An Android phone enabled with NFC, and running KitKat will soon be able to be used in place of a credit card with payWave technology.
The Host Card Emulation (HCE) system developed by Cuscal avoids the need to access the secure element of an Android phone, by moving its functionality into an application that negotiates with the NFC controller within the device. Usage of HCE currently requires an active internet connection, due to the need for the device to communicate with Cuscal's datacentre to authorise payments. With a 4G connection to an Android device, Cuscal says that all the communication needed to authorise should occur in under 400 milliseconds.
The system is currently being piloted internally by Cuscal staff, and is slated to be released to Cuscal clients — which include the National Bank of Australia, Bank of Queensland, and the majority of Australian mutual and credit unions — by the middle of the year.
Upon installation of a compatible app, whether developed by Cuscal or a client institution, a two-factor authentication procedure is initiated to pair the device with the correct credentials, with payment details contained within Cuscal instead of on the device.
Adrian Lovney, Cuscal general manager of product and service, said HCE allowed Cuscal and its customers to avoid rentseeking telcos and handset manufactuers.
"Getting payments inside phones has traditionally been difficult because of the need to coordinate multiple parties such as trusted service managers, handset manufacturers, and telecommunications providers," he said.
"The HCE approach simplifies this while maintaining the highest level of payment security for cardholders."
Stephen Karpin, Visa group country manager for Australia, New Zealand, and South Pacific said that with 40 percent of Visa transactions in Australia already taking place via contactless payments, it was important to bring secure mobile payments to consumers.
Brian Parker, CIO of Cuscal, said HCE was enabled by the introduction of functionality within Android KitKat to allow the NFC controller to receive payment credentials from sources other than the secure element, and he was confident that security had been addressed in the new offering.
"We are the party that holds the trust between the customer and their financial institution. If we let down that trust, then we haven't got a business model," he said.
"That's our business, we have expertise in it, and that's why we are confident in releasing this sort of technology, where others may not.
"You need to have a real strong security focus to access the keys that are required to create these cryptograms that Visa can than rely on to say that the transaction is ok."