Monday, March 19, 2018

HCE: Host-based Card Emulation 2/2

Hola!!!! Man!! this post really took its time! But glad it made it :D

Welcome back, hope you have been doing good.
In my last post we were discussing basics of NFC and what do HCE really means.. in case you missed it please take your time and read that first before proceeding with this blog. Else you may find yourself TOTALLY LOST.

Read it here :

Ok!! I've read it already!!!
Kool enough, let us begin with our part 2 of understanding HCE. Out here we will discuss a bit about what it takes to build an application that will use the features of HCE.

As described earlier, HCE enables application to emulate a card and perform APDU exchanges without the need of secure element.

Some Basic Terminologies:

  • APDU : Application Protocol Data Unit, they are nothing more than data & commands in Hex (Hexadecimal) values, the POS terminal will only be able to communicate using this data format.
  • AID : Application Identifier, treat them as a name for the application that terminal wants to talk to. Again the name is coming from Terminal therefore expect it to be an APDU.
Thats it, you don't need any more terminologies to remember ;)
Going forward we will keep on using these to explain things better.

Okay, so...whats next?
Next let's try to understand what exactly happens when you tap that card on the terminal for contactless. Why are we talking about cards??? Well, the entire concept of HCE (Host Card Emulation) is about emulating an existing behavior of Card communication with the terminal in order to leverage the existing infrastructures.

Okay..! what happens between Card and Terminal (a.k.a POS)
Remember, between card and POS, the POS tries to be a hero who do all the talking but is actually the dumbest guy because all he do is asking question to the card. Whereas, the card is that cool guy who has all the right answers!

Following is their chat in  human readable format:

POS: Hey Dude, What do you support?
Card: I support Mastercard applet with AID 1234
POS: Hey AID 1234 please tell me if about yourself
Card: Okay, here is some basic info in clear
POS: Thanks, but can you also give me some secret info to complete payment, i need it for approval from your issuing bank
Card: Sure, @#$@SFGSDF@# take this encrypted value, and share it with my issuer for approvals
POS: Alrighty! Thanks!

Now, note, that the communication between POS and Card is via APDU.

With the above understanding, all you as an app developer have to do is emulate the same behavior (i.e. the behaviour of the card) from your application.
i.e. You will need to interpret the APDU commands, expose and AID to which POS will talk to and generate the Card profile (i.e. the card basic info) and the Cryptogram (i.e. encrypted data for bank verification).

Hope this blog was able to help you understand how things work for HCE! In order to build application using HCE you will need critical parties to come together (i.e. Issuers & Card Schemes) to provide you necessary keys and data formats in order to enable payments through your app.

Food for thought: Payment apps are not the only thing that can be developed leveraging HCE!