Digital Transactions Authoritative, insightful and timely information for payments professionals
Near-field communication for payments has floundered for years. Now, host card emulation promises to revive it by cutting out the mobile carrier.
By John Stewart
If zoologists studied payments critters, they would be astounded at the gestation period of near-field communication. Here is a powerful technology that has languished in the payments womb for nine years, and it’s still giving its mother birthing pains.
Now, though, a dose of technical oxytocin may be on the way, and the side effects could be wide-ranging for banks, merchants, mobile wallets, and the business of processing digital transactions based on non-physical cards.
You may have heard of it by now. It’s called host card emulation, and though it’s a new term for most of the digital-payments industry, its electric effect is such that it has already acquired its own shorthand acronym, HCE, and its own outsize momentum.
“HCE makes mobile payments more of a reality,” says Lora Vigil, a former Nordstrom Inc. executive who now advises merchants on point-of-sale technology as a partner with her own firm, Greenwood Village, Colo.-based Mantrana Partners. “We’ve been speaking with a few potential clients. We expect [HCE] to shift from ‘what is it’ to ‘how do we implement it?’”
Financial institutions appear to be excited about HCE as well. “What we’re seeing is quite a lot of enthusiasm for enabling transactions from a mobile device,” says James Anderson, group head for mobile payments at MasterCard Inc. “Now [banks] see a way forward.”
The major NFC wallet providers are already lining up to use HCE. Isis, a creature of the country’s three largest mobile carriers, will probably run loyalty and offers programs via HCE, at least as a test, says Scott Mulloy, chief technology officer. “We’re in proof of concept now,” he says. “TBD on any production rollout.”
Google Inc., whose Google Wallet launched three years ago to much fanfare and then promptly flopped, won’t comment in any detail but officials confirm the online search giant has adopted host card emulation as its NFC architecture. That’s not surprising, given that its own Android mobile platform has catapulted HCE from drawing-board concept to looming reality in a matter of six months.
‘An Overwhelming Problem’
This new flavor of NFC has captured the industry’s imagination because it appears to liberate banks, merchants, and other service providers looking to offer mobile wallets from the sway of mobile network operators and device makers.
The mobile carriers control the SIM card, and handset makers the embedded chip, on which, up to now, NFC has depended. That makes carriers, in particular, the gatekeepers for mobile payments using NFC, allowing them to grant or deny access to consumers’ phones and to charge fees to wallet providers for that access.
The carriers’ grip on the so-called secure element in mobile phones has long irritated wallet providers and thrown up roadblocks to NFC’s progress. Google, for example, stumbled early on with Wallet because it was effectively boycotted by the major mobile networks.
Banks that wanted to introduce NFC wallets were put off by access fees and related issues. “Either you didn’t have access at all or it was pay to play,” gripes John Schulte, chief information officer at Mercantile Bank of Michigan. “As an individual bank, we couldn’t come up with something that would work across all secure elements, so you say, why bother? It was an overwhelming problem.”
Officials with AT&T Inc. and Verizon Wireless, the country’s two largest mobile carriers, did not reply to requests for comment for this story.
Already, vendors are capitalizing on the emergence of HCE with products that make it easier to deploy. In April, for example, Sequent Software Inc. introduced a solution that lets banks inject their wallets into apps created by other developers. The solution lets banks’ cardholders readily access their “cards” to make payment within a wide range of apps without having to enter payment credentials.
‘Is NFC Cool Again?’
But host card emulation has its downsides, and many observers are quick to say it has much to prove. Decoupling NFC from the secure element, for example, disturbs some observers who fret about transaction security in the wake of a rash of high-impact data breaches, including one at Target Corp. that involved 40 million cards.
That worry has prompted organizations ranging from Visa Inc. and MasterCard Inc. to EMVCo LLC, the international standards body for EMV chip cards, to devise standards that provide for account numbers to be masked by tokens and tokens to be accredited by single-use cryptograms in HCE transactions.
Nor are all potential issuers and acceptors convinced that HCE will lift NFC out of its doldrums. Other technologies have emerged, after all, including a very promising technique that depends on Bluetooth Low Energy to instantly link customers’ handsets with stores as soon as they walk in. That lets merchants send offers, for example, just when customers are standing in front of the relevant merchandise.
With or without host card emulation, “if you did a side-by-side comparison of NFC and BLE, BLE would whip its butt every time,” cracks a restaurant-company executive who asked not to be named.
In its essence, HCE relies on a cloud configuration to link to consumers’ mobile devices and serve up payment credentials, offers, and other data. This basic idea isn’t new. The NFC Forum, an industry standard-setting group, wrote requirements in 2008 for a host-based form of NFC, and included necessary features for HCE development into a specification it published in 2012.
Research in Motion, the company behind BlackBerry, included HCE in its operating system starting in 2011, and in December the Tim Hortons coffee chain launched a BlackBerry-based HCE program for its closed-loop Tim Card in 3,500 Canadian and 800 U.S. stores. It is said to be the first commercial deployment of host card emulation.
