sherlock

Reputation: 2807

How can an Android app store and emulate credit card over NFC for contact-less payment processing?

NFC Host Card Emulation mode gets rid of the local Secure Element (SE), and facilitates payment by leveraging an SE stored in the cloud, with the cooperation of several participating parties, e.g. merchants, service providers, card issuers etc. Typically, this is how Apple Pay (probably it still uses a local SE), Google Pay and Samsung Pay work.

However, there exist apps, e.g. Cards - Mobile Wallet, MyCard - NFC Payment, Contactless Credit Card Reader which claim to be able to store the card information locally in the phone, and enable payment in shops with contact-less card readers using one's mobile phone. I have tried using Cards. It reads the card information (the credit card number and expiry date) over NFC, and shows this:

[Image: screenshot from the Cards app]

The credit card (card_A) is of a US bank, and I am pretty sure it doesn't support contact-less payment. I have another debit card (card_B) from some other bank in some other country which does support contact-less payment. However, I don't have any means to test if this app works with card_B.

My questions are the following:

  1. The debit/credit cards which support contact-less payment (like the ones similar to card_B), what payment standard do they abide by? FYI, both card_A and card_B have EMV chips on them, but one supports contact-less payment, the other one doesn't.
  2. Can I consider payment solutions, e.g. Apple Pay, Google Pay and Samsung Pay, workarounds to enable contact-less payments on cards which do not support contact-less payment natively?
  3. If the Android apps I linked above work successfully, do they still use NFC Host Card Emulation mode?
  4. Lastly, EMV cards have a secret key stored secretly on the card. I was surprised to see the Cards app read and store the card information without any additional authorization from the bank or the merchant, and then just claim to be able to make contact-less payments. In Google Pay, they use tokenization and a secret key is stored on the device which gets replenished from time to time. How come this category of contact-less cards does not play any key-based challenge-response protocol to make the payment happen?

Upvotes: 6

Views: 10485

Answers (2)

user6422216

Reputation: 43

  1. If contactless, they follow the EMV Contactless standard https://www.emvco.com/emv-technologies/contactless/.

  2. Yes you can use Apple/Google Pay with cards that do not support contactless. However, you will be restricted on whether the cards will work based on whether the issuing financial institution has allowed their cards to be compatible with Google/Apple Pay.

Google Pay compatible institutions - https://pay.google.com/about/banks/

Apple Pay compatible institutions - https://support.apple.com/en-us/HT204916

  3. Google Pay moved to HCE+NFC https://www.pocket-lint.com/apps/news/google/135017-what-is-android-pay-how-does-it-work-and-which-banks-support-it

  4. By keeping the single transaction limit to between £15-£60, the banks minimize the friction for the customers and don't ask for a challenge response like chip+pin for larger transactions or when the daily contactless limit has been used up (~$100)

Upvotes: 2

Tommy Cousineau

Reputation: 19

So it seems, with no references I will bring this forward... since the card system is a two-way process. The emulator must react as the card would do towards the queries sent by the card reader. So if one would want to emulate the card... it would have to scan and record the precise conversation between the card and the reader. Then, simulate that conversation with the Android HCE. The plus side is that the phone is more flexible than the card... so we assume that the phone could mimic any form of protocol, thus any conversation that any card and reader could have. Now scanning and decrypting the cards has been done fairly well. But as the cards have their differences, the readers as well might have their own complexity... and it most likely varies depending on which bank provides the sale point reader.

I just started on that project as well. And I'm pretty much at that point. I'm gonna record conversations.

Upvotes: 1
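Why a recorded card-reader conversation cannot simply be replayed when the card runs a key-based challenge-response of the kind the question asks about, as an added example that is not part of the original posts. It is a simplified model, not the EMV cryptogram algorithm: HMAC-SHA256 stands in for the card's keyed MAC, and the `Card` and `Issuer` classes, the key and all values are constructed.

```python
import hashlib
import hmac

def _mac(key, amount, challenge, counter):
    # Keyed MAC over the transaction data (stand-in for a card cryptogram).
    msg = amount.to_bytes(6, "big") + challenge + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, key):
        self._key = key   # secret shared with the issuer; never sent over NFC
        self.counter = 0  # transaction counter kept on the chip

    def respond(self, amount, challenge):
        self.counter += 1
        return self.counter, _mac(self._key, amount, challenge, self.counter)

class Issuer:
    def __init__(self, key):
        self._key = key
        self.last_counter = 0

    def authorize(self, amount, challenge, counter, mac):
        expected = _mac(self._key, amount, challenge, counter)
        if not hmac.compare_digest(mac, expected):
            return "declined: bad cryptogram"
        if counter <= self.last_counter:
            return "declined: counter reused"
        self.last_counter = counter
        return "approved"

def demo():
    key = bytes(range(16))               # constructed sample key
    card, issuer = Card(key), Issuer(key)

    # Genuine transaction: the terminal supplies a fresh challenge.
    challenge_1 = bytes.fromhex("a1b2c3d4")
    counter, mac = card.respond(1500, challenge_1)
    genuine = issuer.authorize(1500, challenge_1, counter, mac)

    # Replay at a terminal that issues a different challenge: MAC no longer matches.
    challenge_2 = bytes.fromhex("0badf00d")
    replay_new = issuer.authorize(1500, challenge_2, counter, mac)

    # Verbatim resubmission of the recorded exchange: MAC matches, counter is stale.
    replay_same = issuer.authorize(1500, challenge_1, counter, mac)
    return genuine, replay_new, replay_same
```

An emulator that holds only the recorded bytes, and not the key, fails both checks; reading the card number and expiry date over NFC does not expose that key.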
