U.S. NFC Mobile Technology Adoption to be Spurred by the 'Big Three': HCE, BLE and EMV

Mobile NFC technology is in the running for widespread U.S. adoption for both non-payment and payment applications, with technologies and architectures like HCE, BLE and EMV complementing and propelling the technology forward, attendees learned at the 2014 NFC Solutions Summit. The 2014 NFC Solutions Summit, presented by the Smart Card Alliance in partnership with the NFC Forum and the NFC World Congress, was held last week at the Renaissance Arboretum Hotel in Austin.

Recently, attention has turned to Host Card Emulation (HCE), which unlocks the potential for NFC applications without the need for integration with the mobile device’s secure element (SE) or for the support of a trusted service manager. HCE enables quick and cost-effective NFC deployments, but it also raises the question–are its security capabilities enough for NFC payments and other secure applications?

“HCE is an architecture, not a solution,” said Ted Fifelski, the co-founder of SimplyTapp, the company that created HCE. “When it comes to levels of fraud and risk, HCE offer options. Enterprises need to ask themselves, ‘what are you protecting?’” and add levels of security they deem appropriate.

HCE is “another tool in the toolbox,” that will drive NFC adoption, said Erich Tompkins, the senior product manager, advanced mobility solutions at AT&T, but “the SE is the known good security model.” He said that the SE is the main building block for AT&T’s strategy, but that HCE can be complementary for non-payment uses cases like ticketing. Tony Sabetti, ‎director of merchant integration and commerce development at Isis agreed, saying that while HCE can get applications up and running quickly, he doesn’t see the hardware SE going away “anytime soon.” He said that cloud-based NFC solutions using HCE can bring about other burdens for data security: “cloud databases are good places to go hack.”

In his presentation, Michael Gargiulo, the principal consultant at TNG Technologies, talked about the HCE architecture and security considerations at the network, server and device level. According to Gargiulo, if HCE leaves data at rest in the phone at the operating system (OS) level, that data is “in the wild.” He said that potential security issues could arise from uninstalled OS security updates, ‘rooted’ phones, low-strength software security algorithms and capture of user-entered data.

NFC and Bluetooth Low Energy (BLE) will likely complement each other and coexist in the mobile ecosystem because their best use cases differ, John Ekers, the CIO at ABnote said in his keynote presentation. BLE’s quick coupling abilities are best for use cases that don’t require high levels of security, like in-store mobile marketing and gamification, and will drive consumers into stores and create interest. Payment, though, “is the ideal transaction for NFC,” Ekers said.