HCE Security Certification Master Class (HCEONLINE)



Industry partner of choice for mobile security certification and training

Are you developing and aiming to certify a mobile payment solution?

The content of this training is a distilled version of the lessons learned by our security evaluation team throughout the 50+ mobile payment security evaluation projects we executed in the last 3 years. For your convenience the training content is offered on-line.

The course includes lessons and quizzes on requirements, the evaluation process itself, HCE architecture, attack models and attacks versus countermeasures, common pitfalls and mitigation strategies.

Riscure is the number 1 laboratory for Mobile Payment Security Evaluations, accredited by VISA, MasterCard, American Express, Discover and others. As of today, Riscure has successfully completed 50+ security evaluation projects related to HCE- and TEE-based payment solutions and certification, making us not only the most experienced and efficient laboratory but also the number one choice to guarantee a smooth and successful certification process.

Our proven track record includes security evaluations on Mobile Wallets, HCE Software Development Kits (SDK), and Secure Element (SE) and Trusted Execution Environment (TEE) based payment solutions.

Training audience and objectives
This training program is aimed at the following audience:
• Project managers at organizations developing and deploying mobile wallets (e.g. issuing banks, mobile network operators and solution providers)
• Product owners of mobile wallet solutions
• Software developers involved in the design and development of mobile wallet solutions
• Security teams (e.g. solution architects, security officers, security experts, etc.)
• Security evaluators, internal security testing teams

During the course, you will gain an understanding of:
• The security certification process and relevant actors
• The relevant security requirements for the mobile wallet solution
• The way the mobile wallet solution will be evaluated, which attacks are considered and how you can defend against such attacks
• The common pitfalls and lessons learned in mobile wallet security

Training program
After a thorough introduction to the fundamentals of mobile payment, which includes a description of the architecture for HCE applications, we discuss how to prepare for certification projects. Here we go into the details of how to prepare the documentation, what the prerequisites are, and the timelines and project planning. Next, we focus on the scheme requirements for the evaluation, with references to the security mechanisms, and finally we discuss the most common vulnerabilities of HCE solutions today.

1. Introduction
2. Architecture for HCE: applications in mobile payment
3. Security certification preparation
4. Security requirements of the payment schemes
5. Attacker model and security mindset
6. Lessons learned and common pitfalls
7. Security mechanisms and mitigation strategies: how to incorporate the knowledge of the attacker into scheme requirements
8. Attacks vs countermeasures: common attacks and countermeasures against such attacks

Each section of the training contains a video with the explanations, access to the slides and other materials used in the section, and a small quiz to consolidate the information presented in that section.

Location: on-line

  • Introduction
  • Introduction Video
  • Introduction Slides
  • Introduction Quiz
  • Architecture
  • Architecture Video
  • Architecture Slides
  • Architecture Quiz
  • Evaluation Process
  • Evaluation Process Video
  • Evaluation Process Slides
  • Evaluation Process Quiz
  • Requirements
  • Requirements Video
  • Requirements Slides
  • Requirements Quiz
  • Attack Model
  • Attack Model Video
  • Attack Model Slides
  • Attack Model Quiz
  • Common Pitfalls
  • Common Pitfalls Video
  • Common Pitfalls Slides
  • Common Pitfalls Quiz
  • Mitigation Strategies
  • Mitigation Strategies Video
  • Mitigation Strategies Slides
  • Mitigation Strategies Quiz
  • Attacks vs Countermeasures
  • Attacks vs Countermeasures Video
  • Attacks vs Countermeasures Slides
  • Attacks vs Countermeasures Quiz
  • Conclusion
  • Conclusion Video
Completion rules
  • You must complete the units "Introduction Quiz, Architecture Quiz, Evaluation Process Quiz, Requirements Quiz, Attack Model Quiz, Common Pitfalls Quiz, Mitigation Strategies Quiz, Attacks vs Countermeasures Quiz"