Visa and MasterCard have announced support for host-card emulation and cloud-based payments, with Visa saying it already had initial standards ready and noted endorsements from banks in the U.S., Australia and Canada.
While Visa, the world’s largest payment network, continues to support payments with its application on secure elements, throwing its support behind cloud-based payments and host-card emulation, or HCE, is expected to offer strong momentum for the technology.
Such banks as U.S. Bank, Australia’s ANZ and National Australia Bank and Royal Bank of Canada, or RBC, endorsed the move. RBC has already launched a cloud-based payments service that uses a hybrid technology combining cloud-based payments with a small applet and cryptographic tokens on secure elements.
Shortly following the Visa announcement today, MasterCard also announced that it would publish host-card emulation specifications, during the first half of 2014. It noted that Capital One in the U.S. and Spain-based Banco Sabadell have trialed the technology with MasterCard PayPass. Google also uses HCE with PayPass for its Google Wallet in the U.S. on its Nexus 5, under waiver from MasterCard. The Nexus 5 is the first Android device that supports Android 4.4, or KitKat. It’s also the first device that supports HCE as a default.
As NFC Times reported earlier today before the announcements, Visa, MasterCard and other major payments schemes have been drafting standards for months to enable use of their applications with HCE.
HCE enables issuers to put their applications in the cloud, while still using the growing base of contactless point-of-sale terminals, which MasterCard estimated at 2 million contactless merchant locations globally.
The transactions would continue to use NFC’s card-emulation mode, but instead of the communication being routed from the POS terminal through the NFC controller to the secure element, it would go from the controller to the smartphone's host processor.
From there, it could go to the banks’ servers, either for the actual credentials or, more likely, to refresh preloaded tokens that would act as cryptograms to communicate with the POS terminals during the actual transactions.
These are then passed on to the host issuer to authorize the transaction, which must be authorized online. Storing the tokens on the phone avoids the need to rely on sometimes spotty mobile network coverage at retail locations during the transaction, which could threaten the user experience.
The specifications that Visa, MasterCard and such other schemes as American Express have been drafting would define what issuers and their HCE vendors would put in the cloud, as well as on the mobile device, including how the tokens would work, sources told NFC Times.
It remains to be seen how ready the payment schemes are with specifications. They have been fast-tracking them.
Visa said that it’s offering the cloud-based payments support as one option for banks that want to introduce Visa payWave applications on NFC phones. With HCE, banks and other issuers would be able to avoid working with mobile operators or other secure element owners. Visa said in its announcement that it is extending the standards, tools and other services that make up its Visa Ready Program to issuers that want to launch Visa-branded NFC-mobile payments in the cloud.
“The Android HCE feature provides us with a platform to evolve the Visa payWave standard, support the development of secure, cloud-based mobile applications, while at the same time offer greater choice to our clients,” Elizabeth Buse, executive vice president for global solutions at Visa, said in a statement.
Visa also said future versions of its standard would support QR codes and in-app payments.
MasterCard called HCE an “open architecture” that could be used for nonpayment applications, as well, such as loyalty programs, building access and transit passes.
“Consumers are now shopping and paying in whatever way best fits their needs and lifestyles–and from every device they own, said James Anderson, MasterCard’s group head of mobile. “To meet their expectations for convenience, we need to accelerate the availability of services in the market. The use of HCE provides a very attractive way forward to launch an increased number of NFC-based offerings.”
Questions remain over the security of cloud-based payments, but the endorsement by Visa and MasterCard today does much to reassure banks.
Visa in its announcement said it would “deploy several layers of security to protect payment accounts in the cloud.” That will include one-time use data, real-time transaction analysis, payment tokens and device fingerprinting technology.
Visa said it would also release a software development kit for banks to use develop their own applications or to add payments with payWave to their mobile banking applications.
And the payment network will enable banks to issue payment tokens, which would replace the 16-digit PANs “and can be limited for use with a specific device, payment channel or merchant.” These tokens are different from the tokens that are similar to cryptograms that would be stored on phones to communicate with POS terminals offline in HCE implementations.