HCE Service Launches EU PSD2-Compliant Mobile Payments Solution


The EU (European Union) PSD2 (Payment Services Directive 2), which will apply from January 2018, aims in particular at ensuring that all payment services offered electronically are carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud.

October 23, 2016 – Money2020, Las Vegas – HCE Service announces the launch of its PKI-based (Public Key Infrastructure) “SWIM” (software wireless identity module) platform which ensures the highest degree of security and safety in terms of authentication while enabling user-friendly, convenient one-click NFC/in-App/Web payments. SWIM already complies with the PSD2 Regulatory Technical Standards requirements of strong (two-factor) customer authentication (SCA).

With the open and insecure mobile Internet, higher levels of security, other than a simple password and ID presentation, have to be introduced to limit payment fraud. PSD2 mandates Regulatory Technical Standards (RTS) on authentication and communication (Article 98):

  • Ensuring the safety of users’ funds and personal data;
  • Allowing for the development of user-friendly, accessible and innovative payments.

RTS specifies that strong customer authentication must use two of the three factors:

  • Knowledge (something only the user knows),
  • Possession (something only the user possesses), and
  • Inherence (something the user is).

Article 97(1) of PSD2 requires that payment service providers apply strong customer authentication where the payer:

  • Accesses its payment account online;
  • Initiates an electronic payment transaction;
  • Carries out any action through a remote channel with potential fraud risk

“The launch of our SWIM solution leverages proven secure technologies to be PSD2 compliant no matter what the application, account to account faster payments, use of blockchain technology in payments, and of course HCE mobile payments which are growing rapidly,” said Dr. Chandra Patni, CEO, Founder and Director of HCE Service Limited. He added, “SWIM delivers HCE EMV mobile payments and other value-added services to banks and wallet providers, at the lowest possible costs.”

The SWIM platform uses PKI security measures to protect the confidentiality and the integrity of the Payment Service Users’ (PSU) personalized security credentials as well as ensuring secure communication. “Host Card Emulation” (HCE) tokenized cards are securely delivered to mobile devices using public/private key pair digital identities. Hence, public key cryptography within secure software white boxes on mobile devices ensures user and tokenized card data integrity.

SWIM protects the confidentiality and integrity of users’ personalized security credentials:

  • Data on personalized security credentials are masked when displayed and not readable in their full extent.
  • Personalized security credentials data as well as encryption cryptographic keys are not stored in plain text and can only be used in tamper resistant whiteboxed cryptographic processing environments.

SWIM security measures prevent unauthorized use of the personalized security credentials and of the authentication devices and software due to their loss, theft or copying. SWIM ensures:

  • Secure bilateral identification when communicating between user’s device and the tokenization host.
  • Protection against misdirection of communication to unauthorized third parties.
  • All payment transactions and other interactions with the user are traceable, with post event audit.
  • All communication session use unique identifiers, log transactions and are network time-stamped.

About HCE Service

HCE Service Ltd, UK and HCE Secure IT Services (Pvt) Ltd, India deliver innovative, secure and exciting mobile tokenization services to its card-issuing customers globally with the aim that their consumers can use SWIM secured mobile apps and contactless NFC mobile payments at points-of-sales. HCE’s state-of-the-art hosted infrastructure provides services to telecom, transport and retail enterprises as well as banks and other financial institutions. Our SWIM (Software Wireless Identity Module) solution provides strong cryptographic security to a wide range of applications and services on mobile devices. Our MAP (Mobile Application Platform) host provides the most advanced HCE EMV card/token issuance payment service for most card/token issuers.

First appeared at LTP