News Today – WELL DONE GOOGLE! (Note good comments below)
In my July post Big Changes to NFC: Payments part of OS I outlined the high level view of what is going on. In order for this blog to make any sense let me be a little less obtuse on the next shoe which will drop: Visa and MA have both created HCE Apps which will REPLACE the SE based CARD EMULATION apps. “Replace” is more from a business context than from a technical one. SE based applications (like a door key, or healthcare card) could still survive.. but why would anyone want to pay the MNOs RENT if you don’t need to?
I don’t have much time to delve into the technical details, but there are 3 core elements to NFC: Radio, Controller, Secure Element. They had all been residing on dedicated silicon from companies like NXP. I discussed in Apple and NFC Part 2 how companies like Broadcom have integrated these separate components into a single piece of silicon. In other words the NFC Radio is just another radio alongside GSM, CDMA, Wi-Fi, Bluetooth, … With Android 4.4 Google has now made Payments Part of the OS by enabling an application to bypass the SE and use the radio as directed by the OS. Another way of looking at this: in a world of integrated silicon, there is NO dedicated controller… (the controller is in the firmware/OS).
NFC zealots will HOWL that there is no TSM, or security. But SECURITY has DEGREES.. there is no such thing as 100% non-repudiation. Visa and MA have both developed controls for how this will work, for example having a “token” that refreshes at a given rate based upon where the phone moves and how the phone transacts.
This model also addresses a key FLAW with NFC. HCE will allow for APPLICATIONS to access payment.. yes I am speaking of mCommerce (buying from an app or a web site). No longer will you have to key in your card information. NFC did NOTHING for this.
This is a FANTASTIC development for BUSINESS and for Android. Now you can create apps that leverage payment, loyalty, … It is also a fantastic development for CUSTOMERS as you will be in control of the TSM and card provisioning. You will be able to load ANY CARD you want.. not just the Chase and Amex cards that are in ISIS.
I believe that banks had a very limited view of this development, and that several of them will be calling V/MA to confirm that they are creating a new CERTIFIED Card Present scheme based on HCE. Bank control (push for credit use) has been as much of a drag on mobile payments (at POS) as telecom control. This approach BREAKS BOTH.
No one can fix EMV…. there are too many parties. New token rules together with HCE AND Network Enhancements (ex Wallet ID, Phone forensics, ..) provide a much finer grain of control than exists today. For example, the new structure will allow any given issuer to turn off all tokens for any given wallet provider. When comparing EMV to HCE++ we can’t forget WHAT EXISTS TODAY (mag stripe). No one can suggest that HCE++ is less secure than mag. Most banks realize that payments are NOT about security and authentication.. but about Fraud and Risk management. Not just “are you the person that controls the account”.. but “did you just lose your job and are you about to enter bankruptcy”.
The mobile device has SO much more data on which to manage fraud and risk. For example at Citi, SMS PIN code completely eliminated risk in new transactions. When we saw a new payee, we sent the consumer a PIN code to their mobile that expired in 1 min.. In a future HCE environment, if the bank sees risk it can PIN, or ask for a fingerprint scan (from Apple).
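One way to implement the new-payee PIN step-up described above, as an added example that is not from the original post or from any bank's system. The class name, the six-digit PIN, the three-attempt limit and the injected clock are assumptions; only the new-payee trigger and the one-minute expiry come from the text.

```python
import hashlib
import hmac
import secrets

PIN_TTL_SECONDS = 60   # the post's "expired in 1 min"
MAX_ATTEMPTS = 3       # assumption: the post gives no attempt limit


class StepUpChallenges:
    """Hypothetical issuer-side store of one-time PINs for first-time payees."""

    def __init__(self, clock):
        self._clock = clock        # injectable so expiry can be exercised
        self._known_payees = {}    # account -> payees already confirmed
        self._pending = {}         # (account, payee) -> [hash, expiry, tries]

    @staticmethod
    def _digest(pin):
        # Fixed-length bytes so the comparison works for any submitted string.
        return hashlib.sha256(pin.encode()).digest()

    def authorize(self, account, payee):
        """Return ("approved", None) or ("pin_required", pin_to_send_by_sms)."""
        if payee in self._known_payees.get(account, set()):
            return "approved", None
        pin = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
        self._pending[(account, payee)] = [
            self._digest(pin), self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return "pin_required", pin

    def confirm(self, account, payee, submitted_pin):
        """True only for a correct PIN that is unexpired, unused and in budget."""
        key = (account, payee)
        entry = self._pending.get(key)
        if entry is None:
            return False
        pin_hash, expires_at, tries_left = entry
        if self._clock() >= expires_at or tries_left <= 0:
            del self._pending[key]                # expired or guessed out
            return False
        entry[2] = tries_left - 1                 # count the attempt first
        if not hmac.compare_digest(pin_hash, self._digest(submitted_pin)):
            return False
        del self._pending[key]                    # single use
        self._known_payees.setdefault(account, set()).add(payee)
        return True
```

The short lifetime and the attempt budget are what keep a six-digit code from being guessable; without them the PIN adds little over the account credentials.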
HCE actually ALIGNS to bank and network (V/MA) objectives: keep intelligence in network and control with issuers. Today big banks differentiate themselves on ability to manage risk. They have made multi-billion dollar investments here. Complete security and authentication in a platform decreases their competitive edge. Perfect authentication is a NIGHTMARE to banks because then anyone could do their job and ID risk would be eliminated (not credit risk).
Big Technical UNKNOWNS
- Tokenization, Network Enhancements, New Card Present Scheme, New V/MA Emulation App, POS Terminals, Fraud Services, Device Forensics, Authentication, all are needed in this future model. Much is built.. but this is not without challenges
- Today’s NFC requires issuer keys to generate the dynamic codes required in a contactless transaction. IF this is reused, then issuers will be able to prevent HCE from working.
- Will V/MA attempts to impose Authentication/Fraud Services standards impact consumer experience or conflict with issuer requirements?
- Who will create the HCE standards that everyone can use? How long will this take? Are we back to ground 0?
Other quick thoughts
- This is not just PRESS.. HCE is actually all LIVE right now with a Canadian Bank.. RBC and SimplyTap (the Rocket Scientists of HCE). In this model an ISSUER has given its “NFC Keys” to SimplyTap for use in an HCE model that circumvents the NFC controller.
- I expect that Apple’s iOS will also follow this model within the next 8-12 months.
- Very positive for V and MA, Google, Businesses that transact with consumers
- Very positive for mobile POS payment
- Could create new differentiators for Android if Apple doesn’t follow quickly (I expect they will)
- Positive for merchants as consumers can now load debit cards on their phones and you can create apps that incent debit card usage
- Negative for companies that specialize in providing payment services to mCommerce or NFC
- Negative for PayPal.. why use them at all? your cards are stored in the phone. If you are a merchant with a mobile store front or app you will integrate with 2 payment service providers: Apple and Google.
- SEs will be going away. Connectivity and Authentication put data in the CLOUD.. not locked in a device with the carriers holding a key.
- Google has alignment on HCE. Devices from the top handset OEMs announced in the next week+ with no SE on board, like the Nexus 5
- Next BIG challenge? Certifying/standardizing authentication methods which provide for finer grained control of payments, cloud data, re-issuance of tokens…. 100s of new companies.