How Host Card Emulation (HCE) Works

By Robert R. Sabella

Host Card Emulation (HCE) has its genesis in the Interfaces Task Force of the NFC Forum, circa 2007. By 2010, all Near Field Communication (NFC) controller vendors had incorporated support for HCE into their silicon. BlackBerry 7 phones incorporated the first commercial version of HCE, called Virtual Target Emulation, in the summer of 2011.

But despite the hardware support for HCE in NFC chipsets, no developer access to HCE features existed in the other major smartphone or PC platforms that supported NFC.

Doug Yeager and Ted Fifelski, the founders of SimplyTapp, Inc., began experimenting with HCE in 2012. They modified a customized version of Android, called CyanogenMod, to enable the HCE features in the NFC controllers used in Android smartphones.

Deploying and using their HCE features required rooting (also known as jailbreaking or simply becoming a superuser) an Android phone and replacing its operating system. But despite this commercial friction, they generated a lot of buzz in the NFC developer community by pioneering the OS changes required to make HCE work in Android.

Yeager and Fifelski’s early work caught the attention of the Wallet team at Google and, subsequently, Google’s Android team incorporated its own HCE functionality into the base Android Open Source Platform, making HCE available to all Android OEMs and developers. This Android HCE functionality was initially released with Android KitKat in the fall of 2013.

Prior to HCE, a smartphone required a Secure Element (SE) to complete a transaction, which increased complexity, added hardware requirements, and made smartcard emulation unavailable to less expensive devices. Most important, the previous way of doing things tended to limit the penetration of NFC in the marketplace. The figure summarizes the changes that have occurred with the advent of HCE.

Figure: An overview of how HCE works.

Even though HCE was available commercially in Android in 2013, it wasn’t successfully implemented in OEM smartphones until 2014, when MasterCard and Visa both expressed their support for the technology. In December of that year, the Royal Bank of Canada (RBC) became the first bank to begin using HCE. HCE is still a new technology.

However, the newness of HCE hasn’t stopped companies such as CardsApp from introducing a security-hardened version of HCE called HCE+, which mainly sees use in Eastern Asia. In this case, the update requires the addition of security policies such as online credit card tokenization and PIN code entry for contactless payments.

These updated forms of HCE are proprietary, of course, which locks you into using a particular vendor in many cases. The fact that these updates exist at all points to potential changes in HCE in the future: the updates could become part of the specification at some point if they prove useful and reliable.