Welcome!

News Feed Item

Consult Hyperion and the GSMA Publish Report Contrasting HCE and SIM Secure Element Approaches to NFC Payments

Digital payments experts Consult Hyperion, in conjunction with the GSMA, today published a guide to help banks and mobile operators understand the Host Card Emulation (HCE) and SIM Secure Element approaches for NFC payments. The guide, “HCE and SIM Secure Element: It’s not Black and White”, follows the recent introduction of HCE into Android 4.4 (KitKat) and concludes that the SIM Secure Element and HCE approaches to NFC payments each offer important benefits for financial institutions. Further, they should not be viewed as mutually exclusive and a combination of the approaches may be appropriate for differing applications and markets.

“This paper provides a balanced analysis for financial institutions of HCE as an alternative proposition for NFC payments, alongside the existing SIM approach,” said Alex Sinclair, Chief Technology Officer, GSMA. “The recent inclusion of HCE into Android opens up the possibility of performing NFC payments without using a SIM Secure Element and HCE could also potentially remove complexity associated with SIM-based NFC payments. At the same time, SIM-based NFC offers a proven secure solution that is being commercially deployed today. The challenge for the mobile operator community is to simplify the provisioning process, further accelerating deployments of SIM-based NFC on a global basis.”

“MasterCard has been technology agnostic, enabling mobile payments in a way that allows current card accounts to be used seamlessly and securely from consumers’ favorite electronic devices,” said James Anderson, senior vice president of emerging payments, MasterCard. “We have deployed SIM and Secure Element-based solutions through partnerships with mobile network operators, OS providers and handset manufacturers, while recently adding support for cloud-based payments. This paper will help both the mobile and payments industries understand the strengths of each approach and allow them to choose the options that align with their business strategies.”

Report co-author Steve Pannifer, Head of Delivery at Consult Hyperion said: “The inclusion of HCE into Android has generated a lot of excitement that can only be good for NFC payments. This, combined with the efforts to streamline SIM Secure Element based NFC evident in many markets, will enable NFC payment products to be rolled out with renewed vigour. We hope that this paper will encourage banks and mobile operators to collaborate further in bringing NFC payments to the market. We believe the mobile operators have an important role to play, particularly in providing mobile security and authentication services that are paramount in any payments service.”

The guide shows that whilst HCE does indeed simplify some aspects of the NFC ecosystem by allowing mobile NFC payments to be performed without using a SIM Secure Element, this is only part of the landscape. HCE requires a new approach to security in terms of ecosystem integration, risk management and certification processes. In contrast, SIM Secure Element processes are well defined and mobile operators are actively working with the ecosystem to simplify them further.

The report examines the heritage of SIM-based NFC, the lessons learnt from the first deployments and the actions that have been taken to allow service providers to deploy secure, stable and proven mobile payment services at scale. The guide finds that whilst there is significant interest around HCE, the SIM Secure Element approach for mobile payments still has many complimentary advantages and it will be down to the banks to carefully review their needs in each of their operating markets.

“Both the People’s Bank of China (PBOC) and China UnionPay have released mobile payment specifications, which require a Secure Element to support NFC mobile payments, in order to provide a secure and reliable payment service. China UnionPay has worked very closely with Chinese operators on large-scale commercial NFC services based on the SIM as Secure Element. In conjunction, China UnionPay is working actively on a feasibility study of new technologies including HCE,” said Jiang Haijian, Deputy General Manager, Mobile Payment Dept., China UnionPay.

Consult Hyperion suggests that there are a number of key points for banks to consider as they plan mobile NFC payments:

  • Understand your local environment: The local conditions will play a big role in determining the best approach
  • Understand your target transactions: It is possible that HCE will be less suited to certain transaction types (e.g. offline, high value) than SIM Secure Element.
  • SIM Secure Element and HCE are not mutually exclusive: The most effective solutions over the medium term may be hybrid models where, for example, the SIM is used to address the security and authentication gaps in HCE.
  • Build flexibility into your strategy: There is likely to be considerable overlap between SIM Secure Element and HCE in terms of the systems and capabilities that are required
  • Collaborate with the industry: Until there is a level of standardisation around HCE, there remains the risk that banks could adopt solutions that are insufficiently flexible or lock the banks in.

David Baker, Head of the Card Innovation Payments Unit at the UK Card Association notes: “While Host Card Emulation has been hailed as a potential game changer for card-based NFC proximity payments, this report gives valuable advice and guidance on the issues the industry must address -- and highlights the real need for collaboration between ecosystem partners to ensure greater adoption of mobile payment services.”

