Making online payments using NFC is safe, here's how

Making online payments using NFC is safe, here's howNear-Field Communication (NFC) is a set of protocols that allows two devices placed within a few centimeters of each other to exchange data. For this, both devices must be equipped with a NFC chip.

There are two ways in which NFC works. One is two-way communication involving two devices that can read and write to each other, for instance, two Android phones touching each other to transfer photos or contacts. The other is one-way communication, where a powered device such as a smartphone reads and writes to an NFC chip.

Presently, NFC is being used in many ways, including:

  1. NFC business cards that contain an NFC tag inside. You can tap it with an NFC mobile phone to link to online content.

  1. NFC lock doors can be operated with the tap of a smartphone, and allow homeowners to control access, send keys to others, and receive notifications when someone uses the lock.

  1. Libraries use NFC sticker tags to create 'smart' books. For instance, to make it easy to access book reviews, the tags can be placed on a book's cover and program so that it links to a reviews page, and helps users understand if that's the book they want.

  1. NFC mobile payment, which works like any other contactless card payment. Apple Pay is a good example; NFC-equipped iPhone or Apple Watch stores encrypted details of the user's debit or credit card information. When you tap your iPhone on a retailer's reader, your identity is confirmed via PIN or Touch ID sensor, and payment is made automatically.


Mahindra Comviva's mobiquity® Wallet is one of the first wallets to use NFC, QR code, biometrics and Bluetooth low energy (BLE) to simplify payments and facilitate mobile commerce. It works off the cloud-based Host Card Emulation (HCE) technology, which emulates a payment card on mobile devices using only software. Google's support for HCE in the KitKat OS jump-started the new technology, with Visa and MasterCard in the process of rolling out HCE-based projects in some countries.


HCE is the alternative to Secure Element (SE), which works like a smart card in a phone protected against tampering by a restricted access interface and strong encryption. In SE NFC payments, the payment app holding the payment credentials are stored in a tamper-proof hardware model called the Secure Element, which has a direct connection with the NFC controller. This is also the SIM SE owned by the mobile operator, indicating the operator 's role in provisioning the payment app. Before Android 4.4 KitKat, SE was the only available solution to emulate card payment on an Android device.

Host Card Emulation presents a short-cut for mobile NFC payments. Banks can use it to launch mobile NFC products without requiring the use of the Secure Element or SIM. Instead, the mobile device operating system can communicate directly over the NFC interface in card emulation mode. Banks have the flexibility to provide NFC products without cooperation from mobile operators, and can hence eliminate complexity and save costs.

What are the advantages of breaking the dependency on SE?

The opportunities presented by HCE are not limited to mobile payments, but also extend to other applications, including card access, transit passes and loyalty programs. There are three distinct benefits of breaking the dependency on SE :

ñ A more open system with a lesser reliance on carriers, issuers and trusted service managers
ñ There is no longer a need for complex SE cards provisioning
ñ It offers the ability to use multiple NFC wallets on the same device without SE storage size or compartmentalization worries

HCE supports NFC without the requirement for any infrastructure change; it can easily work with a current, NFC-enabled POS terminal device. This is beneficial for merchants with already established POS systems. They don't have to invest in pricey hardware to accept payments via emulated cards.

But is HCE more secure than SE?

As a physical secure element is not involved in HCE, there are some misgivings about the security offered by this technology. However, this is more a matter of perspective. In HCE, card data is not stored in the SE; rather, tokens are downloaded to the device and used to complete point-of-sale transactions. In the event of a security breach, only a limited amount of tokens of low transaction value would be exposed, and not the account itself. This can be viewed as a good balance of risk and reward. As the value of the token is very low, there is no requirement for the highest level of security.

It doesn't of course mean that security can be discounted. The risk posed by a lack of hardware security can be addressed by incorporating additional security layers, such as white box cryptography and securing the communication channels between the device and server.

HCE can simplify the business model, drive up processing speed and power, deliver greater storage capacity, and provide more control over projects.

(The article is authored by Srinivas Nidugondi, Senior VP & Head of Mobile Financial Solutions, Mahindra Comviva)

(Image: Thinkstock)