Christian Damour, Product and Services Manager – Security at FIME
Smartphones are central to our daily lives. We manage our personal and business affairs, watch movies, track our health and, increasingly, make payments. Adoption of mobile payments is rising considerably worldwide, with predictions estimating it’ll be the second most popular way to pay by 2022.
For banks and other issuers, delivering mobile payments is becoming increasingly imperative. There’s a crucial choice to make, though – support the Giant Pays or go it alone.
While ‘flying solo’ may be more complex, it offers banks a whole host of benefits, including increased control, brand recognition and security. Host Card Emulation (HCE) is one compelling option for banks to develop, launch and maintain their own payment apps for Android customers quickly and cost-effectively. Its caveat, however, is the need for a robust, security-driven implementation plan to ensure a successful app launch from the get-go.
So, what is HCE and how can banks best use it to power their way to mobile payment success?
The A-B-C of HCE
In a nutshell, HCE enables a smartcard to be mimicked on a mobile device using software, meaning transaction data and card credentials are stored in a cloud server, rather than inside the mobile device. This provides greater flexibility and processing power, considerably reducing the cost of deploying mobile payments.
Google first enabled HCE back in 2014. Since then, it’s been selected by several banks (and even Russia’s national payment scheme, MIR) to deliver cloud-based payments without relying on third parties.
Why choose HCE?
Ease and convenience of services is a top priority for consumers when choosing a bank, so nailing the UX of any mobile payments solution is key. By utilizing HCE, banks and retailers can retain control over this all-important UX, as well as being able to increase brand visibility and foster loyalty. Looking longer term, it also ensures these stakeholders retain ownership of valuable customer data that can be used to inform the development of products and services.
From a technical perspective, launching HCE apps is a considerably more streamlined process. For example, issuers don’t have to contend with hardware security certifications, as software HCE apps undergo simpler, less expensive functional and security certifications. It also removes the challenge of managing the multiple complex and costly relationships that, say, a traditional secure element (SE)-based solution creates.
Start with security!
Now, back to that caveat mentioned earlier. While Android offers some security features, such as sandboxing, these are notoriously vulnerable. Its rich OS and unsecure software mean that if a device is rooted, all apps and data are accessible. In short, relying on Android’s security features is simply not enough.
The answer? Layers of security.
To launch HCE solutions effectively, security must be a priority from the start to mitigate concerns surrounding Android device security.
36% of US smartphone users don’t use mobile payments because they are worried that their data is not secure, so security can also operate as a marketing tool to differentiate and gain market share. Crucially, however, a lack of security can leave banks vulnerable to a whole host of customer relationship and reputational challenges if apps are compromised, not to mention potential fines. Plus, the later security bugs are found, the more expensive they are to correct.
Banks and other issuers cannot afford to be among the 43% of Android apps found to be at a high security risk. But they don’t have to go it alone. Working with a strategic partner can help banks adhere to best practice when defining, designing and deploying HCE solutions, ensuring the protection of data, money and consumer loyalty. Seeking support from the very start of projects also mitigates costly and unexpected delays and challenges, streamlining that all-important launch time.