Short Blog – Paypal / Vodafone

News today

Vodafone-PayPal Payments Go Mobile in The UK

My summary view

  1. Vodafone is linking all cards in a Google-like “proxy model”, with the card issued by R. Raphael & Sons plc
  2. Vodafone is able to see all transaction data and deliver rewards/loyalty separate from card issuer.
  3. Paypal is a virtual card (?Mastercard) at POS
  4. Vodafone has enabled a contactless SIM that can operate separately from the VodafonePay application with one default card (see Vodafone Smart Pass)
  5. TFL/Oyster accepts various external networks (see list). Paypal operates as a virtual V or MA in this circumstance.
  6. Revenue for PP is 30/40 bps less Vodafone and program manager costs.

The Vodafone Pay Terms give most of the meat

“For each funding source you wish to use with Vodafone Pay, we’ll issue you a prepaid virtual card (which we will store securely on your SIM card). By ‘funding source’, we mean a UK sterling denominated debit or credit card that was issued to you by a UK-authorised bank or an account that you hold with a UK-authorised bank or your PayPal e-wallet. You can link up to 5 funding sources via the Add a Card feature. The virtual card expires when your funding source does. […]

Because the payment goes from your funding source to your virtual card before it is completed, you may not get the same benefits (like loyalty points, discounts and card protection) as you get when paying directly with your funding source. The funds loaded onto your virtual card will not earn any interest”[…]

We, the issuer of your virtual card, are R. Raphael & Sons plc (Company Registration No. 1288938) with our head office and registered office at 19-21 Shaftesbury Avenue, London, W1D 7ED.”

Why SamsungPay is Toast

Samsung Pay has 2 parts

1) NFC (Contactless EMV ISO 14443 stuff)

2) MST (Mag Stripe Emulation)

Both “could” work in the new Google world. But Samsung does not seem to be aware of the new Android efforts to build an organic security solution within Arm’s TrustZone that completely steps on the proprietary work they did (mostly with Knox). For background, see the following articles

– Android L vs Samsung (see this article)

Samsung Knox 2.4 vs Google For Work

Samsung nixes Knox – Bob Eagan

The BRAND NEW Google for Work Security Whitepaper

Historically, NFC wallets driven by GSMA’s SIM based approach require MNO support (keys for either SIM based or for embedded). SamsungPay was based upon a new software SE that ran within its own proprietary security architecture.

Problem is that Google’s new Android M steps on Samsung’s security architecture. Both are claiming the same space.. Sorry I can’t be more specific.. I’m almost 50 now and have lost most of my real skills.

Now Samsung could redesign its wallet, give up its security architecture and run within Google’s HCE environment. Samsung pay would operate as Google wallet does.. at Parity. But Samsung is not currently running in this model.. Samsung could also launch a loopPay only wallet that works in this model..

Why are Google and Samsung so focused here on payments and security!!? See my blog on Brokering Identity, and Authentication in Value Nets. The key to future profitability within mobile is about managing interaction between the physical and virtual world… security, identity and authentication is EVERYTHING.

Forget about technology.. here is the real problem

Let’s assume that Samsung solves ALL of the technical issues above and now SamsungPay works on all Android devices. Everyone knows that MNOs decide what gets pre-installed on the phones they subsidize (even Apple). Six weeks before MWC, Google made a strategic deal with the US MNOs to buy ISIS in exchange for Android Pay (the new Google wallet) becoming part of Google Mandatory Services (GMS.. just like search and gmail).  Part of this is also a new android registration flow that addresses THE KEY weakness of Android profitability.. it gets consumers to add a card and play account (Apple brilliantly required an iTunes… with accompanying credit card.. in launch of iPhone).

Samsung’s wallet could still work.. however IT IS NOT PRE LOADED.. so this is what the consumer would have to do (AFTER REGISTERING FOR ANDROID PAY):

1) Find out about Samsung pay

2) Install Samsung Pay

3) Register for Samsung Pay

4) Understand where they can use Samsung Pay

5) Wave it near the Mag Head reader

6) Then use Android pay for in-app and play purchases..

Forget about the technical issues. In a world where only 6% of iPhone 6 users have ever used mobile payments..  What Mobile wallet has ever succeeded without:

#1 MNO Support

#2 OS Support

#3 Merchant Support … PLUS

#4 An ACTIVE COMPETING WALLET in same phone

Samsung .. just drop it… !? there is no longer any revenue or data rights associated with it.

Can I see your ID?

18 March 2015

A major retailer just called me this AM. Theme of conversation is that the industry is creating a “perfect storm” for issuers in acceptance.  While LoopPay is very secure (because of Visa/MA tokens, phone ID, and transaction counters), the existence of a commercial grade mag stripe emulator in the hands of “bad guys” will create a little chaos… particularly when the cashiers think nothing of consumers (or fraudsters) waving their phones at the POS.

While both Visa and Mastercard have set rules that prohibit merchants from asking for IDs in a contactless EMV transaction (EMV), LoopPay (Samsung calls it MST) muddies the waters as it uses the phone to talk to the magnetic reader of the payment terminal. MST transactions are magstripe transactions, for which merchants are (and have always been) allowed to ask for IDs. Merchants can make the case that they have no idea which is which, and they have no way of “prohibiting” either, thus they must treat every such transaction as something that requires them to validate (signature).

Let me see if I can list the different acceptance methods (looking for input into what I miss)

Acceptance Options

 

Add to this list Token authority (Tier 1, Tier 2, Visa, Mastercard, TCH, Bank, …) and TSM for GSM style NFC and we have quite a complex mess. The good news is that issuers have control over where their cards are presented.. Problem is that there are many new “exploits” open to attack by very well funded fraudsters.

Normally, all of this seems to put pressure to update and lock down your payment terminals. But merchants don’t bear any costs for POS fraud where they have validated signature/ID… it moves to the banks. How can Banks force merchants to lock down terminals? The incentives are very complex.. so complex that it may mean “can I see your ID” happens in every case.  So much for mobile making things easier.

In EMV transactions, issuers are normally in control of when PIN is required.. In mobile  there is no physical payment instrument (card)  for the cashier to validate signature … so when they ask for ID what do they validate against? (ie no embossed card with your name on it). This means issuers will naturally like PIN for mobile. In the US consumers don’t know their PIN (for credit cards)..

This is just too confusing.. let’s just say small issuers will have a very challenging time adapting here, while the big issuers will maintain a substantial advantage. This is the normal course of [big] bank fraud strategy: if a bear comes to your campsite you don’t have to be faster than the bear.. just faster than the slowest fellow camper (small banks)

Samsung Pay Launches Today: LoopPay + NFC + Tokens

1 Mar 2015

———–Update 8pm

It seems that in the US, Samsung plans to create and certify a new software secure element within the ARM Trustzone architecture that precludes the need for SE Keys, avoids US MNO SE Key Ownership issues (that can’t make MNOs happy).

In other countries (China, EU, …) Samsung’s architecture would leverage the traditional NFC approach within the NXP SE (and traditional TSM).

This is a great technical approach, but it doesn’t appear that Samsung has bothered to sell US MNOs on the concept (of going around them). Anything US MNOs subsidize they must approve.. Which means no pre-installation, particularly given the new Google relationship outlined below.

—————-

Brilliant tech and security.. killed in the US by recent Softcard deal

Samsung has just launched its LoopPay plus NFC (plus tokens) with support of top 5 US banks, MA, Visa, Amex, FD. What is it? A mobile payment wallet that works at the POS within Samsung’s new S6. The “new” part is hardware based upon their recent LoopPay acquisition (Samsung calls it MST, “Magnetic Secure Transmission”). What does this Loop stuff do? It enables your phone to talk to any payment terminal that accepts a swipe by “emulating” the magnetic field generated as your plastic card’s magnetic stripe goes across the payment terminal’s reader (ie head). This is SUPER cool stuff.. and addresses the key problem impacting ApplePay today: merchant acceptance. In other words a LoopPay enabled phone payment can be accepted anywhere a card swipe is accepted (mag stripe).

Operationally the new payment wallet will combine Loop’s mag stripe emulation plus traditional NFC to work with terminals in either a “swipe” or “tap” mode. If a terminal accepts NFC SamsungPay will detect it and use the more secure NFC, if not it will emulate the magstripe. Technically Samsung has done a super job creating a “secure enclave” equivalent within the ARM TrustZone (and NXP’s PN66T.. having dumped Samsung’s Snapdragon). Samsung may have achieved a coup over  Apple in this new architecture (approval for storing card encryption keys within a new software secure element which will be certified as EMV compliant). This means Samsung doesn’t require the SE keys (in the US) and can also ride on the existing token rails that were created by ApplePay, thereby leveraging the same provisioning process for enabling cards that the networks created in ApplePay. Interestingly neither Samsung nor Google have been able to get the 15bps that Apple got.. showing that banks have learned lessons and that the ApplePay late followers (Samsung)  are now in a weaker position.

The “bad news” is that SamsungPay software is VERY VERY far behind (think Aug/Sept best case), and even if it were ready today it will never be pre-loaded on ANY phone in the US (given the recent Google/Softcard deal with all 3 major US MNOs). The Google/Softcard deal hit Samsung HARD.. a complete surprise. What does this mean? Complete chaos. SamsungPay Loop requires specialized hardware (MST in S6 Only). This means that SamsungPay will not work with any existing US handsets (all the SE keys went to Google and old phones don’t have the new ARM TEE with Software SE).

Why would Samsung make this kind of “marketing announcement” without an operational wallet, carrier support and big US holes? Guess is they are feeling the pressure from Apple. The new iPhone is even grabbing over 33% marketshare even in Samsung’s home market (see Reuters article). There are MANY pieces necessary to make a wallet launch work: hardware, new loop acquisition, tokens, certification, bank support, it looks like they have those taken care of.. what is missing? MNO support, SW SE certification and a production ready software wallet.

While I’m rather negative on the prospects for Samsung in the US, I’m very enthused about Samsung’s prospects outside the US by leveraging a traditional NFC architecture plus tokens. As I discussed in Secure Element, NFC, HCE, EMV, Tokens and Cards, tokens plus mobile enabled identity (token assurance information) have enabled software to displace specialized hardware. In this case, a tokenized LoopPay is pure genius.. taking a basic device that tricks the card head into accepting information.. and turning it into a much more secure card transaction. I’m not going into the fraud prevention measures, but rest assured “replay attacks” will not be possible.
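To make the replay point concrete, here is an added example (not from the original post, and not the actual Visa/Mastercard or Samsung scheme) of how a token service can reject reused magstripe-emulation data using the three controls named earlier: token, phone ID and transaction counter. The HMAC construction, the field names and every value are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def dynamic_cryptogram(key: bytes, token: str, device_id: str, counter: int) -> str:
    """Short MAC binding one emulated swipe to a token, a device and a counter value."""
    msg = f"{token}|{device_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


@dataclass
class Wallet:
    """Device side (hypothetical): token, per-token key and a counter that only goes up."""
    token: str
    device_id: str
    key: bytes
    counter: int = 0

    def emit_track(self) -> dict:
        # Every emulated swipe consumes a fresh counter value.
        self.counter += 1
        return {
            "token": self.token,
            "counter": self.counter,
            "cryptogram": dynamic_cryptogram(
                self.key, self.token, self.device_id, self.counter
            ),
        }


@dataclass
class TokenRecord:
    """Token-service side (hypothetical): what was bound at provisioning time."""
    key: bytes
    device_id: str
    last_counter: int = 0


def authorize(vault: dict, track: dict) -> str:
    """Decide on one authorization request carrying emulated track data."""
    rec = vault.get(track["token"])
    if rec is None:
        return "DECLINE_UNKNOWN_TOKEN"
    # Recompute with the device ID stored at provisioning, not one sent by the terminal.
    expected = dynamic_cryptogram(rec.key, track["token"], rec.device_id, track["counter"])
    if not hmac.compare_digest(expected, track["cryptogram"]):
        return "DECLINE_BAD_CRYPTOGRAM"
    # A valid cryptogram on an already-seen counter is captured data being reused.
    if track["counter"] <= rec.last_counter:
        return "DECLINE_REPLAY"
    rec.last_counter = track["counter"]
    return "APPROVE"


def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample value
    wallet = Wallet("TOKEN-CONSTRUCTED-0001", "PHONE-A", key)
    vault = {wallet.token: TokenRecord(key, "PHONE-A")}

    first = wallet.emit_track()
    results = [authorize(vault, first)]            # genuine swipe
    results.append(authorize(vault, dict(first)))  # same track data presented again

    # Counter bumped by someone who does not hold the key: MAC no longer matches.
    forged = dict(first, counter=first["counter"] + 1)
    results.append(authorize(vault, forged))

    # Same token and key on a different phone ID: fails the device binding.
    other = Wallet(wallet.token, "PHONE-B", key, counter=first["counter"])
    results.append(authorize(vault, other.emit_track()))

    results.append(authorize(vault, wallet.emit_track()))  # next genuine swipe
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The decline codes are what an issuer's fraud team would want surfaced separately: a replay decline means valid track data was captured somewhere, while a bad-cryptogram decline points to tampering or a device mismatch.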

The purported “mobile acceptance gap” that Samsung’s wallet WOULD address is primarily in the US and due to a lack of merchant terminals that accept NFC. LoopPay addresses this gap through emulating the mag stripe swipe.. The US is where mag stripe swipe remains predominant, and only in a very short term “interim” period before EMV becomes mandatory in October of this year. Thus the market where mag stripe emulation would deliver the most value is the US, yet it is only so for the near term (EMV rollout), with a much delayed software release (September) in an inaccessible MNO environment (per Google/MNO reasons above).

Summary

  • SamsungPay is LoopPay plus NFC plus tokens. There won’t be anything to even trial until late summer, it is a marketing launch only (S6 contains the necessary HW)
  • Google/Softcard/US MNO deal has completely killed hopes for SamsungPay in the US, as MNOs CAN NOT pre-install on any Android phone (including S6).
  • Samsung’s hardware is very innovative, leveraging Arm’s TrustZone to store the EMV keys in a new software secure element within ARM’s TEE. I’d be surprised that the networks have already certified this.
  • Visa/MA and Amex will leverage their existing token infrastructure (from ApplePay).
  • LoopPay is super cool and tokens make it super secure.
  • Banks will be able to provision cards to SamsungPay just the same as they do with ApplePay today. Some banks may want to consider the incremental risks associated with the LoopPay card emulation. It looks like the controls are there, but it is not a card presentment mechanism that many have experience with.
  • Perhaps my biggest news here is something that wasn’t announced. My understanding was that Paypal was part of the launch. Perhaps they want to get a little momentum before pissing off all the banks.
  • My biggest unknowns: software live date, bank rev share, TEE certification for holding card keys (Tier 1 TSP), Paypal, HCE in the US (to bypass Google’s SE key ownership), how will consumers install on top of (next to) GW and why would they want to?

Google+Softcard Levels Field Against Apple

24 Feb 2014

Well done Google. As predicted last month, Google announced last night that it had acquired “some exciting technology and IP from Softcard”. The price? My guess is around $50-60M, plus multi year revenue share (below). This is a FAR cry from the $3-$4 BILLION that these same Mobile Operators wanted for “NFC RIGHTS” in 2011. Google proposed a rev share back then too.. but MNOs were convinced they could go it alone. After dropping almost a billion in ISIS/Softcard with no future revenue of any kind in sight the drivers of the deal were obvious. Not only did carriers need an exit for their investment, they needed a partnership that gives them a role in the future of mCommerce.

What technology will stay? The SE Keys and the vending machine acceptance terminals.. seriously.. 98% of what ISIS/Softcard was is completely dead. My biggest unknown? I would love to see if Amex Serve could pick up the pre-paid card from Mastercard.. as the banks wanted to beat up my good friend Ed McLaughlin for doing what I still think was one of the best most innovative deals ever (Google pre-paid).

What did Google get? MANDATORY GOOGLE WALLET. That’s right, now EVERY ANDROID phone sold by the carriers will have wallet installed. This addresses a key advantage that Apple has in mandating an iTunes account (with credit card) for activating the iPhone. Apple’s brilliant registration process allowed it to know its customers (ID, card on file) where Android/Google did not. Many analysts believe that this ID/Payment deficiency is THE KEY reason why Apple’s environment is 8x-10x more profitable with less than 20% of the handsets. Now Google can compete in all things which require identity+payment. Not JUST in buying apps/music in Google Play, but in orchestrating commerce and brokering identity. I cannot understate the win here for Google. A brilliant move, and I firmly believe that this was the primary driver of the deal. Don’t look at this as an ApplePay competitive thing, it is about enabling Google to identify every Android holder as a default “opt in” during phone activation (iTunes Account Mandatory = Wallet Account Mandatory).

The Carriers? A partner that will share revenue. Where Apple takes 15bps for itself, my guess is that Google will give that to the MNOs, plus some revenue share for play services. My TOP 2015 prediction was that this would be the year of partnerships.. This is certainly my top new one for the year. MNOs are losing sleep about Apple’s unmatched “walled garden”, no one plays but Apple here. Google is developing an open model and this deal may be the first template for MNO/Platform revenue sharing.

Banks? Google will likely slowly “roll out” of its Google Wallet Card (also see TXVIA blog) which wrapped all other cards in a Mastercard Debit. Banks will be able to sign up for Google Wallet through network agreements just as they do for ApplePay today (at same rates/rules). This will mean that the networks will provision bank cards as tokens, and that Google will also benefit from forthcoming CNP token rules this summer. The primary difference in GW operation is HCE+Tokens (see blog). The Google Wallet model is not dependent on the SE Keys, or SD storage.. but it CAN operate in a non HCE model (from its GW 1.0 lineage).

Payment Networks. BIG WIN. Cards are the de facto standard for everything in mobile. I’m interested to see if the networks recognize (certify) the HCE card emulation application, as of 3 months ago it was still not certified. My belief is that they certify as part of tokenization scheme acceptance. This is a funny side story in itself. Most would ask how Google Wallet could run a non-certified card emulation app. Remember that the ONLY card being emulated was a Google owned Mastercard debit.. just a brilliant workaround. Note that in ApplePay, Apple operates as a tier 1 token requestor in the current ApplePay model, and V/MA/Amex are tier 2 token requestors (see this excellent blog by SimplyTapp). In the Google model Visa and Mastercard will act as both Tier 1 and Tier 2 token requestors.

Big Losers? Samsung. OUCH!! No wonder they had to buy loop. Their new wallet strategy was to have a DUAL NFC/LOOP wallet. Google just got all the SE keys for the Samsung Phones. This means that Samsung’s wallet will only work on new phones.. a rather rough place to start.  Paypal.. with the birth of a new CNP scheme this summer driving ApplePay and Google Wallet beyond Apps to mCom checkout.. Paypal has no future in Mobile…  Except in emerging markets.

More to come.. but wanted to get this out today.

Softcard to Google?

17 Jan

As I tweeted Monday, it is now in mainstream press (See today’s WSJ). This has been a very poorly kept secret, as the team at ISIS talks up its suitors.. I found out from a retailer. (BTW I did not return the calls of the WSJ for this article)

My very first blog in 2009 was on ISIS (project mercury back then). Did you know Softcard started as a joint venture between GE, Walmart and ATT!? Selecting Discover and Barclays as the primary network/issuer to deliver value to retailers (Dekkers was lead at Barclays now CEO of MCX, Abbott was lead at GE now CEO of Softcard). There wasn’t much of a business case for the MNOs (50bps Discover card) so they brought in the mainstream networks, and realized that there still wasn’t a value proposition.. and started charging BANKS $1M a pop for the RIGHT to have their cards in the wallet (leaving 3 willing issuers today). Walmart left after the MNOs moved away from DFS/Barclays (and began planning MCX).

Hard to believe change can happen so quickly.  Just 4 years ago, the carriers wanted $3-4 Billion for the “rights” to NFC, now ISIS is going for around $60M. A price that more closely aligns the real value of NFC in an Apple, Token and Android HCE world.

SOOO many lessons learned, so many funny stories. How could any company drive enough revenue to support a 12 party supply chain in payments (see blog)? See my “value prop” slide from 2009. Do you see anything that didn’t quite pan out? The WHOLE thing!!

[Slide: Mercury Value Proposition]

I’m working on my 2015 predictions, one will be that we have come to a tipping point of … wait for it… COLLABORATION. Yes big companies WORKING with one another. Too much capital has been burned trying to go it alone. No one company can compete against Apple, Google, Amazon… Of course I’m betting on this with CommerceSignals

Look at the Google deal for Softcard (if rumors are true) as Google working to create a starting point for collaboration in payments. I don’t know if Softcard is the right vehicle for that.. If Google is buyer, they will throw all of the technology away in days after acquisition.. I have some other very firm views here on why this all makes sense.. but don’t want to share now until deal is finalized.

Here are a few of my old blogs..

ISIS Platform: Ecosystem or Desert

Battle of the Cloud – Part 2

ISIS National Launch

NFC – ISIS has 12 months… (Oct 2011.. I was wrong by 24 months)

ISIS: Antonym of Nimble?

Software Secure Element – HCE Breaks the MNO NFC Lock

NFC and Consumer Choice

 

 

What do Retailers Want in Mobile?

1 Nov 2014

Money2020 is next week, and I’m moderating the ApplePay session on Tuesday at 5pm… hope you guys can come. I’m more than a little sad that I can’t get any retailers up on stage with me. Why? The top 60 retailers are in MCX, and it makes little sense for them to get on stage and tell the world what they are NOT going to do and why. As I’m preparing to leave for Las Vegas tomorrow, I was thinking “what could I write about? What unique perspective can I offer?” Well given I can’t get them on stage with me, let me try to articulate the Retailer’s view of the world. My twitter feed is blowing up as I work to explain why CVS and Rite Aid turned off NFC. Please know I’m only trying to give perspective…

Payment Services are a brokering activity between two entities engaged in commerce. Logically, a broker must have the trust of both parties, and deliver some sort of value in managing the financial risk associated with the transaction.  Within Consumer Retail, Visa and Mastercard evolved from Bank owned exclusive networks of the 1960s (see History) to ubiquitous independent payment networks. Few remember that back in the 1960s, merchants took either Visa or Mastercharge but not both as the Merchant’s acquiring bank could only be a member of one of the networks. For merchants, the value proposition was clear: consumer credit.

Payment networks thus evolved from a closed and focused value proposition, to a settlement “infrastructure”. However the rules and governance process by which many parties (merchant, acquirer, processor, issuer, network, VASP, …etc) participated in defining operation of this “brokering” activity did not evolve. This is the central issue restricting the future growth of Visa and Mastercard. One I believe both are acting on. My firm belief is that rebalancing network rules will unleash a massive new phase of value creation for these networks.

Let me take a quick side bar here..

Network Theory – Openness

As I’ve stated many times, closed networks always precede open networks until scale is reached (Building Networks and “Openness”, 2011). Weak Links (nodal affinity) influences network creation, and there are VERY few open networks which exist in Nature. This is logical as Networks form around a function rendering generic open networks less “efficient” than specialized networks around any given specialized need.

Scale-free distribution (completely open networks) is not always the optimal solution to the requirement of cost efficiency. .. in small world networks, building and maintaining links between network elements requires energy…. [in a world with limited resources] a transition will occur toward a star network [pg 75] where one of a very few mega hubs will dominate the whole system. The star network resembles dictatorships in social networks.

-Weak Links

Networks NATURALLY form around a function and other entities are attracted to this network (affinity) because of the function of both the central orchestrator and the other participants. Open networks (internet/TCPIP, Visa, NASDAQ, … ) succeed where a common infrastructure benefits MANY NETWORKS.

Visa and MasterCard have transitioned to become common network infrastructure, a position FAR MORE valuable than that of a closed credit delivery system. They are a network of networks. However their rule making and governance processes do not match the other open networks listed above (NASDAQ, Internet, …). Most Banks, have also lost their traditional role of “brokering” and risk management (in retail) by creating a card rewards system that encourages card use paid by the merchant. This creates a brokering incentive separate from the commercial transaction… impacting brokering independence.

What do merchants want? A neutral broker!!

A top 5 merchant told me a few months ago “Retailers like Starbucks have proven that we are best placed to deliver value and influence consumer behavior. I don’t want to force my consumers to do anything, but similarly I want networks that let me play on an even field. These next 5 years are going to be complete chaos for consumers. What do we want them to do? Swipe, dip, chip, pin, tap, QR…? We have been planning for EMV for 3 years… am I really supposed to jump to Apple in 4 weeks?”

MCX

These guys are good friends of mine, and I think their business vision is well placed. They want a network where they can play on an equal footing. A neutral broker.. or at least one where they can have a seat at the table when rules are set. Will MCX be a massive success? It depends on the consumer value proposition. Are the merchants motivated to work together in creating a neutral broker? Hell yes.

One merchant said it this way “Tom I didn’t think we would ever have someone more difficult to work with than Visa and Mastercard, but I was WRONG. Apple is a nightmare! At least we knew what was coming with Visa and Mastercard, with Apple they don’t talk to us, respond to our letters, or offer any kind of value proposition. Why on earth would I want to let another brand in my store without understanding what it will do for me? They are a great company, with great products, and certainly have a much better approach to data than Google.. but anonymity is NOT a value proposition, in fact Apple makes our efforts to deliver value to the consumer even harder as we have no defined way of using Apple to engage our consumers”. See Brokering Identity – Part 1, ApplePay and Merchants, Digital Transactions ApplePay Issuer Agreement.

Getting a card number from consumer to merchant is NOT innovation. There is just no problem here. My payment friends are already rolling their eyes. Apple does have great security and great ability to manage fraud.. but fraud losses for CP are 3.2 bps. What about store data losses? That is not “fraud”, and certainly a problem for merchants that keep PANs. Tokens do solve this problem… but so does better security, and more intelligent approach to tracking loyalty. Apple must move to create a merchant value proposition, and define how they will help with consumer engagement. I believe Google will far outpace Apple here.

Retail is a zero sum game.. I’m not going to buy MORE gas and groceries.. differentiation is about switching, product selection and pricing on data.. the flux.. once this flux dies.. steady state resumes. Perhaps all iPhone owners will only shop at Whole Foods, but data shows that consumers don’t make decisions this way. In fact payment is not in the top 5 reasons for consumers choosing a new iPhone.

Why are MCX merchants turning off NFC? To give themselves a little breathing room, make Apple create a merchant value proposition (engagement), get a seat at the table in a new network, and help to establish a consumer behavior that works for them too (Most Important Payment Race: Consumer Behavior, Apple’s Platform Strategy: Consumer Champion ).

What do Retailers want in Mobile?

Following from my big blog Static Strategies and the Rewiring of Retail.

  • Consumer Engagement
  • Consumer Acquisition
  • Consumer Loyalty
  • Allow Retailer to be in control of data
  • Partners that allow Store’s brand front and center
  • A Partner either IN CONTROL of the consumer experience (Apple/Google) or one that already has massive consumer adoption (ie Facebook).
  • Creating a fantastic customer experience from end-end
  • Ability to manage campaigns, data or your business
  • A Partner that can reach/influence consumers WHERE THEY ARE.. not where you want them to be.
  • Payment..? I guess if that comes too… 

How will this play out?

  • Much has been made of the MCX contract provisions that prohibit participating retailers from allowing other forms of mobile payment. This is just not accurate. Any retailer can choose to turn on NFC, any retailer can sign up for MCX. Can an MCX retailer turn on NFC? Yep.. Large retailers are not participating in ApplePay because Apple has completely failed in a merchant strategy, they have not articulated one, nor have they worked directly with merchants. This is really no different than Apple’s failure to work with Banks. Banks are just fuming over the take it or leave it terms Apple offered to them. Merchants had no terms…
  • Apple will roll out a merchant friendly beacon product, and loyalty product for consumer engagement in next 6-9 months, this will also include a renewed focus on BLE. The product will fall flat until they can create a new merchant organization. Google has 4,000 sales people working with merchants, Apple has around 16… so it is a big task.
  • Apple will ROCK in App payments.. it will be their homerun… I will make a further bet: Apple will WIN in every situation where they can control the consumer experience from beginning to end.
  • Visa and Mastercard are beginning a shift toward the merchant. They may not win the top 60, but Visa has 36M merchants.. that leaves 35,990,940 that will be open to new ideas. These are my biggest personal holdings, and I know both of the CEOs. Everything I’ve written here they know already.
  • Consumer authentication is VERY disruptive to retail and banking. As Ross Anderson said “if you solve for authentication in payments.. everything else is just accounting”. The need for an independent broker and their services are dramatically different if either the consumer or payment can be authenticated (ie cash, bitcoin). Why do you need a payment product at all? Just present the identity to the bank. This is what Sofort/Klarna does… Why not do this? Because the banks have no ability to MONETIZE the transaction (no merchant agreement). There are many better ways to leverage authentication, but no other ways to currently MONETIZE IT (outside card). Perfect Authentication… A Nightmare?
  • Apple is pursuing an “anti-google” approach: keep no data, closed platform, control everything. Google is 2-4 years behind on platform security.. but is catching up. The Google platform is much easier to build in and control (ex HCE), but consumer adoption lags as each Android participant must move consumer to their vision. Apple has successfully delivered security and authentication, but has not laid out a way for many apps to leverage it. Retail is a REALLY big business, with 1000s of specialists. It cannot be throttled by one company.. thus Apple will work fantastically in environment it can control. (sorry to restate).
  • ApplePay and overall contactless adoption will begin with small merchants and infrequent purchases. Most phones have the capability today. MCX will not stop contactless.. but it will impact consumer behavior substantially

ApplePay Vs Google

  • Is NFC/Contactless Acceptance required as part of EMV rollout? NO!!  This is the most widely held misunderstanding. While the large terminal manufacturers have no products in their official product list without contactless, the top 60 merchants order bespoke or custom terminals to fit their needs.

iPhone 6 – Quick Thoughts

Super short blog.. will do better job tomorrow.

Wow.. Apple has just launched the greatest new consumer product since the first iPhone.. Per my blog, there is so much more to the iPhone 6 than what we saw. The iWatch was just a thing of beauty.. I think the entire presentation was an A+ with one big fat D.  While the rest of the videos were world class works of art, the payment video was like they put it together yesterday… and we had to see it TWICE. Quite frankly it was the worst mobile payment announcement I’ve ever seen.. particularly for a feature that has been around for 7 years. It wasn’t until after the event that I read https://www.apple.com/pr/library/2014/09/09Apple-Announces-Apple-Pay.html and saw that the iWatch had an SE and could do payments too.. Why didn’t they lead with that.. seriously!! My guess is that this was the primary video but got pulled for sequencing the “One More Thing”.

I had a nice call with Visa, and I know the MA team as well. The network planning on the tokenization is just tremendous.. No changes to the network, using auth messages as the mechanism for Issuers to approve and bind token. Apple token assurance information in the existing card data fields.. all just fantastic stuff.  Apple is the first implementation of the new EMVCo tokenization specification. In my view this is a giant LEAP beyond EMV chip and PIN, and is now (by far) the most secure PAYMENTS scheme on the planet. (Wish Apple said this instead of showing that old lady 2 times).

What are my big payment surprises?

#1. Apple branded PAYMENTS. Where Google and ISIS have a wallet. Apple has ApplePay.. they just wrapped the card network brands. I can’t believe that anyone allowed them to do this (rebrand payments).. but this is a BIG win for Apple, particularly as they work to “enhance” NFC acceptance with an eventual move toward BLE POS processes.. Yet, do Retailers really want to introduce yet another brand in store between consumer and merchant?

#2. Miserable fail for ApplePay in merchant value proposition and merchants on board. Google had all of these merchants on board 3 years ago.. all the acceptance numbers were just the generic NFC Contactless acceptance numbers. Apple did nada to loop in merchants today, and it will cost them. They could have highlighted terrific new consumer buying experiences with beacons, and BLE, .. but we got some old lady fumbling with her wallet. They showed NOTHING new that Google, Samsung, ISIS don’t do today (and 3 yrs ago). The only new merchant I saw on the list was Disney.. and I don’t think they will drive much high frequency (behavior changing) volume. Remember, Apple doesn’t really know how to play with others very well.. they are consumers first.. everyone else… who cares. Not great attributes of a value orchestrator. Also, I’m anxious to see how the Macy’s/Nordstrom/Kohls private label cards will be accommodated in token model (Citi/ADS are key).

#3 I LOVE ApplePay online.. the target demo was the only save from a solid F. Makes complete sense.. who will help 1000s of eCommerce merchants integrate? The PR says Visa/CYBS are on board..  BIG issues for eCommerce specialists.. as this new iPhone 6 takes on authentication and fraud in a brand new way.

Where I was wrong..

  • Looks like the 15-25 bps is at the low end of 15 bps..
  • I didn’t see Apple announcing a separate secure element chip.. I’m not the smartest knife in the drawer. Thought for sure the Secure Enclave would be the place for this.. someone enlighten me.
  • No Paypal.. anywhere.. so much for my consistent G2.
  • Where are the Beacons?  I’m very confident that beacons will be used to “wake up” the payment application on launch. Don’t know why not demoed. ApplePay merchants will likely get a pack of beacons and instructions for registering them (location)

Clarification.. I never, ever said that Apple would get Card Present rates for ApplePay eCommerce.. I said it was logical for them to ask, and that the banks said no. ApplePay at the POS is a network certified card present transaction. ApplePay for eCommerce is a Card Not Present transaction. Merchant costs DO NOT change for accepting a card at the POS. It is TBD if Apple wants to put a fee on the eCommerce transaction.

 

Will Merchants Adapt to Apple?

Guys… There needs to be trust building, value creation, and pump priming for this to take off. Merchants have to understand the value to them before jumping on board.. and anonymity… it’s not a great merchant value proposition.  Google was in a place TO PAY MCX to TAKE GOOGLE WALLET.. that’s right.. Google had pitched an idea that would have brought all card acceptance costs to ZERO (as opposed to the full 180-240bps for ApplePay).. the merchants STILL DID NOT WANT Google to do it..  I’m telling you the story to help you realize how GIANT the merchant acceptance problem is. Can it be fixed? yep.. but it is a 5-10 year thing..

I don’t see any scenario where there is a fast start to contactless in the US, not without billions of investment in helping retailers build a platform to interact with the consumer.

I do think all handsets will have it (go buy NXP) and I see contactless winning at the periphery (coke machines, QSR, convenience). Why is it working in Europe? Their banks jumped on the EMV bandwagon long ago… interchange rates are more tightly regulated, and debit is accommodated more broadly (less merchant resistance).

START UP OPPORTUNITIES

  • Bring Apple Pay to Merchants..
  • Help retailers construct consumer engagement experiences with the iPhone 6
  • …?

 

iPhone 6 – Payment Update – Sept 2014

Super short post that summarized my 20 odd tweets this week. Frequent readers should skip to last section “New G2”

Feel 100% comfortable with my March Predictions iPhone 6 – Payment Predictions, only thing I missed was release date (September 9th… not October).

Looks like Apple got squeezed into the bank box. As I related in Apple… Payment via BLE/Beacons will still happen (but when is issue) Apple wanted to launch the payment product with BLE (not NFC) but existing payment networks didn’t want to cause merchant chaos in fragmentation of acceptance infrastructure.. so pushed Apple back into the NFC mold.  The payment experience is as I outlined in May Apple iBeacon Payment Experience. I don’t see e-receipts as part of launch.

Also confident in my predictions that Visa and MA are running the TSP (see iPhone 6 – Payment Predictions)

 

  1. Consumer walks up to cash register, a payment terminal beacon provides information to Apple payment application that it is close proximity to payment terminal ID xxxxx (TID),
  2. Merchant scans goods for purchase. No mobile processing of loyalty, coupon, discount information
  3. Merchant payment terminal cannot send total amount due since it does not have Apple handset information/UUID. So how will Apple do it? My guess is Apple will provide UUID to the Payment Terminal via BLE at application wake up to perform a “lite” checkin with payment terminal. Good news is that there would be no data connectivity requirements, but it requires a new payment terminal… For everyone else.. there is no total amount due (99% at launch).
  4. Legacy NFC. At application wake up,  phone asks “pay merchant with Apple wallet”?
  5. Consumer validates transaction with fingerprint biometric
  6. Consumer taps phone (NFC) and the card token is presented to the Payment Terminal via NFC. Merchant processor routes token to payment network, which translates and routes to bank for authorization
  7. Payment is authorized (as happens today).

NEW G2

  • Launch customers in payment likely to include Macy’s and Nordstrom
  • Apple will also likely launch with Starwood Hotels for hotel room door key provisioning (as I tweeted last week)
  • Apple was able to get 15-25bps from top 5 issuers (JPM, C, COF, BAC, Amex). These are the only issuers that will work at launch. As part of this fee, Apple will release token assurance information (see Token Assurance – Updated)
  • Apple will also launch an eCommerce/mCommerce buy button in EasyPay. This will NOT receive any card present or preferential rate. This is less a function of in App purchases and more a function of 3rd party ecommerce sites having a EasyPay button for fast IOS checkout. Will in App purchases have this as well? Good question, seems logical
  • The following cards are provisioned into Apple’s secure enclave at time of manufacture/OS loading: Visa Debit, Visa Credit, MA Debit, MA Credit, Amex, China Union Pay.  (NO DISCOVER)

Unknowns

  • What will Apple do for all the iTunes cards not from one of the top 5 issuers? That will be a rude experience. How will they enroll 3000+ issuers into this scheme and get each one to cough up 25bps?
  • What is pricing on debit. Technically everyone will support debit, but no one is incented to make it work.
  • Don’t know how Paypal will run in this model.. so this is a mystery, particularly with launch of EasyPay.. will Paypal be a whitelabel here? I am confident that Paypal will be part of launch.. what I don’t know is how..
  • How will Apple ensure they get 25bps from the banks? They have no insight into the transaction.. the card is presented and that is the last Apple sees of it. This has been a problem for other wallets as well. It is one reason why Google created the proxy card.. to see all the transactions.

Updates Sept 8

  • Enrollment, looks like Banks will be supporting a BarclayCard/Google Wallet like enrollment process from within online banking.. This is very, very smart.
  • Bank of America, Citi and Wells are all rumored to be supporting Debit card inclusion in Apple wallet day one..

 

Secure Element, NFC, HCE, EMV, Tokens and Cards

7 May 2014

This blog is for my non-techie, non payment friends.. helping to make sense of all these acronyms.. experts may want to pass on this one.

The GSMA/NFC community is quite stirred up at the moment. This is quite understandable…  after all they spent 8 years perfecting their vision of NFC only to have it thrown under the bus by Apple and Google. I’m not knowledgeable enough to go into the depths of the protocol, or EMVco 4.3 Book 3. I’m giving the quasi technical business explanation of what is going on. There is room for disagreement here, as there is substantial interpretation, as well as understanding of what is REALLY happening vs the specifications.  Remember this is not my day job… so your comments/corrections are welcome. By far the most useful reference/summary page I have found online is located here http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/

It’s easiest for me to explain all of this in the context of an example. Credit cards are the easiest example as they are in the market today, with a few different implementations of contactless, and they touch the areas above.

EMV

EMVco has a contactless specification which I challenge any non-techie to read. For this short blog, the key point I wanted to make is that the Credit card number (PAN) is given to the POS unencrypted, in the clear. That’s right… don’t believe me? See:

Your next question is probably “Where is the security?” The answer is that along with the card information, the device sends a cryptogram that is uniquely signed. In other words there is a digital payload that rides along with this credit card primary account number (PAN). This digital payload uniquely identifies the device that EMULATED THE CARD. Think about it as someone validating your SIGNATURE on the document with your social security number on it… Your number is there.. but they make sure it is you by validating the signature.

So why is the SIMAlliance extolling the virtues of a Trusted Execution Environment (TEE) and SIM/UICC? After all we seem to live without this capability quite well in the PC world. Mobile operators want the ability to SIGN and AUTHORIZE more than access to mobile towers. That SIM card in your GSM phone signs and authorizes access to the mobile network, much as MNOs envisioned doing for payments. That is how the GSMA’s version of NFC evolved.. “hey we do this for network access.. lets do it for payments”.  To be clear there is nothing technically wrong with the GSMA NFC approach.. it is beautiful… but there are substantial business model issues (see Payments part of the OS).

Apple and Google are both moving aggressively to act as Commerce Orchestrators as handsets become commodities and data moves to cloud, enabling the mobile phone to be the key services platform at the confluence of the virtual and physical world is critical. It is not about payment. Authentication is core to this orchestration role.. authentication is not something that can be given away to MNOs or to Banks.

TOKENS

It makes most sense to jump to TOKENS now.  You can imagine that Banks don’t exactly like having their card numbers sent in the clear. In fairness they were involved in the specification, but the EMVCo contactless model is essentially a card number plus authentication. There is more than one way to achieve this, and improve on it by hiding the PAN… this is what tokens are (a few examples described in Money 2020: Tokens and Networks, Apple’s Plans and Google/TXVIA).

Tokens are not new (see Tokens… 10 Approaches). However Tokens are now an official EMVCo specification as of March 2014, with the major issue of Token Assurance outstanding. In this token model, the issuer chooses a Token Service Provider (or does it themselves) and creates a number to replace the PAN. This takes your PAN out of the open… and makes it useless. To be used the Token must be presented by the right party, with the right assurance information. All of this aligns VERY WELL to how banks and networks work today, which is why it is so popular (see blog on HCE).  In the GSMA NFC model, a cryptogram goes along with a PAN in the clear, with the PAN stored in the phone in a secure element.  In the token/HCE model a Token representing the card is stored in a less secure space, and presented with device and network information for translation by the TSP to the actual PAN. There are substantial Business Implications of Payment Tokens (blog) which I won’t go through again here, but clearly it cuts the mobile operator out of the “signing” role and they become dumb pipes.

My Gemalto friends will howl at how unsecure this is, or how it won’t work if the device has no network access. They are wrong. It is working today, and is secure enough. There is no connectivity requirement, that software token in the phone can change every 10 seconds, 10 minutes or 10 days. The TSP and Issuer can decide whether or not to accept an “old” token based upon the transaction. In other words the intelligence sits IN THE NETWORK.. NOT IN THE PHONE. This is why V/MA/AMEX love it so much. It cements their position (See Perfect Authentication… A Nightmare for Banks?)
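The token model described above, as a simplified sketch added here (not code from this blog or from the EMVCo specification): a toy TSP swaps the PAN for a device-bound token and decides in the network whether to honor each presentation. HMAC-SHA256 stands in for the real EMV cryptogram, and the class and function names, the 10-minute age limit and the low-value threshold are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

MAX_AGE_S = 600         # assumed policy: a token older than 10 minutes is "old"
LOW_VALUE_PENCE = 2000  # assumed policy: old tokens still accepted up to 20.00


def make_cryptogram(key, token, amount, atc):
    """Device side: MAC over token, amount and transaction counter (ATC)."""
    msg = f"{token}|{amount}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Toy TSP: the token -> PAN vault sits in the network, not the phone."""
    def __init__(self):
        self._vault = {}

    def provision(self, pan, device_id, now):
        """Replace the PAN with a random 16-digit token bound to one device."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "device": device_id, "key": key,
                              "issued": now, "last_atc": 0}
        return token, key

    def detokenize(self, token, device_id, amount, atc, cryptogram, now):
        """Return (pan, "ok") only if every check passes, else (None, reason)."""
        rec = self._vault.get(token)
        if rec is None:
            return None, "unknown token"
        if device_id != rec["device"]:
            return None, "wrong device"
        expected = make_cryptogram(rec["key"], token, amount, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        if atc <= rec["last_atc"]:
            return None, "replayed counter"
        if now - rec["issued"] > MAX_AGE_S and amount > LOW_VALUE_PENCE:
            return None, "token too old for this amount"
        rec["last_atc"] = atc
        return rec["pan"], "ok"


def demo():
    tsp = TokenServiceProvider()
    token, key = tsp.provision("4111111111111111", "phone-A", now=0)  # test PAN
    c1 = make_cryptogram(key, token, 5000, 1)
    c2 = make_cryptogram(key, token, 500, 2)
    c3 = make_cryptogram(key, token, 5000, 3)
    return [
        tsp.detokenize(token, "phone-A", 5000, 1, c1, now=60),    # fresh, valid
        tsp.detokenize(token, "phone-A", 5000, 1, c1, now=61),    # replayed
        tsp.detokenize(token, "phone-B", 5000, 1, c1, now=62),    # wrong device
        tsp.detokenize(token, "phone-A", 9000, 1, c1, now=63),    # amount changed
        tsp.detokenize(token, "phone-A", 500, 2, c2, now=3600),   # old, low value
        tsp.detokenize(token, "phone-A", 5000, 3, c3, now=3600),  # old, high value
    ]
```

The phone never talks to the TSP at payment time; every accept or reject decision in `detokenize` is made on the network side from what the terminal forwards.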

Host Card Emulation

This is an Android construct (see Software Secure Element – HCE Breaks the MNO NFC Lock) that allows any application to access the NFC Radio. Without Tokens, HCE would be useless for payments, as payment information can’t be securely maintained without an SE.  Think of HCE as dependent on tokens: now a card emulation application can be certified to run outside the secure element.  I don’t like to put Apple in the HCE boat, as they have a proprietary secure architecture using tokens. This is a uniquely Apple construct where the networks seem to have certified Apple’s card emulation application(s) as well. It is important to note that they use none of the GSMA’s architecture (to my knowledge) and have embedded the TEE in the Apple processor (see Apple Insiders note on Secure Enclave and Authentication in Value Nets).

Secure Element

Is it needed? Certainly it is needed for at least 2 functions: Mobile network access (SIM/UICC) and Biometrics. Fingers and Eyes are very hard to reissue.. so the actual information must be highly protected. Apple is handling biometrics in the A7 Secure Enclave (oddly enough has the same “SE” acronym) and Google is a tad bit behind but handling in ARM’s TrustZone. TrustZone is largely a hardware construct, and much is made of Gemalto’s marketing announcement here. My view is that there is more than one software solution for ARM.. and ARM is much more tied to Google and OEMs than Gemalto.

The “big news” here is that both Google and Apple are EMBEDDING SEs in their hardware architecture. Embedded SEs are a threat to Mobile Operators and their preferred Single Wire Protocol architecture. As you can imagine, an embedded SE has all the capabilities of the SE within that micro-SIM card.. and sets up the prospect for a Virtualized SIM (no more of those GSM cards popping into your phone). If the SIM can be virtualized you can switch your network provider anytime you want.. or have them bid for your phone call (see Carriers as dumb pipes?, Who do you Trust?, Also see Apple’s patents on Virtualized SIM). To be clear, I believe MNOs can take a leadership position in Emerging markets and payments, but for POS Payments in OECD 20 markets it makes most sense for them to focus on the $5B KYC/Authentication/Fraud opportunity (NOT payments).

OK… now you can shoot me… Open to feedback.