JAX Finance Blog

JAX Finance, 9-12 April 2018
The Conference for Technology in Finance
23 Feb

“Cloud-based payments address security on multiple levels”


Host card emulation (HCE) allows a mobile application to communicate over the Near Field Communication (NFC) protocol. Contactless payment cards use the same NFC protocol to perform payments. In this interview, Aivars Kalvāns explains the benefits of HCE, as well as the challenges this technology brings to mobile banking.

JAXenter: First of all, can you explain in more depth how host card emulation (HCE) and Near Field Communication (NFC) work with payment systems?

Aivars Kalvāns: That is a broad question. But in short, it is based on the same principles as EMV cards are. Contactless EMV cards communicate over NFC with the terminal and do not need to be inserted into the card reader. NFC technologies are also limiting – contactless cards do not receive the result of transaction authorization and therefore transaction limits, PIN and risk parameters can’t be updated unless the card is inserted into a reader device. The consumer has to insert the card into a device every now and then just to keep it working.

Host Card Emulation (HCE) allows an application to emulate a contactless EMV card – it communicates over NFC with the terminal, but the application is also able to receive updates and authorization results over the internet. That solves the problem of contactless cards. But card emulation introduces new challenges as well, because EMV cards have tamper-resistant storage for cryptographic keys but most mobile devices do not. Applications solve this problem by storing cryptographic keys on servers “in the cloud”. If you wondered before, that is why HCE and Cloud-Based Payments are so closely tied together.

JAXenter: What are the challenges in bringing this tech to mobile banking?

Aivars Kalvāns: Today the biggest challenge is the lack of HCE support in iOS, which is one of the leading mobile operating systems in the western world. Android has had support for HCE since the beginning and now even BlackBerry and Windows support it. All we can do is to wait for Apple to change strategy regarding HCE.

The second challenge is the availability of devices (POS terminals) that accept contactless payments, but the number of those is growing and that is something the payment card industry can influence and change.

JAXenter: What are the benefits of making the switch for the industry? Are there benefits to the consumers as well?

Aivars Kalvāns: The biggest benefit compared to other new payment methods is the utilization of the existing payment card ecosystem: anywhere a contactless card is accepted, an HCE-enabled mobile device will be able to make a payment. That is something both the industry and consumers will appreciate.

Also, due to the nature of HCE, the device has to be connected to the bank’s system and the consumer can update expired cards and risk parameters wherever one is. Banks can utilize the mobile platform to collect geolocation and other information to prevent credit card fraud with physical cards, to provide personalized deals, information about partners and sales nearby.

JAXenter: Security is a major concern these days. How does a cloud-based payment system take this into account for consumers and enterprises?

Aivars Kalvāns: Cloud-based payments address security on multiple levels. Behind the scenes, a cloud-based payment system is made of several physical machines, safeguarded by firewalls and located on multiple different networks. Only one of the systems is accessible from the public network. All communication between machines, of course, is encrypted and responsibilities of each system are assigned so that even one compromised system can’t perform work on another system.

A lot of credit card fraud comes from low-security signature-based or card-not-present transactions. Unfortunately, those transactions are still supported to accept payments online and some countries still show low EMV card adoption rates. Cloud-based payments actually are made with a token or a proxy card that accepts only one secure type of transaction. Even when card data or transaction data is stolen, it’s not enough to create a fraudulent transaction.

Consumers will appreciate that physical wallets with RFID & NFC protection are no longer needed: in order to pay you have to unlock your phone and select a card from your mobile wallet. Furthermore, the consumer can choose an upper transaction amount limit, surpassing which the wallet will ask for an additional PIN code entry.

I would be confident to claim HCE payments are among the safest means of payment today.

JAXenter: Has the FinTech movement triggered a culture shift in credit cards and banking?

Aivars Kalvāns: Yes, definitely. I personally have mixed feelings about it because on the one hand banking needs to become more flexible and agile for today’s customers. But on the other hand, FinTechs are often neglecting exception cases like refunds and disputes and thriving because of the lack of regulations that banking has to comply with. Time will show and the best of both sides will combine and survive, which is good for us as customers.

JAXenter: What can attendees expect from your session?

Aivars Kalvāns: There’s a saying in Latvian that a small road bump flips over a big cart. In this session, I will show how the lack of small and cheap tamper-resistant storage on the mobile device has to be compensated with complexities in applications and backend systems to provide equivalent security features. Because I have hands-on experience of developing a cloud-based payment system, I will share some real challenges and amusing situations and issues we have faced.

Thank you!
