Mobile Payments – Picking Up Speed

Apple Pay is going to China, BlackBerry BBM Money is spreading through Africa, Samsung Pay is making inroads on Android—the whole mobile payment industry is catching fire. People are beginning to forget about the stumbles of MCX and other early attempts at mobile payments, which were breached so quickly after launch. Mobile payment providers still have to prove to consumers that they are reliable and secure. The catalyst that got people to start trusting and using their mobile devices for payments has largely been Host Card Emulation (HCE)—but is it really secure?

HCE Accelerating Mobile Pay Adoption

HCE creates an exact software representation of the card’s payment information, in effect replacing the physical card for payment transactions. The payment data is encrypted on the device and in transit, and some payment providers also tokenize the payment at the point of transaction. The major problem with HCE is that it is a less secure technology than a hardware Secure Element for devices that use Near Field Communication (NFC) with contactless terminals. However, the ease with which HCE works with NFC is one of the principal reasons for the rapid spread of mobile payments. For context, there will be over 1 billion NFC-enabled devices by 2018. The caveat is that the simplest development path to meet demand is not always the most secure one. What are some of the security pitfalls of HCE?

HCE is Vulnerable

HCE allows a credit card to be emulated on a mobile device without using a Secure Element (SE). Instead of the transaction being routed to a hardware-based SE, the data is sent directly to a smart card application running on the host CPU. When a mobile app is used with a contactless terminal—which is essentially a card-not-present transaction—HCE enables the NFC payment with credentials stored in the main memory of an NFC-enabled device or in the cloud.

That brings us to the Android OS, the most widely used mobile OS on the planet. Android users are able to root a device, that is, gain administrator (“root”) privileges, and on a rooted device it no longer matters which mobile payment application is in use: other apps, including malware, that obtain the same privileges can read payment card data and personally identifiable information (PII). Mind you, more users are on Android worldwide than on any other OS, so malware with root access is a significant point of attack for mobile payments on millions of devices. In addition, any lost or stolen mobile device is subject to having its memory read by another device, especially if the owner has enabled root access. Other forms of cyber attack will continue to get more sophisticated as HCE is implemented on more mobile devices. But as of now, the only way to defend against exposing valuable PCI data or PII is cloud tokenization.

No Tokenization = Find Another Mobile Payment Provider

Cloud tokenization is the one mainstay in the data security industry that removes toxic PCI data, PII, PHI (protected health information), or any other data set from back-office IT or mobile environments without negatively impacting any of your business processes. Let’s be clear: tokenization does not stop a data breach or malware infecting a mobile device, but it removes the sensitive data, so cyber thieves can’t steal what’s not there. Cyber thieves are working very hard to come up with new ways to steal valuable PCI data and PII from mobile devices. If a mobile payment solution does not use cloud tokenization in the payment process, then it is simply not worth the risk.
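As an added illustration of the split described above (HCE credentials sitting in device memory versus a cloud token vault), the following Python sketch is not TokenEx’s code or API. It assumes a random, format-preserving token that keeps the card’s last four digits and is deliberately made to fail the Luhn check; the vault, the device store and the "payment-processor" role are hypothetical names.

```python
import secrets
import string

# Added illustration, not TokenEx's product or API. Assumptions: tokens keep
# the card's last four digits, are random otherwise, and are forced to fail
# the Luhn check so a leaked token can never pass as a real PAN.

def luhn_valid(number: str) -> bool:
    """Standard Luhn check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class CloudTokenVault:
    """Server side: the only place the real PAN is stored."""
    def __init__(self):
        self._vault = {}  # token -> PAN

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._vault and not luhn_valid(token):
                self._vault[token] = pan
                return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the payment processor role may map a token back to a PAN.
        if caller_role != "payment-processor":
            raise PermissionError("detokenization not permitted for " + caller_role)
        return self._vault[token]

class DeviceCredentialStore:
    """Handset side (HCE app): holds the token, never the PAN."""
    def __init__(self):
        self.memory = {}

    def provision(self, vault: CloudTokenVault, pan: str) -> None:
        self.memory["card"] = vault.tokenize(pan)  # PAN leaves the device here

    def dump(self) -> dict:
        """What a root-level reader of device memory would see."""
        return dict(self.memory)
```

Dumping the device store after provisioning yields only the token, which fails the Luhn check and resolves to a card number only through the vault's role-checked detokenize call.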

The TokenEx cloud tokenization platform is PCI-compliant software. Remember, you can’t steal what’s not there.
