
What is Card Emulation?

Card emulation is about making a mobile phone act like a smart card. This allows, for example, a mobile phone to be used in a payment transaction at the point of sale instead of a contactless smart card.

Prior to Host Card Emulation, an actual smart card device (e.g. a secure element such as a SIM) had to be accessible to the mobile phone and was used to store the card payment application. The payment app in the secure element provides transaction and risk logic such that the payment application itself is involved in the process of approving or declining a transaction, managing critical data in the tamper-resistant environment of the secure element.

Host-based Card Emulation

Android 4.4 introduced another method of card emulation that does not involve a secure element, called host-based card emulation (HCE). With HCE, the secure element is not required. The payment application is held in the mobile phone operating system (the device “host”). This allows any Android application to emulate a card and talk directly to the NFC reader. A standard EMV payment transaction is performed from an application residing in the mobile phone’s host operating system, and the POS sees a mobile app which looks like a mobile payment card. The NFC controller is connected to the application through the mobile OS. The integrity of the transaction is managed by using transaction cryptograms that can only be verified by the issuer, or by using data in different channels like a secure code (such as an OTP).

The significance of HCE is the independence from the secure element that it gives issuers that want to enable apps for mobile payments.

Security Considerations – Tokenization and Point-to-Point Encryption

Tokenization – HCE allows a payment application residing on the mobile handset to emulate cards on the NFC interface; however, HCE doesn’t provide a way to secure these applications in the absence of a hardware secure element.

Tokenization is the process of substituting the Personal Account Number (PAN) with a single or limited use “token PAN”, where the use can be limited by consumer device, channel or merchant. This ensures that even if a “token PAN” is captured it will have limited and possibly no value. Tokenization is a layer that can be applied on top of HCE.

To employ tokenization, the issuer calls a Token Service Provider (TSP) to generate token PANs (and payment keys), which are delivered to the mobile app and used in HCE transactions. When these transactions are processed through the payment network, the TSP is called to convert token PANs back to the real PAN to allow issuers to process the transaction.
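The tokenization flow and the issuer-verified transaction cryptogram described above can be sketched as follows. This is an added example, not code from the original document or from any payment scheme: the class and function names are hypothetical, HMAC-SHA256 stands in for the real cryptogram algorithm, and the TSP and the app share the payment key in one process for simplicity.

```python
import hashlib
import hmac
import secrets


class TokenServiceProvider:
    """Toy TSP vault: token PAN -> real PAN plus usage restrictions."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan, device_id, channel, max_uses=1):
        # Random digits: the token reveals nothing about the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # limited-use payment key for the app
        self._vault[token] = {"pan": pan, "domain": (device_id, channel),
                              "key": key, "uses_left": max_uses, "seen": set()}
        return token, key

    def detokenize(self, token, device_id, channel, counter, amount, cryptogram):
        rec = self._vault.get(token)
        if rec is None or rec["uses_left"] <= 0:
            return None  # unknown or exhausted token
        if (device_id, channel) != rec["domain"]:
            return None  # presented outside the device/channel it is bound to
        if counter in rec["seen"]:
            return None  # replayed transaction counter
        expected = make_cryptogram(rec["key"], token, counter, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # transaction data altered, or wrong key
        rec["seen"].add(counter)
        rec["uses_left"] -= 1
        return rec["pan"]


def make_cryptogram(key, token, counter, amount):
    # Assumption: HMAC-SHA256 stands in for the scheme's cryptogram algorithm.
    msg = f"{token}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN
    token, key = tsp.tokenize(pan, "phone-A", "nfc", max_uses=1)
    good = make_cryptogram(key, token, 1, 1250)
    return (tsp.detokenize(token, "phone-B", "nfc", 1, 1250, good),  # other device
            tsp.detokenize(token, "phone-A", "nfc", 1, 9999, good),  # amount changed
            tsp.detokenize(token, "phone-A", "nfc", 1, 1250, good),  # valid
            tsp.detokenize(token, "phone-A", "nfc", 1, 1250, good))  # reuse
```

Only the third call in `demo()` yields the real PAN: a captured token fails on another device, with altered transaction data, and once its single use is spent.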
There are 3 types of tokenization-

1. Website tokenization occurs when customers enter their Personal Account Number (PAN) on a merchant website, but the merchant never sees the PAN as it is immediately tokenized by the processor in a software vault.

2. POS terminal tokenization occurs when the cardholder’s PAN is tokenized as soon as the card is swiped or tapped at the POS terminal.

3. Network tokenization involves a card network like MasterCard or Visa or a mobile wallet service provider tokenizing a cardholder’s PAN and the token being stored securely on the user’s mobile device or in an HCE cloud based software vault.

Point-to-Point Encryption

Point to point encryption (P2PE) involves encrypting transaction data from the point of interaction with the merchant’s POS device until the data reaches the P2PE solution provider’s secure decryption environment. The transaction message including the cardholder’s token is encrypted and sent to the acquirer and the card network in encrypted form. The P2PE solution should be compliant with PCI DSS (Payment Card Industry Data Security Standards) and related card data security standards such as PA-DSS (Payment Application – Data Security Standards), which assesses ATM and POS applications to ensure that they comply with PCI DSS.

The HCE Payment Ecosystem

The HCE ecosystem for mobile payment is illustrated as below-

The relationships needed for processing HCE payment transactions remain similar to traditional card payments, with the inclusion of the TSP for tokenization. The issuer is responsible for choosing the security scheme to be used in HCE apps, and the use of EMV tokenization is optional. The issuer maintains its relationship with the card scheme for the payment product issued. Customers download HCE payment apps to their devices from the app store. The payment application provider may publish the app to the app store on behalf of the issuer, or the issuer may publish it themselves.
Customer Journey

With the need to provision payment credentials frequently and to ensure strong customer authentication, issuers need to be careful not to introduce usability issues. The user experience for the payment transaction with the merchant through an HCE application can be illustrated as –

[Figure: customer journey flow. Stages: Download App; Install App; One-Off Service Provisioning; Dynamic Data Provisioning; POS; Network. Steps: Connect to Issuer; Process request for service; Perform Identity and Verification process; Verify customer and device; Generate static data (account level); Personalize application static data; Provision application static data; Generate dynamic data (transaction level); Download dynamic data; Provision dynamic data; Perform transaction; Receive transaction; De-tokenize PAN; Authorize transaction.]

HCE Business Benefits!

By deploying services to HCE, no intermediaries are needed to access the secure element. This narrows down the gap between issuers and customers, ensuring a consistent brand and end-user experience. HCE allows service providers to be in control of costs, security partners and management of a mobile payment solution. With HCE, the issuer builds the user interface and so has control over how the cardholder interacts with the service. The freedom and control an issuer has over an HCE solution allows them to innovate in the marketplace, e.g. faster merchant checkout solutions and loyalty scheme integration. HCE also offers on-device risk management. Enhanced security means better customer satisfaction and higher adoption in the long term.

The Challenges!

There are challenges with mobile devices that have limited security against malware threats like sniffing card data, while on the other hand rich contextual data creates a new risk management opportunity for issuers. Customers want the choice to pay using a bank app, a merchant app or any other favorite app. This expectation requires a management platform to enforce configuration and business rules which define which apps can access which credentials, so that the right apps can perform point of sale and the user experience is seamless across multiple apps.

Sources:
[1] https://developer.android.com/guide/topics/connectivity/nfc/hce.html
[2] http://cs.stanford.edu/people/eroberts/cs201/projects/2010-11/DigitalCurrencies/disadvantages/index.html