What really launched HCE, however, was Google’s announcement on Halloween last year that it was including HCE in its new OS, Android 4.4, dubbed KitKat. That meant HCE was coming to millions of phones running Android, the dominant mobile operating platform. Already, KitKat accounts for 8.5% of all Android devices worldwide, a share that’s climbing rapidly as users adopt the new OS.
What’s also new is the term host card emulation, which a small startup in Austin, Texas, called SimplyTapp claims to have devised along with the HCE code Google adopted for KitKat. Ever since the Android upgrade, and especially since February, when both Visa and MasterCard said they had for all intents and purposes blessed HCE, SimplyTapp has been running hard to keep up with inquiries.
“We’re really busy talking to issuers. Everybody’s going full bore,” says Doug Yeager, the startup’s chief executive, who adds the company expects to launch its first pilot with a bank in South Africa. “Is NFC cool again? I don’t know if it’s cool again, but it’s viable.”
Centrality of Tokens
So, how does host card emulation make NFC “viable?” The answer has to do with how HCE appears to simplify the deployment of mobile-payments applications.
For these applications, NFC has up to now relied on a configuration called card emulation, so called because it makes the mobile device appear to the point-of-sale reader as if it were a contactless card. In this configuration, data sent from the point-of-sale contactless reader are routed to the secure element via the NFC controller chipset, bypassing the handset’s operating system.
The secure element locks down information required to complete the transaction, including the consumer’s card-account number and other data. When the SIM card is the secure element, as it often is, that hands control of the transaction over to the mobile operator.
Now substitute host card emulation. The NFC chipset still receives data from the POS reader but routes them instead to an NFC service manager, which is part of the Android OS. This lets any application on the phone act on the instructions. Payment credentials, meanwhile, reside on a remote server to be downloaded to the app only as tokens. So instead of bypassing the phone’s OS, host card emulation bypasses the phone’s secure element, a feat not easily done before on a mass scale.
This bypass, however, means tokenization of card credentials is a crucial element of HCE. Both Visa and MasterCard require it in specs Visa released in February and MasterCard expects to publish at the end of this month.
Tokens are randomly generated strings of characters that replace the actual primary account numbers assigned to payment cards. The idea is that, since they are not derived mathematically from those account numbers, they can’t be “cracked” and are useless to data thieves.
Further specifications from the card networks and EMVCo, the standards company that includes Visa and MasterCard along with other major payments networks, provide for a single-use, unique cryptogram for each transaction. This cryptogram, generated by the mobile device based on data elements from the token, is intended to ensure the transaction is being performed by the actual cardholder. The mobile device passes all of these data elements to the contactless terminal as part of the authorization message.
As a further security measure, the tokens can be limited to use at a specific merchant or within a particular channel, quick-service restaurants, for example. To guard against loss of cellular or Wi-Fi signals, multiple tokens can be downloaded from the cloud server for offline use. “You’re loading your phone with bullets ahead of time,” says SimplyTapp’s Yeager. “Your transactions are already staged.”
‘A Glimmer of Hope’
Now that such specs are out, or soon will be, business is heating up for vendors like SimplyTapp and Sequent Software. SimplyTapp hopes to sign up financial institutions to incorporate HCE into their mobile-banking apps, and is in talks with more than a dozen banks outside the U.S. “All the major U.S. banks are still in the learning phase,” says Yeager.
Right now, these “major banks” are playing it close to the vest. Capital One Financial Corp. participated in a host card emulation pilot MasterCard ran last year but refused to talk about HCE when contacted for this story. JPMorgan Chase & Co. also declined to comment, as did American Express Co.
PayPal Inc., though, has apparently executed something of a turnaround on NFC since the emergence of host card emulation. John Donahoe, chief executive of PayPal parent eBay Inc., once famously dismissed NFC as standing for “not for commerce.” But PayPal president David Marcus blogged in April that he’s changed his mind about NFC.
With Google’s decision last fall to incorporate HCE, debilitating disputes over control of the secure element seemed to become a thing of the past, opening up opportunities for NFC, Marcus wrote. “For the first time ever, I saw a glimmer of hope for NFC in some shopping configurations,” he said.
Merchants, too, could come on board now that a cloud format for NFC is available. “They didn’t see an easy path for integrating NFC in their own mobile applications. Now, it becomes a very real possibility,” says Pedro Martinez, head of global partnerships for mobile financial services at Gemalto Inc., an Austin, Texas-based company that serves as a trusted service manager for NFC applications. TSMs take care of such functions as provisioning card credentials for mobile payments.
The impact of HCE, or at least its potential impact, has led analysts to bump up their projections for NFC. The U.K.-based research firm IHS Technology, for example, recently projected global shipments of NFC-equipped handsets would more than quadruple over the next five years, to 1.2 billion units. HCE “will have a positive role in the size of the NFC market moving forward,” says Don Tait, senior market analyst for digital ID and IT security at IHS.
