Host card emulation

Host Card Emulation (hCE) is the presentation of a virtual and exact representation of a plastic card or a Digital Card using only software over NFC protocol. Prior to the hCE architecture, NFC contactless transactions were mainly carried out using the Secure Element. hCE enables any kind of institution to offer card solutions more easily through mobile, closed-loop contactless payment solutions, real time distribution of cards and allows for an easy deployment scenario that does not require them to change the software inside the terminal.

hCE describes the ability to transact with remotely operated "cards" in smartphones. At that time BlackBerry had played around with a similar functionality, calling it virtual target emulation; it was supposed to be available through the BB7 operating system, which was run by the Blackberry Bold and Torch devices. Prior to hCE, card emulation only existed in physical space, meaning that a card could be replicated with multiple-purpose Secure Element hardware that is typically housed inside the casing of a smart phone.

After the adoption of hCE by Android, Google had hoped that by including hCE in the world's largest mobile operating system (which by that time covered 80% of the market^{[citation needed]}), it would offer the Android payments ecosystem a chance to grow more rapidly while also allowing Google themselves to deploy their Google Wallet more easily across the mobile network operator ecosystem.

However, even with the inclusion of hCE in Android 4.4 KitKat, the banks still needed the major card networks to support hCE. Four months later, at Mobile World Congress 2014, Visa and MasterCard made public announcements placing their support behind hCE.^[1][2]

On December 18, 2014, less than ten months after Visa and Mastercard announced their support for hCE, Royal Bank of Canada (RBC) became the first North American financial institution to launch a commercial implementation of mobile payments using the HCE technology.^[3]

NFC has faced adoption issues due to lack of infrastructure (terminals) and the Secure Element approach preventing organizations with the desire to participate in mobile payments from doing so due to the high up-front capital costs and complex partner relationships.

By supporting hCE in Android 4.4 KitKat, Google enabled any organization that can benefit from the NFC technology to do so at a relatively low cost. Some areas the new hCE architecture can support include payments, loyalty programs, card access and transit passes.

Host Card Emulation is the ability for Near Field Communication information transfer to happen between a terminal configured to exchange NFC radio information with an NFC card and a mobile device application configured to act or pretend to emulate the functional responses of an NFC card. hCE requires that the NFC protocol be routed to the main operating system of the mobile device instead of being routed to a local hardware-based Secure Element (SE) chip configured to respond only as a card, with no other functionality.^[4]

Since the release of Android 4.4 KitKat, Google has implemented hCE within the Android operating system.^[5] Google introduced platform support for secure NFC-based transactions through Host Card Emulation (hCE), for payments, loyalty programs, card access, transit passes, access-control and other custom services.^[4] With hCE, any app on an Android 4.4 device can emulate an NFC smart card, letting users tap to initiate transactions with an app of their choice. Apps can also use a new Reader Mode so as to act as readers for hCE cards and other NFC-based transactions.

The first known mobile handset to support anything like hCE outside of the Android family was the Blackberry bold 9900 that was first available in Thailand. released together with Blackberry 7 OS.^[6]

CyanogenMod operating system was the next known mobile device operating system to support hCE ^[6] through the effort of modifying the NXP NFC stack known as libnfc-nxp, the NFC service manager, and operating system APIs by Doug Yeager. The OS APIs were adapted to include two new tag types that were called ISO_PCDA and ISO_PCDB which are also known terminal or PCD standards. This would imply that you could "read" a tag in the same manner that you could read a terminal..

hCE in the form of "hCE+" (Host Card Emulation Plus) or "hCE2" (Host Card Emulation 2) is widely used as a proprietary hardened security development of the standard hCE by CardsApp in east Asian market, mostly for access-control, loyalty, payment and identification. In 2012 CardsApp has declined^[7] the use of standard hCE claiming it has major security flaws.

Payment and identity transactions are prone to security risks. Standard hCE allows the transmission of unsecured plain-text data which could sometimes contain full card identification strings if not encrypted by host. There are two main approaches to high-risk data transmission using hCE:

1. Untokenized transaction - sending data plain-text as is without any limitation, prone to POS decision.
2. Tokenized transaction - generation of external issuer token, limited to the sum authorized by the consumer and also expired as a certain time limit. Token is then sent by the POS to the issuer, requesting the approval and charge or identification of consumer linked to the token.

hCE is used to allow transactions between smartphones and other credential acquiring devices. Those devices may include other mobile devices, contactless point-of-sale terminals, transit turnstiles, or a variety of access control touch pads. For example, Android developers can leverage hCE to create specific payment experiences, such as using hCE to enable a mobile application as a transit card.^[8]