Host Card Emulation (HCE): Validation insights for banks from a security laboratory perspective

22/11/2016

    There’s no question that HCE is a technology of increasing interest for both banks and application developers. At the end of 2015, Visa estimated that over 30 European banks were already committed to going live with Android apps for secure contactless payments and 2016 has seen steady growth in the sector.

    Many banks have decided that now is the moment to start building their own HCE-powered wallet apps, for a variety of reasons. Because the payment application runs in the handset's operating system rather than in a secure element, HCE removes a good deal of complexity for the stakeholders involved in mobile payment, especially when compared with USIM-based or embedded secure element solutions, which require the operator or the handset manufacturer to be in the loop. Right now, the ecosystem is ready and the market is expecting rapid growth in mobile payments.

    But what does a bank need to know before taking the plunge and opting for HCE technology?

    Contact the payment scheme to define the project scope and requirements

    For starters, a bank needs to be in contact with the payment schemes to explain its project. This matters because each scheme may have its own requirements, and these can depend on the size of the project, the token service you want to use and how many payment schemes you want to validate with, among other factors.

    Security countermeasures are key

    Of course, for consumers and banks alike, the most important issue when it comes to any payment system is security. HCE is a pure software solution: card credentials and keys live in ordinary application memory rather than in tamper-resistant hardware. Its security therefore rests on a good combination of countermeasures in the app itself (white-box cryptography to hide key material, code hardening) and controls enforced by the back end in the cloud, such as limiting how long and how many times any key held on the device can be used. Unless you already have expertise in this area, we recommend licensing proven components such as white-box cryptography libraries rather than developing your own. An alternative is to build on an SDK that has already been evaluated and approved by a payment scheme.
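    To make the split between on-device software and the cloud back end concrete, here is a small simulation written for this article. It is not code from the original post, from Applus+ or from any payment scheme, and it assumes the limited-use-key approach used by the major schemes' cloud-based payment specifications: the cloud derives short-lived, single-use keys from a master key that never leaves the back end, the phone computes one cryptogram per key and discards it, and the issuer host rejects replays, tampered amounts and keys that have expired. The message format, the HMAC-SHA256 cryptogram, the counter semantics and the names `TokenServiceBackend`, `HceWallet` and `cryptogram_for` are assumptions made for illustration, not real scheme definitions.

```python
"""Simulated HCE payment flow with limited-use keys.

Added illustration for this article; not code from the original post or
from any payment scheme. Assumes a limited-use-key model: the cloud keeps
the master key, the phone only ever holds single-use keys that expire.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


@dataclass
class LimitedUseKey:
    atc: int          # transaction counter the key is bound to (one key per ATC)
    expires_at: int   # assumed absolute expiry, in seconds
    key: bytes


def cryptogram_for(key: bytes, atc: int, un: bytes, amount: int) -> bytes:
    # Assumed construction: HMAC-SHA256 over counter, terminal nonce and amount.
    # Real schemes use an EMV-style MAC; what matters is that the terminal's
    # unpredictable number and the amount are bound into the value.
    return hmac.new(key, struct.pack(">I", atc) + un + struct.pack(">Q", amount),
                    hashlib.sha256).digest()


class TokenServiceBackend:
    """Cloud side. The master key never leaves here."""

    def __init__(self, master_key: bytes, clock):
        self._master = master_key
        self._clock = clock          # callable returning the current time
        self._next_atc = {}          # token -> next ATC to hand out
        self._issued = {}            # token -> {atc: expires_at}
        self._consumed = {}          # token -> set of ATCs already spent

    def _derive(self, token: str, atc: int) -> bytes:
        return hmac.new(self._master, f"{token}:{atc}".encode(), hashlib.sha256).digest()

    def provision(self, token: str, count: int = 3, lifetime: int = 300):
        start = self._next_atc.get(token, 1)
        issued = self._issued.setdefault(token, {})
        keys = []
        for atc in range(start, start + count):
            issued[atc] = self._clock() + lifetime
            keys.append(LimitedUseKey(atc, issued[atc], self._derive(token, atc)))
        self._next_atc[token] = start + count
        return keys

    def authorise(self, token: str, atc: int, un: bytes, amount: int, cryptogram: bytes) -> str:
        issued = self._issued.get(token, {})
        consumed = self._consumed.setdefault(token, set())
        if atc not in issued:
            return "REJECT_UNKNOWN_ATC"       # never provisioned, or forged counter
        if atc in consumed:
            return "REJECT_REPLAY"            # this key was already spent
        if self._clock() > issued[atc]:
            return "REJECT_EXPIRED"           # key extracted from the phone and used late
        expected = cryptogram_for(self._derive(token, atc), atc, un, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return "REJECT_BAD_CRYPTOGRAM"    # tampered amount/nonce or wrong key
        consumed.add(atc)
        return "APPROVE"


class HceWallet:
    """Phone side. Holds a small batch of limited-use keys and nothing long-lived."""

    def __init__(self, token: str, backend: TokenServiceBackend, clock):
        self.token, self._backend, self._clock = token, backend, clock
        self._luks = []

    def pay(self, un: bytes, amount: int) -> dict:
        self._luks = [k for k in self._luks if k.expires_at >= self._clock()]
        if not self._luks:
            self._luks.extend(self._backend.provision(self.token))  # online replenishment
        luk = self._luks.pop(0)   # single use: removed before it is even sent
        return {"token": self.token, "atc": luk.atc, "un": un, "amount": amount,
                "cryptogram": cryptogram_for(luk.key, luk.atc, un, amount)}


def run_demo() -> list:
    """Constructed scenario: a normal payment, a replay, a tampered amount,
    a key dumped from the app and used after expiry, then a fresh payment."""
    now = [1_000_000]
    clock = lambda: now[0]
    backend = TokenServiceBackend(os.urandom(32), clock)
    wallet = HceWallet("tok_4111", backend, clock)
    results = []
    tx = wallet.pay(os.urandom(4), 1250)
    results.append(backend.authorise(**tx))             # APPROVE
    results.append(backend.authorise(**tx))             # REJECT_REPLAY
    tx2 = wallet.pay(os.urandom(4), 500)
    results.append(backend.authorise(**dict(tx2, amount=50)))   # REJECT_BAD_CRYPTOGRAM
    stolen = wallet._luks[0]                            # attacker dumps the remaining key
    now[0] += 600                                       # ... but only gets to use it later
    un = os.urandom(4)
    results.append(backend.authorise(wallet.token, stolen.atc, un, 700,
                                     cryptogram_for(stolen.key, stolen.atc, un, 700)))  # REJECT_EXPIRED
    results.append(backend.authorise(**wallet.pay(os.urandom(4), 900)))   # APPROVE (replenished)
    return results


if __name__ == "__main__":
    print(run_demo())
```

    The point of the simulation is where the security lives: the on-device countermeasures (white-box cryptography, obfuscation) only buy time, so the cloud must make sure that whatever an attacker can pull out of the phone is worth very little, which is what the single-use and expiry checks in `authorise` do.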

    More complexity means a larger attack surface

    When it comes to security, the complexity of a system increases its attack surface and the associated risk. That is why a standalone application that does nothing but payments is the optimal approach for keeping certification costs and risk down once the product is on the market. This does not mean that payment functionality cannot be added to an existing multipurpose app (a mobile banking app, for example), as long as the payment component is robustly isolated from the rest of the application.

    App updates might require delta evaluations

    When looking at HCE security, the payment schemes talk about validation rather than certification. A product is validated to show that it meets the scheme's requirements at a particular point in time, but the schemes do not issue any sort of certificate. This means that when the product is updated, the bank needs to agree with the scheme on the right approach. Depending on what the update changes, the bank might need to go back to the laboratory to check whether the previous results still hold, and in some cases extra testing will be needed in the form of a delta evaluation.

    Look for a laboratory partner to help you through the process

    It's highly recommended that you choose the best partner laboratory to support you throughout the validation process required by the payment schemes. The laboratory you partner with should help you define the timeline, understand the evaluation process, identify the test set-up requirements and the documentation you will need, and lead the coordination with the payment schemes.

    Find out more about Applus+ Laboratories HCE validation services.

    By Guillem Ernest Malagarriga
