And so it begins.An announcement earlier this week by the Spanish bank BBVA
is potentially of seismic importance in the NFC payments space. The bank has confirmed that it has now commercially launched an NFC solution based on HCE (Host Card Emulation), thereby becoming the first global bank to implement NFC on this basis.
It has also confirmed that it will be rolling out the solution in a number of other markets in the short term, including the US, Mexico and Chile.
A number of objections have been raised against the HCE-based model of NFC – notably around the relative security of the solution when compared with a SIM-based secure element – although it should be pointed out that those decrying HCE’s solutions the loudest are those who have a stake somewhere along the line on the SIM side of things. Furthermore, both Visa and MasterCard have given their blessing to HCE: indeed, it is due to Visa’s endorsement and support that BBVA has made the leap to a cloud-based solution.
The real question here is therefore, not whether HCE as secure as a SIM-based SE, but is it sufficiently secure for the leading financial institutions to deem it capable to supporting their transactions without there being any more than negligible risk of fraud or data theft. No solution is foolproof, and both banks and card providers will be acutely aware that one such theft could be enough to bring the whole mobile contactless house crashing down around them, particularly so given the nascent state of the technology and of consumer acceptance of/confidence in it. Thus, given this awareness, one would assume that before providing endorsement, Visa, MasterCard and all would have subjected it to fairly rigorous tests; it will not have been pushed through on a nod and a wink.
The crux of the matter is that HCE offers financial institutions the potential to integrate NFC into their banking applications without having to involve the network operator; it means (a) that they continue to control the customer and (b) that the model might now actually make financial sense. However, despite their enthusiasm for showing the network operators the door at the earliest opportunity, it is unlikely – highly unlikely – that that enthusiasm would translate into disregard for their customers’ transactional security and hence a disregard for their own brand strength and reputation.
A final point. Back in the late 1980s, two UK satellite broadcasters, Rupert Murdoch’s Sky and British Satellite Broadcasting (BSB) were vying to become the first to launch commercial services, and to deliver those services in an encrypted manner. Murdoch, who had originally wanted to broadcast- “in clear”, was persuaded of the need to encrypt by the various rights holders, and announced that he would be using a smartcard-based service, VideoCrypt, developed by a News Corporation subsidiary. The then UK regulator, the Independent Broadcasting Authority (IBA) believed that the solution would not be successful; that it would not be possible to encrypt the PAL standard used by Sky.
They were wrong; it was.
At the same time, General Instruments had developed an extremely secure encryption chip for BSB’s service. However, this security proved to be its downfall. The chip had apparently been too secure - General Instrument's previous work for the US military had enabled them to produce designs which would thwart not only everyday hackers seeking to avoid subscription payments, but also the determined efforts of British Intelligence. this necessitated General Instruments having to go away and redesign the chip.
As a result of this, Sky was first to market.
Sky is still with us today.