Mobile wallets have gained significant traction in the Indian payments space with transaction volumes increasing from 33 million in 2012-13 to 55 million in 2014-15. The primary advantage of mobile wallets is that they fulfil the changing needs of merchants and consumers with the growing use of mobile devices to conduct financial transactions. They benefit both parties by eliminating the use of cash, enhancing the customer experience and reducing transaction costs.
However, the perception of risks associated with the adoption of these virtual prepaid instruments poses a major challenge. This is because of the lack of maturity in the mobile banking space owing to new technologies, new inexperienced entrants in the ecosystem and a complex supply chain. Many of these new entrants are innovative and dynamic but have limited experience in addressing security issues. Besides, new privacy risks have been brought to light with huge amounts of personal data being collected by wallet applications. Mobile wallet companies, therefore, need to incorporate more advanced security features in their platforms, without compromising on the user experience and convenience.
In this context, host card emulation (HCE) technology has emerged as a potential solution. The technology is based on tokenisation, that is, the use of virtual numbers or tokens as pseudo credentials, which are transmitted through mobile wallets instead of actual card credentials. The token can be any 13- to 19-digit numeric value, similar to the standard card credentials, which complies with the basic validation rules of a payment card. The transmission of tokens from the payer to the payee can be achieved through multiple technologies such as peer-to-peer near field communication (NFC), NFC card emulation, QR (quick response) code as well as Bluetooth low energy. There is no need for SIM replacement in the case of HCE technology. Moreover, unlike Apple Pay and Samsung Pay, which work on only Apple and Samsung smartphones respectively, HCE operates on all open channels without any specific operating system requirements.
There are several in-built security features in the HCE platform. For one, the tokens are encrypted using triple-data encryption standards. Besides, these tokens have a limit, and once a token is used or removed from the network, it cannot be re-used. This makes mobile wallets much safer than physical cards of Europay, MasterCard or Visa, which can be grossly misused if they are stolen or cloned.
By using smart tokens, mobile phones can be used instead of cards for ATM withdrawals. The tokens can also be set with limits on the amount that can be withdrawn from ATMs, thus helping decrease the transaction time. The tokens can be configured to perform peer-to-peer transfers such as transferring money to friends and family and making merchant payments. Besides, tokenisation makes online payments predictable, reliable and secure. Smart tokens can also be used for in-app payments.
Moreover, HCE technology enables banks to own and operate their own wallets, thereby eliminating the need to partner with third-party wallet providers who charge high transaction fees (such as Apple in the case of Apple Pay and Samsung in the case of Samsung Pay), which undermines the importance of the bank partner. There is a lot more innovation that a bank can do when they own the entire tokenisation platform. Banks have the ability to monetise the token platform for other use-cases such as token-based ATM withdrawals and peer-to-peer transfers.
Usage in India
ICICI Bank is the first bank to launch HCE payments in India and South Asia with its Pockets app. The app enables customers to store virtual versions of their physical Visa and MasterCard cards on its cloud server. At the time of making a payment at any point of sale, the customer simply taps his/her phone, and a one-time unique token number is generated by the bank’s server, which is encrypted and sent to the merchant’s terminal without disclosing any card information. The customer receives the charge-slip from the merchant along with a text message as confirmation.
HCE and tokenisation are viable solutions available today that can improve security and reduce fraud risks in payment systems. Encryption protects card data in transit from the point-of-capture to authorisation. Tokenisation protects data-at-rest in post-authorisation data stores and applications. These features also preserve the integrity of electronic payments and reduce the loss of vast sums in payment frauds.
Based on a presentation by Kamaljeet Rastogi, Global Head, Business Development, Mobile Financial Solutions, Mahindra Comviva, at a tele.net conference