a valid business case.

This article introduces Host Card Emulation (HCE) as the standard technology stack for your Android-based payment app and addresses how it meets the main EMV (Europay International, MasterCard and VISA) goals to ensure secure payments at the Point of Sale (POS).

Understanding the role of Host Card Emulation

HCE is the term used to describe the entire ecosystem of mobile payment solutions on Android-based devices, which do not have access to a Secure Element (SE) or a Trusted Execution Environment (TEE). Usually, SE and TEE rely on proprietary hardware security to store and access sensitive keys such as the Card Master Key (CMK), whereas HCE solves this by using mobile device software in combination with a remote server.

Various stakeholders in the HCE ecosystem play an important part in providing a seamless and secure payment experience to the cardholder. They range from a secure payment app that builds the user interface to initiate a mobile payment, to a trusted Wallet Service Provider (WSP), and finally a Tokenization Service Provider (TSP) that replaces the PAN with a payment token (DPAN).

Whenever we think of Host Card Emulation, we tend to focus on transaction flows rather than on what “card emulation” actually stands for. The secure payment app is the equivalent of the card program that runs on the plastic card’s contact chip. As a result, the payment app ensures that a valid EMV transaction is sent to the Near Field Communication (NFC) reader at the Point of Sale.

As EMV transactions evolved towards being recognized as the more secure solution compared to magnetic stripe based payments, all HCE participants, such as software and hardware vendors, card issuers and card schemes, have aimed for the same security levels and market acceptance.

Does HCE live up to the EMV standards?

The main goals of EMV are to reduce fraud by the following measures:

  • Validating authentication of payment card (chip),
  • requesting cardholder verification,
  • validating transaction integrity, and
  • using risk management parameters.

Validating authentication of payment card (chip)

This means it should not be possible to copy a payment card or compromise the application programs on the chip. How can HCE solve this issue?

  1. After installing on the mobile device, each payment app has its unique instance ID.
  2. Registering the payment app on the device includes the storage of a device fingerprint at the HCE wallet server.
  3. The provisioning of a payment token to the software/hardware key store of a mobile device results in a unique combination of payment app instance ID, device fingerprint, and DPAN.
  4. Before replenishing limited-use Session Keys (SKs), the HCE wallet server validates the combination of the provisioned payment token, payment app instance ID, and device fingerprint.

In essence, the previously described steps make it difficult for a fraudster to request valid SKs from the HCE wallet server for a payment app that resides on a different device.
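The binding check from steps 3 and 4, sketched as an added example (not code from the article or from any HCE product). The `WalletServer` class, the pool cap of 5, the sample identifiers and the random strings standing in for session keys are all assumptions made for illustration.

```python
import hmac
import secrets

MAX_SK_POOL = 5  # assumed cap; the article only says "a small pool"


class WalletServer:
    """Hypothetical HCE wallet server that binds tokens and replenishes SKs."""

    def __init__(self):
        self._bindings = {}  # dpan -> (instance_id, device_fingerprint)

    def provision(self, dpan, instance_id, fingerprint):
        # Step 3: the token is bound to one app instance on one device.
        self._bindings[dpan] = (instance_id, fingerprint)

    def replenish(self, dpan, instance_id, fingerprint, keys_left):
        """Step 4: check the whole combination before issuing any key."""
        bound = self._bindings.get(dpan)
        if bound is None:
            return "denied: unknown token", []
        # Constant-time comparison; evaluate both so timing does not
        # reveal which of the two values was wrong.
        app_ok = hmac.compare_digest(bound[0].encode(), instance_id.encode())
        dev_ok = hmac.compare_digest(bound[1].encode(), fingerprint.encode())
        if not (app_ok and dev_ok):
            return "denied: binding mismatch", []
        # Top up to the cap only, so the device never holds a large pool.
        need = max(0, MAX_SK_POOL - keys_left)
        # Random hex strings stand in for real session keys here.
        return "ok", [secrets.token_hex(16) for _ in range(need)]


def demo():
    server = WalletServer()
    server.provision("DPAN-0001", "app-instance-A", "fp-phone-1")  # constructed
    genuine = server.replenish("DPAN-0001", "app-instance-A", "fp-phone-1", 2)
    cloned = server.replenish("DPAN-0001", "app-instance-A", "fp-phone-2", 0)
    return genuine, cloned


if __name__ == "__main__":
    print(demo())
```

A request that presents the right DPAN and instance ID from a different device fingerprint receives no keys, which is the property the paragraph above describes.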

Requesting cardholder verification

You should be able to confirm that you are the cardholder by a method that is either dependent on the POS, transaction amount or other attributes. EMV allows several Cardholder Verification Methods (CVMs): Cardholder’s signature comparison by the merchant, validation of the PIN by either the issuer or the POS terminal, or “no CVM” at all in case of low value/risk transactions. Now, what does cardholder verification look like for HCE?

  1. Card-Like User Experience (CLUE) – the payment app follows the same user experience as a regular contactless payment: tap and pay. Depending on the country, card schemes and POS terminals, Low Value Transactions (LVTs) sometimes do not require cardholder verification. For a High Value Transaction (HVT), the cardholder still has to enter his PIN at the POS.
  2. Consumer Device Cardholder Verification Method (CD-CVM) – users can authenticate themselves at the device via a fingerprint scan, password or swipe pattern.
  3. Flexible User Experience (FLUE) – this is a combination of CLUE and CD-CVM, but not solely one or the other.

The categories listed above give issuers and banks a flexible set to build a payment experience that is in alignment with their standards and risk tolerance.

Validating transaction integrity

It is important to make sure that the transaction is not altered on the way between POS, card network, and card issuer. Apart from using various sets of encryption keys and transaction identifiers, HCE exchanges a payment cryptogram based on DPAN-derived SKs to validate transaction integrity on the issuer side.

Using risk management parameters

Each stakeholder within the EMV ecosystem should be able to apply risk measures. Which safeguards does HCE put into place?

  1. Fraud systems are able to inspect the frequency of SK replenishment. In case of malicious behaviour, the HCE wallet server can suspend the DPAN and stop the renewing of SKs.
  2. The payment app can only hold a small pool of SKs which minimizes the number of offline payments (the device has no internet connection) the fraudster could potentially make.
  3. Only allowing the provisioning of payment tokens on mobile devices that provide certain security standards, e.g. version of fingerprint readers, operating versions, etc., will reduce risk as well.
  4. Velocity tracking of LVTs without HVT in between.

This list is not complete, but it gives an idea of options issuers and banks can use to lower the risk of their HCE wallet service.
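Safeguards 1 and 4 from the list above, sketched as an added example (not code from the article or from any fraud system). The `DpanRisk` class, the thresholds, and the choice to demand cardholder verification once the LVT streak exceeds its limit are assumptions; the article names the signals but not the values or the responses.

```python
from collections import deque

REPLENISH_LIMIT = 3    # assumed: replenishments allowed per window
WINDOW_SECONDS = 3600  # assumed window length
LVT_LIMIT = 5          # assumed: LVTs allowed in a row without an HVT


class DpanRisk:
    """Hypothetical per-DPAN risk state kept by the wallet server."""

    def __init__(self):
        self.replenish_times = deque()
        self.lvt_streak = 0
        self.suspended = False

    def on_replenish(self, now):
        """Safeguard 1: too many SK replenishments suspends the DPAN."""
        if self.suspended:
            return False
        # Forget requests that have fallen out of the sliding window.
        while self.replenish_times and now - self.replenish_times[0] >= WINDOW_SECONDS:
            self.replenish_times.popleft()
        self.replenish_times.append(now)
        if len(self.replenish_times) > REPLENISH_LIMIT:
            self.suspended = True  # no further SKs are issued
            return False
        return True

    def on_transaction(self, high_value):
        """Safeguard 4: count LVTs since the last HVT."""
        if self.suspended:
            return "decline"
        if high_value:
            self.lvt_streak = 0  # an HVT involves cardholder verification
            return "approve_with_cvm"
        self.lvt_streak += 1
        if self.lvt_streak > LVT_LIMIT:
            return "require_cvm"  # assumed response to a long LVT streak
        return "approve_no_cvm"


def replay(events):
    """Run constructed (kind, value) events through a fresh DpanRisk."""
    risk, out = DpanRisk(), []
    for kind, value in events:
        handler = risk.on_replenish if kind == "replenish" else risk.on_transaction
        out.append(handler(value))
    return out
```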

Conclusion

HCE product companies constantly work on security concerns to maintain reliable payment solutions. It is a fast-growing market, which competes with the established OEM pays. However, competition is good, in particular when it comes to security. It keeps the pressure high to not lose the cardholder’s trust.


Martin Fabini

Martin Fabini has been working in IT for more than 20 years. At ti&m, he introduces customers to new business cases with new technologies.
