Mobile Payment Security – Challenges, Trends, Recommendations, and Tips
It’s been just over a year since Mobile World Congress 2014 and possibly the most significant announcement in the short but eventful history of Host Card Emulation, HCE to friends. Since Android 4.4 HCE had been implemented within Android but it is fair to say that Visa and MasterCard throwing their weight behind HCE was critical to the continued growth of the architecture. At this one year anniversary it may be appropriate to examine what’s the latest with HCE and perhaps get a view of what’s coming up next.
Visa seems to be progressing steadily on this front. In Europe alone there are an estimated 30 banks likely to go live with significant HCE based implementation over this year alone. In the words of Sam Shrauger, SVP, digital solutions, Visa “2015 is the year in which fast and safe mobile payments based on Visa technology will proliferate across the world”.
The evidence is that MasterCard has also put its money where its mouth is. The use of mobile devices instead of card based payment options is growing steadily worldwide and MasterCard has clearly seen that coming. They recently announced that in 15 key countries pilot projects were already underway for HCE and Cloud based secure contactless and remote payment transactions. MasterCard is seeking to make contactless mobile payment options more widely deployed globally through MasterCard Cloud Based Payments. Licensees numbering in the hundreds across countries including the USA, Australia, Canada, Germany and France have already come on board. Among MasterCard’s most important markets where HCE based payments are now available is China. Clearly the world is watching and no longer waiting.
Given some high profile vulnerabilities within the Android eco-system driven by enthusiastic malware developers there have been security concerns about HCE. Part of this is driven by an unfavourable comparison with Apple Pay and the hardware secure element based solution. That being said HCE’s implementation of Tokenization seems to borrow heavily from Apple’s concept of the device account number and with the transaction triggered one-time account number seems to act in much the same way. This seems to be satisfying users for now.
Tokenization is getting some important stimuli also. For one Visa has announced that it will not charge card issuers and other providers any fee for using their tokenization service through this year and possibly even after that. Visa CEO Charles Scharf has recently described tokenization as “the single biggest change that’s been made in the payment networks easily over the past 15 or 20 years”.
Another knock-on impact of the token based solution is that given the increasing popularity of the Internet Of Things there now seems to be a possibility that payments could be embedded into pretty much any personal use device – not just phones. The initial devices looking to leverage this use case are already here. Earlier this year the first white-labelled HCE enabled wristbands from wearables technology company WireCraft were announced. Vendors using the innovative technology for payments and even wider use-cases are sure to follow.
The other big development coming up just over the horizon is the release of the Android Pay API. Gooogle tells us this is likely to come about in May this year – so not that far out. Attendees at Google’s I/O Conference expect to get a view of the service that is expected to support Google Wallet as well as mobile payment options from premier handset makers. The API, of-course, uses HCE and is expected to enable mobile and in-app purchases and also other, move conventional, payments.
The adoption of mobile based payments is taking off and HCE seems to be driving much of that momentum. The market is at an interesting stage and for us being connected with the technology space is a buzz like no other – there’s a wild ride up ahead and we are ready!
Related posts
