Driving Forward with Tokenization and HCE - An SPA Position Paper - October 2014
For a long time now, the retail payment market has been an exemplar of stability, with well-established and socially accepted payment methods and little incentive for breakthrough innovation. However, in the last five years, thanks to technological evolution and the impact of new market entrants, an unprecedented change in the way card payment instruments are issued and processed has been taking place.
Two key areas for driving this innovation are internet and mobile payments. Both have stimulated the emergence of new business models that have resulted in new players arriving on the retail payments scene. As a result, Tokenization by EMVCo and Google’s Host Card Emulation (HCE) have become part of the maelstrom. More recently we’ve seen Apple Pay step into the ring with a proprietary payment solution that uses a Secure Element – which is good news from a user security perspective.
Tokenization sets out to prevent card data from being compromised when sent over public networks or stored in large databases held by retailers. Bound to a single transaction or a particular transaction context, tokens are of limited or no value to fraudsters. So, while a security breach of a token database may give fraudsters access to tokens used in past transactions, these can’t be ‘replayed’.
Host Card Emulation (HCE), on the other hand, makes it possible for applications residing in a mobile device to use the device’s NFC interface to communicate directly with a contactless terminal. This means application owners do not need to negotiate terms with issuers of the secure element when deploying applications in NFC-enabled mobile devices.
At first sight, these two technologies appear to address different problems: Tokenization is all about security, while HCE is an NFC enabler. But in practice they complement one another rather well. For example, while HCE is not secure enough to permanently store static payment credentials, a token is a dynamic credential that’s created for the purpose of a one-time payment. In other words, HCE is the perfect use case for tokenization.
The SPA believes there is a growing trend towards omni-channel payment methods, irrespective of the purpose of the payment (person-to-person, person-to-small business, person-to-business). In this context, smart card technology, with different form factors adapted to different channels, provides the ideal central unifying technology foundation for the roll-out of safe payment applications.
In this paper the SPA clarifies the relationship between Tokenization and HCE, and evaluates the potential impact of Apple Pay. The SPA also sets out why smart card technology represents the perfect baseline for a new generation of payment instruments that fulfil the needs expressed by a variety of different stakeholders.