HCE minus SE = 'Hosed Card Emulation'

By Siva Narendra, CEO, Tyfone, Inc.

Mobile commerce has ushered in the convergence of e-commerce and the more traditional and dominant physical world. Into this environment comes a popular “new kid in town” called Host Card Emulation (HCE). HCE is being promoted for software-based security applications – but that perpetuates the basic problem of storing sensitive credentials in the cloud, an approach that has proven inadequate time and time again. Compounding the problem, HCE also requires all this sensitive information for security to be stored and managed by an entity other than the HCE provider. The HCE model may appear to be an elegant technical solution that circumvents the need for a hardware-based Secure Element (SE). However, can the payment industry really enable secure mobile payments without hardware-based security?

Throwing Out the Baby with the Bathwater

There are two distinct ways to move money in payments today: “Card Present” (CP) transactions that originate at the physical point-of-sale and “Card Not Present” (CNP) for e-commerce. Fraud levels in the CP world are much lower than in the CNP world. Based on 2012 data from the U.S. Census Bureau, eMarketer and the Nilson Report found CNP fraud in the US accounted for $1.9 billion out of $220 billion in sales, or 0.9 percent. All categories of other fraud totaled $4 billion out of $4.35 trillion in sales – only 0.09 percent. In addition, CNP fraud is growing at a much faster pace than CP fraud according to FICO.

Although CP fraud levels are far lower, the payment industry has concluded that more secure storage of payment information is required in the form of hardware-based security; hence, the global migration to EMV-based smart card SEs for CP transactions. If hardware-based security is the proven solution where fraud is lower, why would anyone expect the CNP scenario to not require something just as effective?

Let’s put it another way: Should we really expect the inadequate password security used in the e-commerce world today to migrate to the physical world OR isn’t it more prudent and consistent to adapt the SE security philosophy that is used in the physical world to e-commerce?
