Many consumers continue to be wary about adopting mobile payments. And who can blame them? It seems that every week, we hear about the latest security breach that sends us running to reset our passwords or order replacement credit cards. Trust in the technology determines whether mobile payments will rise or fall. Using the cryptographically secure EMV card as an example, how can mobile payment technology replicate this type of security virtually?
When considering the security of customer payment credentials, host card emulation (HCE) has made the industry stand up and take notice. Before the arrival of HCE, the two options were as follows – to store credentials in a specialist security chip (Secure Element (SE)) in the phone, or to use Card On File credentials in the cloud. The first model effectively turns the phone into a mobile wallet, with the SE performing the same function as the chip on an EMV card. The “cloud” option we spoke about several years ago, however, was simply a case of storing basic payment information, such as Card Number and Expiry Date or Sort Code and Account Number, on the Internet.
With the use of HCE, a complete software-based replica of the payment card no longer needs to be stored on a physical chip, rendering the SE obsolete. This eliminates the battle for ownership of the previously all-important Secure Element, lowering barriers to market entry for new players.
There are issues with transferring stored card data from a chip to the cloud. A phone must connect to the Internet, wait for encryption to take place and get a response back. Even in a best-case scenario, this will be difficult to complete in the time that card schemes require. Of course, with no signal, it would be impossible. The solution being proposed to combat this uses a concept called “tokenization.” Instead of having to connect to the Internet every time you spend, limited-use virtual cards would be stored on your phone.
However, this solution creates another huge security issue in the form of a new opportunity for identity thieves. The potential exists for criminals to clone the phone and request the card information or even write malware to reside on the phone that will send the virtual card to the thief in the blink of an eye.
Time to Update Current Authentication Methods
Whether payment security is physical or “virtual,” the key to its success lies in the authentication mechanism. We must be able to bind the identity of the user to the authorization of the transaction. While banks are quite familiar with data protection requirements, challengers with less data-handling experience will need to be mindful of authentication and risk assessment.
Smartphones already contain features that can be employed to assist with mobile security. Features such as GPS data, 3G location, proximity to WiFi locations and the number and type of applications on the device build a unique fingerprint for each phone. Although not bullet proof, they can constitute a valuable asset to determine the likelihood of a fraudulent transaction. This also brings the potential to streamline the consumer experience in-store, lowering authentication barriers if it’s very likely that it’s the approved user, and introducing barriers to disrupt the payment journey if in doubt.
It must be noted, though, that security challenges still exist when creating a risk-based authentication solution of this kind. Analysis depends on high volumes of personal data, which must be secured against the hackers who would love to get their hands on it. All this personal data needs to be stored, the sensitivity and volume of which take it beyond a password database issue to a big data issue. Encryption is essential to render it unusable to thieves in the event that the security is breached.
The advent of HCE has turned the mobile payment industry on its head and will continue to influence its growth. Our increasingly complex and connected world requires us to use all means possible to create simple and easy-to-use mobile payments. This will engender trust in the technology, which will then reduce consumer resistance and spur the growth of adoption.
Simon Keates is a mobile payment security expert with Thales e-Security