Tap it up

Host card emulation is set to revolutionise the way we shop offline and online.

[Photo: Nilanjan Das] [Photo: Nilanjan Das]

Imagine walking into a department store, picking out all the things you need (and don't really need), and queuing up at the billing counter only to realise that you forgot your wallet at home. Usually, walking out empty- handed is the only option. Today, enabling virtual cards on your phone can save you this ordeal and, perhaps, you can make 'forgetting wallet at home' a usual practice.

Touted to be the future of mobile payments, a virtual card is securely saved on the cloud to let you transact without producing a physical card or entering a PIN at the merchant's. The host card emulation (HCE) technology enables a computerised emulation of your physical debit/credit card on your smartphone within a bank's mobile app. HCE for offline retail works closely with Near Field Communication (NFC), and both the smartphone and the point-of-sale terminal or machine need to be NFC-enabled for the transaction.

ICICI Bank has already leveraged HCE technology to launch India's first contactless mobile payments solution, which is available in the bank's 'Pockets' app, eliminating the need to carry a physical card or cash to pay in stores that support contactless payments. The virtual card stored on the phone bears a different card number, while the credit limit and expiry date remain the same as on the physical card. A customer needs to just wave the NFC-enabled mobile phone with the virtual card in front of the terminal to make a payment. Launched in April this year, the bank claims that close to 2,500 of its customers are already using this technology.

Kusal Roy, Senior General Manager and Head-Payments and Unsecured Loans, ICICI Bank, hails it as a game changer. "It is like magic. Plastic cards are dematerialising. Since this is a cloud-based technology, it can enable a large number of customers to avail contactless payments without the hassle of re-carding their existing physical card."

HDFC Bank is also working on a mobile payments service that will support NFC-, HCE- and QR code-based payments. This will be integrated in the bank's PayZapp mobile app that contains a prepaid wallet and a virtual prepaid card. SBI Cards, too, is working on the same technology. However, there are only 100,000 NFC-enabled terminals across the country that accept contactless (or tap and pay) payment solutions. By the end of March next year, the industry expects close to 200,000 terminals to come up.

Parag Rao, Country Head - Cards, Payment Products & Merchant Acquiring Services, HDFC Bank, vouches for the security and convenience of HCE. "With the explosion of smartphone adoption in India, most consumers already have a high-end device that can initiate NFC transactions. Hence, HCE has the potential to become a popular alternative form of payment from the mobile. This technology offers increased transaction security on mobile since the card credentials are tokenised, and also helps in device identification and other validations. It rides on the EMV contactless acceptance infrastructure, which is already in place in India," he explains.

This technology can be used for online transactions as well. For instance, ICICI Bank has launched a quick checkout facility for existing credit and debit customers wherein nothing has to be keyed in. The verification is done within the phone itself and the customer has to only enter the CVV number to make a payment. The service is currently live on a few select websites.

What's the Big Deal?

While it all sounds fancy, do we really need this technology, especially since the standard procedure of swiping cards is convenient and popular?

Experts say that making payments through the HCE client app is quicker - it only takes one-fourth of the time to make the payment in comparison to regular swipe/chip payment methods. But the biggest benefit of HCE is that it makes transactions much more secure. Whenever you swipe your card, all your personal account details are passed on to the merchant; but not with HCE. On your smartphone only the last four digits of your virtual card will be visible as you tap to make the payment. A one-time unique token number is created by the bank's server, which is encrypted, and sent to the merchant's terminal, without disclosing any other information.

"Card tokenisation for data security is used where it substitutes sensitive data with a token, which in turn traces back to the card details. While making payment, the user does not share card details with the merchant, but only the token. It reduces the risk of accidental exposure or unauthorised access to sensitive card data," explains Vijay Jasuja, CEO, SBI Cards.

The chances of a virtual card being misued are almost negligible. Firstly, virtual card payments can be done only through the registered SIM. Secondly, even if a customer loses his/her mobile phone, there would not be any loss of confidential information, because the virtual card - accessible only through the app - requires the MPIN, which only the card holder has. Besides, even if the app has been launched, the session expires after 10 seconds, which reduces the chances of misuse to a great extent. Lastly, as per RBI regulations, only transactions of up to Rs 2,000 can be performed using mobile contactless solutions. There is still a long way for HCE's popularity to pervade, but when it does, pickpockets will be out of business.