Blog: Secure Elements vs. Cloud-Based HCE: What’s More Secure for NFC Mobile Payments?

With the introduction of host card emulation (HCE) in 2014 and last fall’s reveal of the iPhone 6, near field communication (NFC) technology is making a strong move to fulfill its promise to be the dominant “physical world” payments technology.

The reinvigoration of interest in NFC is raising the stakes for enabling technologies that make secure mobile payments possible. And as discussions move from “if” to “when,” implementation issues come to the forefront, with no issue bigger than security. That’s especially true between the proponents of on-device secure elements versus cloud-based cards HCE.

The arguments for superior security from both sides of the debate lead me to reflect on an old saying that goes “absolute security is only attainable when you’re protecting something absolutely worthless.” No matter the effort to protect something, any security can be defeated given enough time, money and technical resources. In other words, there is no perfect security, just better or worse security. So which security is better—hardware-based secure element or cloud-based HCE? From a security perspective, both of these competing technologies have persuasive arguments in their favor.

The Secure Element

Years of effort have gone into developing a trustworthy mobile payment solution that relies on highly secure, tamper-resistant secure elements (SE). A secure element can be thought of as a smartcard in the phone isolated from tampering by a restricted access interface and strong encryption. The standard in Europe for more than 20 years, EMV smartcards—so called “chip” cards—have virtually eliminated many types of fraud still common in the U.S., which is finally adopting EMV standards. Based on proven EMV smartcard technology, secure elements are very tough nuts to crack. They’re tested against a set of requirements defined by the payment networks and only those that can satisfy the evaluation criteria are allowed to store payments credentials. Extreme efforts and corresponding time and money are required before there’s any hope of success with limited value to the successful attacker.

Additionally SEs have the added benefit that the fraud opportunity is limited to each device. That is only a small amount of data is stored on them (single customer credentials and device specific cryptographic information). This restricts the opportunity of any hacker to the value of each device. In other words, to get lots of fraud value the hacker must compromise many individual devices.

HCE, Tokens and Device Fingerprinting

HCE assumes that any data stored on a handset is vulnerable and therefore restricts the storage of sensitive data to host or “cloud” databases. These databases must be managed to a high security standard. The security requirements are a very high level, exceeding common security (e.g., PCI DSS) and equivalent to card personalization bureaus. They have to be; the concentration of payment information and credentials is a very attractive target.

Preventing unauthorized access in HCE depends on four pillars: limited use keys, tokens, device fingerprinting and transaction risk analysis. Limited use keys expire quickly, preventing their misuse. Tokens reduce risk by replacing the PAN with limited use data that passes seamlessly through the payment system. Device profiles (fingerprints) validate the phone. Data analysis provides real-time transaction assessment to identify unusual activity. In short, HCE security relies on managed intelligence at the device and systems levels by leveraging the “always-on” and “big-data” ecosystems. The more data used to measure and analyze, the better the overall security.

Regardless of technology, an on-device a client must control secure storage, should collect locally available data, perform risk assessment (according to pre-defined rules) and trigger updates. The backend is constantly communicating with the client, testing the information and validating actions according to the risk tolerances of the card issuer. HCE benefits more since it’s designed to utilize these backend systems more effectively, but SE is less reliant on “always on” networks.

Apple Pay: All the Above

Apple has demonstrated that aspects of both secure element and cloud-based technology can be combined into one solution. Apple Pay uses the secure element to store tokens and the payment client and adds biometrics with Touch ID for multifactor authentication. It enables Apple to use the power of local and backend data for risk management, while removing all doubt about the security of a token or credential. By using the best of both worlds and adding a few new wrinkles, Apple has built a strong system. It is a fair estimation that Apple Pay will earn a “Pass” on the security test.

So, Which Is Better?

Actually, that’s the wrong question. The real question is whether either technology reaches the level of security needed to protect payment data. The introduction of Apple Pay, a hybrid solution, shows that a secure element versus HCE debate is too focused on technology and not on an overall effective solution. In fact, where the debaters lose sight of the objective is in having a debate at all. This isn’t a competition, it’s an examination graded only as “pass/fail.” Depending on how they’re deployed either can pass (or fail).

Bottom line is that if you’re fortunate enough to have an SE, then use it. But if you don’t have use of secure elements, then focus on HCE, which is expected to be supported by the great majority of smartphones. Banks and merchants can deliver secure mobile payments to consumers today using HCE with tokenization, device fingerprinting, risk modeling and robust on-device software. You may have the added advantage of delivering services through your own branded apps instead of a wallet, preserving your consumer connection.

What banks and merchants must adapt to is an environment where secure elements and cloud-based HCE will co-exist. The key is to understand the strengths and weaknesses of each and deploy solutions that can leverage both, because that’s the only way 100 percent of consumers will be served.

Lance Johnson is the chief security officer of Sequent. A 30-year veteran in banking and payment services, Lance spent more than 20 years at Visa as the senior vice president responsible for payments risk and fraud control operations and later as senior business leader for payment system risk strategy and policy. Lance was instrumental in the creation of the PCI Security Standards Council and sat on its Board of Directors from its founding until the end of 2010. He may be reached at [email protected].

In Blogs & Viewpoints, prepaid and emerging payments professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed are not necessarily those of Paybefore.