Payment systems based on magnetic stripe cards have evolved to incorporate EMV chip cards and the natural next step was to use dedicated security hardware inside most phones called a Secure Element to host the payment application, user payment credentials and the associated cryptographic keys.
With Host Card Emulation (HCE), critical payment credentials are stored in a secure shared repository (the issuer data centre or private cloud) rather than on the phone. Limited use credentials are delivered to the phone in advance to enable contactless transactions to take place. Although this eliminates the need for Trusted Service Managers and shifts control back to the banks, it brings with it a whole different set of security and risk challenges.
- To protect the centralised service where millions of payment credentials are stored or to create one-time-use credentials on demand
- To secure the phone responsible for requesting card data stored in HCE service and acting as a communications channel over which the sensitive payment credentials are transmitted to the POS terminal
- Host Card Emulation Mobile Payments: Both nShield and payShield hardware security modules help to secure HCE-based solutions. Payment credentials are securely created and stored centrally using HSMs by the issuer, who also has the flexibility to decide how many keys are stored in the phone at any given time, and therefore cover situations where offline authorisation is supported as part of the issuer risk decision.
- Complete Security: In an online authorisation scenario, the usual deployment mode for HCE solutions, the issuer utilises HSMs to validate the cryptogram that is created by the phone app in real-time as a part of the contactless mobile payment transaction. In this scenario, the security design of the phone app is critical to ensure that the processing inside the phone reduces the risk of key or sensitive data exposure to criminal attacks. Due to this reason, card schemes are conducting extensive validation of mobile payment app security, which includes the interface to the issuer involving HSMs, before the bank can go live with the HCE service.
- Helping secure HCE-based solutions
- Utilising the same kind of Thales HSMs for HCE that are in use globally today for authorising card payments and issuing EMV cards
- Leveraging the Thales integration partner ecosystem to choose proven HCE-based solutions and become automatically compatible with the latest card scheme specifications
- Selecting from a variety of cryptographic algorithms and key management schemes already supported by Thales HSMs to create a hardware-based secure session between the issuer system and the phone, preventing man-in-the-middle attacks during the credential loading process
- Simplifying audit compliance by taking advantage of the existing HSM certifications, FIPS 140-2 level 3 and PCI HSM