What is a Secure Element (SE)?
GlobalPlatform defines Secure Element (SE) as a tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data in accordance with the rules and security requirements set forth by a set of well-identified trusted authorities. Put simply, a Secure Element can be considered to be a chip that offers a dynamic environment to store data securely, process data securely and perform communication with external entities securely. If you try to mess with it by tampering in any form, it may self-destruct, but will not allow you to gain unauthorized access.
While not all NFC applications require security, those that involve financial transactions do. The Secure Element resides in highly secure cryto chips. It also provides delimited memory for each application stored in it and other functions that can encrypt, decrypt and sign the data packet.
In today’s smartphones, a Secure Element can be found as a chip embedded
directly into the phone’s hardware, or in a SIM/UICC
card provided by your network operator or in an SD card
that can be inserted into the mobile phone.
To put things into context, when you are using an NFC enabled mobile device to Tap & Pay, the NFC controller goes into card-emulation mode. The NFC controller itself does not deal with the data or processing associated with the payment transaction. It is just an interface that allows communication using standard protocols.
It is the Secure Element that actually emulates the contactless card. It performs handshake with the terminal, sends the right responses to the right queries, generates dynamic cryptograms, authenticates the stored card and so on. To take it a step further and be even more accurate, it is not the Secure Element that emulates the card. The software that emulates a contactless card is the one that is stored inside the secure element in the form of payment applications or applets. The Secure Element provides secure storage and execution environment for the payment applications to do its job.
Secure Element is not a necessity to emulate contactless cards although it is the most secure to date. An alternative is to use Host-based Card Emulation (HCE) which moves the secure storage and execution environment to the cloud instead of the Secure Element. We will discuss HCE
next.
Mobile Payments Blog Series
Welcome to the Mobile payments FAQ and not so FAQ series and you are on FAQ #14. The idea behind this series is to share and learn as much as possible about the field of mobile payments. If you like, you can read all of the FAQs on the Mobile Payments category or by visiting the Table of contents page.