Mobile Cloud-based Payment Security Evaluation


A new possibility to perform NFC card emulation without a Secure Element (SE) in mobile devices opened up when Blackberry released its OS7 in 2011 which was called Virtual Target Emulation. Google re-introduced the technology on its Android 4.4 “KitKat” operating system by the end of 2013 and called it Host-based Card Emulation (HCE).

HCE has clearly accelerated the introduction of the NFC services variety, by providing an optional more simple, but in principle, less secure way to provide a NFC card emulation service. This option is optimal for service providers to quickly create their own solutions however, they need to be fully aware of the security risks caused by the lack of hardware-based security as provided by the SE.

In the Mobile Payment arena, payment schemes such as Visa, MasterCard and Amex have created Cloud-based Payment specifications leveraging on HCE technology over the last years, and Issuing Banks are broadly adopting HCE technology to provide new and convenient ways to pay to their customers.

In order to increase the security of Cloud Mobile Payment Applications (CMPAs), the above stated payment schemes have created security guidelines for MPAs bank issuers and Software Development Kits (SDKs) developers. In addition, they have in place security evaluation processes for third party laboratories to assess such security solutions in an effective and consistent way.


UL is recognized by payment schemes to perform Mobile Cloud-based Payment security evaluations for Visa, MasterCard and American Express.


UL will assess SDKs and MPAs security to the payment schemes security requirements.


SDKs are mandated to go through security evaluation, CMPAs are in some cases not mandatory.


At the moment, mobile devices are not providing a high level of security measures on their default features. This implies that any valuable asset could be stolen or corrupted by an attacker. UL recognized experts will help SDKs and MPAs developers to meet payment schemes security requirements.

  • Visa Ready Program for Cloud-based Payments Process
  • MasterCard Mobile Partner Program Cloud-based Payments
  • American Express Cloud-based Payments


Report to get certification


  • Software Development Kits – SDKs
  • Mobile Payment Applications - MPAs


Visa, MasterCard and Amex HCE/Mobile Cloud-based payment specifications.