HCE minus SE = 'Hosed Card Emulation'
By Siva Narendra, CEO, Tyfone, Inc.
Mobile commerce has ushered in the convergence of e-commerce and the more traditional and dominant physical world. Into this environment comes a popular “new kid in town” called Host Card Emulation (HCE). HCE is being promoted for software-based security applications, but it perpetuates the basic problem of storing sensitive credentials in the cloud, an approach that has proven inadequate time and time again. Compounding the problem, HCE also requires all this sensitive information for security to be stored and managed by an entity other than the HCE provider. The HCE model may appear to be an elegant technical solution that circumvents the need for a hardware-based Secure Element (SE). However, can the payment industry really enable secure mobile payments without hardware-based
Throwing Out the Baby with the Bathwater
There are two distinct ways to move money in payments today: “Card Present” (CP) transactions that originate at the physical point-of-sale and “Card Not Present” (CNP) for e-commerce. Fraud levels in the CP world are much lower than in the CNP world. Based on 2012 data from the U.S. Census Bureau, eMarketer and the Nilson Report found CNP fraud in the US accounted for $1.9 billion out of $220 billion in sales, or 0.9 percent. All categories of other fraud totaled $4 billion out of $4.35 trillion in sales – only 0.09 percent. In addition, CNP fraud is growing at a much faster pace than CP fraud according to FICO.
Although CP fraud levels are far lower, the payment industry has concluded that more secure storage of payment information is required in
the form of hardware-based security; hence, the global migration to EMV-based smart card SEs for CP transactions. If hardware-based security
is the proven solution where fraud is lower, why would anyone expect the CNP scenario to not require something just as effective?
Let’s put it another way: Should we really expect the inadequate password security used in the e-commerce world today to migrate to the physical world OR isn’t it more prudent and consistent to adapt the SE security philosophy that is used in the physical world to e-commerce?