The full report can be seen here

Note to Editors:

HCE is a recent feature of Android that allows an Android application to emulate a contactless card via the NFC interface of the handset; previously, this was reserved to applications stored in a secure chip or Secure Element, typically the SIM card, with similar security features as chip-and-PIN plastic cards. HCE opens the way to payment applications without a secure element, but such applications need to reach a satisfactory level of security. In order to achieve this, card schemes are developing a “tokenisation” approach, whereby the payment card identifier is replaced by a single use or limited use “token”. This reduces the impact of data breaches significantly: if a “token” is compromised it will have limited and possibly no value.

The guide was commissioned by the GSMA, 5 New Street Square, London, EC4A 3BF, United Kingdom. Any opinions, findings, and conclusions or recommendations expressed in the material are those of the author(s) and do not necessarily reflect those of the GSMA or its members.

About Consult Hyperion

Consult Hyperion is an independent information technology consultancy that has spent over two decades advising leading organisations around the world. Consult Hyperion helps these organisations to reap real benefits from technological change in the field of secure electronic transactions ranging from retail payments to mobile wallets to contactless transit ticketing. Consult Hyperion is uniquely qualified to advise on turning great business ideas into working systems that can help customers, and to evaluate new business concepts, develop new products and services from specification to customer roll-out, and to test and certify complex systems.

The four main sectors the company operates in are; financial services, with card schemes, banks, retailers and others; telecommunications and media, advising world leading companies; technology, to support some of the largest IT companies, and in the public sector and transit where projects include transit operators, government and law enforcement.

For more information visit Consult Hyperion, follow on Twitter @chyppings and keep up to date with the latest debate at Tomorrow’s Transactions Blog.

About the GSMA

The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators with more than 250 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers and Internet companies, as well as organisations in industry sectors such as financial services, healthcare, media, transport and utilities. The GSMA also produces industry-leading events such as the Mobile World Congress and Mobile Asia Expo.

For more information, please visit the GSMA corporate website at www.gsma.com. Follow the GSMA on Twitter: @GSMA.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
Kubernetes is a new and revolutionary open-sourced system for managing containers across multiple hosts in a cluster. Ansible is a simple IT automation tool for just about any requirement for reproducible environments. In his session at @DevOpsSummit at 18th Cloud Expo, Patrick Galbraith, a principal engineer at HPE, discussed how to build a fully functional Kubernetes cluster on a number of virtual machines or bare-metal hosts. Also included will be a brief demonstration of running a Galera MyS...
"We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
"We are an all-flash array storage provider but our focus has been on VM-aware storage specifically for virtualized applications," stated Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Internet of @ThingsExpo has announced today that Chris Matthieu has been named tech chair of Internet of @ThingsExpo 2017 New York The 7th Internet of @ThingsExpo will take place on June 6-8, 2017, at the Javits Center in New York City, New York. Chris Matthieu is the co-founder and CTO of Octoblu, a revolutionary real-time IoT platform recently acquired by Citrix. Octoblu connects things, systems, people and clouds to a global mesh network allowing users to automate and control design flo...
In addition to all the benefits, IoT is also bringing new kind of customer experience challenges - cars that unlock themselves, thermostats turning houses into saunas and baby video monitors broadcasting over the internet. This list can only increase because while IoT services should be intuitive and simple to use, the delivery ecosystem is a myriad of potential problems as IoT explodes complexity. So finding a performance issue is like finding the proverbial needle in the haystack.
Between 2005 and 2020, data volumes will grow by a factor of 300 – enough data to stack CDs from the earth to the moon 162 times. This has come to be known as the ‘big data’ phenomenon. Unfortunately, traditional approaches to handling, storing and analyzing data aren’t adequate at this scale: they’re too costly, slow and physically cumbersome to keep up. Fortunately, in response a new breed of technology has emerged that is cheaper, faster and more scalable. Yet, in meeting these new needs they...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at 20th Cloud Expo, Ed Featherston, director/senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
When it comes to cloud computing, the ability to turn massive amounts of compute cores on and off on demand sounds attractive to IT staff, who need to manage peaks and valleys in user activity. With cloud bursting, the majority of the data can stay on premises while tapping into compute from public cloud providers, reducing risk and minimizing need to move large files. In his session at 18th Cloud Expo, Scott Jeschonek, Director of Product Management at Avere Systems, discussed the IT and busin...
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
The WebRTC Summit New York, to be held June 6-8, 2017, at the Javits Center in New York City, NY, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 20th International Cloud Expo and @ThingsExpo. WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web co...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...