‘A Perfect Storm’
This opinion, however, is far from unanimous. Some skeptics point out that HCE remains in its infancy. It hasn’t been tested in a full-scale, real-world deployment, raising questions about its readiness for commercial use. “These things take time and have to be baked,” says Randy Vanderhoof, executive director of the Smart Card Alliance, a trade group based in Princeton Junction, N.J.
Some, too, aren’t so sure cutting out the secure element is a good idea. While conceding that “there has been resistance to participate in secure-element models,” Vanderhoof points out that tokenization for HCE won’t come at zero cost. “Those [tokenization] costs aren’t factored into the equation yet,” he says.
And while HCE may cut them out of the picture, the mobile carriers could yet have something to say about NFC in its HCE mode, Vanderhoof adds. The carriers, he says, retain immense influence over device makers and the choices consumers make when buying handsets.
“Who’s going to provide an incentive to the [mobile network operators]?” he asks. “They represent the primary marketing channel for how those phones reach the market. They control the make and the model, and what features those models support.”
But even Isis, controlled by three large carriers, is willing to give HCE a try. Mulloy says a big reason for this is that he fears running out of room on the secure element for payment applications. He figures he can free up space by moving loyalty apps, which require less security, over to the cloud.
Isis can get the equivalent of anywhere from 15 to 20 cards on the secure element, Mulloy estimates. “My hardware-based model isn’t going to support less-secure loyalty credentials,” he says.
At SimplyTapp, they’re just glad for the business. Yeager says the carriers’ grip on the secure element may have been the best thing that happened to his fledgling company. It spurred his engineers, he says, to find a readily reproducible workaround. Looking at the timing of that launch with Google, he adds: “It was a perfect storm.”
—With additional reporting by Jim Daly
Sequent’s Twist on HCE: Extending Cards to Any App
Sequent Software Inc. in April launched a solution that will let card issuers take advantage of so-called host card emulation, a protocol that allows issuers to provision digital cards for mobile payments while bypassing the phone-based secure element.
A key feature of the new solution is that issuers will also be able to embed their digital cards in mobile apps created by other developers.
The Mountain View, Calif.-based company, founded in 2010, thus becomes one of the first vendors to enable a form of mobile payments that many observers say is reviving the prospects for near-field communication (NFC), a technology that lets consumers pay by waving or tapping their phones near or on a contactless reader.
With host card emulation, NFC relies on cloud storage of card credentials, rather than storage in the secure element, a chip usually controlled by the mobile carrier. In bypassing the secure element, issuers avoid carriers’ fees for access to the phone, a cost many experts say was hindering NFC development.
Last fall, host card emulation, or HCE for short, became a practical reality with Google Inc.’s release of its latest mobile operating system, Android 4.4, which supports the protocol.
Now Sequent executives say that with the company’s new HCE-based digital issuance software, issuers will be able to provision cardholder credentials from a cloud configuration in compliance with new specifications set out by Visa Inc. and EMVCo, a standards body controlled by Visa, MasterCard Inc., and other card networks. The specifications include rules for masking card credentials with one-time tokens that would be useless to thieves if intercepted.
“We’re trying to solve for ubiquity and scale,” says Robb Duffield, chief executive at Sequent. Scalability improved in April, he adds, when Visa approved the company’s digital-issuance platform, which enables provisioning to secure elements as well as host card emulation.
“We want to interoperate with any form factor, cloud being the most relevant today,” Duffield says. “Our Visa approval is very important. This is still a payments industry. You still have to get the approval of Visa, MasterCard, American Express, and EMVCo.”
MasterCard is working on its own set of HCE specs and expects to release them by the end of June.
The ability for issuers to extend digital cards into partners’ apps will give cardholders instant payment capability. “Some issuers will build back-end systems themselves, but they haven’t cracked the nut yet of how to let the credentials work in any trusted app,” notes David Brudnicki, Sequent’s chief technology officer. “That’s where we come in. We’ve cracked the nut.”
Indeed, some observers see this process reversing the course followed so far in mobile payments, in which app developers like Google and Isis court banks and merchants. Now, these observers say, issuers will have the capability to court app developers.
“We will see issuers working with third parties and retailers to allow consumers to take their payment credential or a token in to third-party and retailer apps for payment,” predicts Cherian Abraham, global consulting practice analyst at Experian Decision Analytics, in an email message.
“Issuers will struggle a little with this, but consumers want the ability to pay for things wherever and whenever, and trying to lock them down to a specific app, even if it is the bank’s own mobile-banking app, seems counterproductive,” Abraham says.
But others caution that, for all HCE’s promise, consumers and merchants first must show interest in mobile payments, something that hasn’t been overly evident so far.
“Before HCE can take off, merchants and consumers need to become more interested and engaged in making point-of-sale payments with their phones at places other than Starbucks,” says Rick Oglesby, a senior analyst at Double Diamond Payments Research.
