Samsung Pay Launches Today: LoopPay + NFC + Tokens

1 Mar 2015

———–Update 8pm

It seems that in the US, Samsung plans to create and certify a new software secure element within the ARM Trustzone architecture that precludes the need for SE Keys, avoids US MNO SE Key Ownership issues (that can’t make MNOs happy).

In other countries (China, EU, …) Samsung’s architecture would leverage the traditional NFC approach within the NXP SE (and traditional TSM).

This is a great technical approach, but is doesn’t appear that Samsung has bothered to sell US MNOs on the concept (of going around them). Anything US MNOs subsidize they must approve..  Which means no pre-installation, particularly given the new Google relationship outlined below.

—————-

Brilliant tech and security.. killed in the US by recent Softcard deal

Samsung has just launched its LoopPay plus NFC (plus tokens) with support of top 5 US banks, MA, Visa, Amex, FD. What is it? a mobile payment wallet that works at the POS within Samsung’s new S6. The “new” part is hardware based upon their recent LoopPay acquisition (Samsung calls MST ?Magnetic Secure Transmission?). What does this Loop stuff do? It enables your phone to talk to any payment terminal that accepts a swipe by “emulating” the magnetic field generated as your plastic card’s magnetic stripe goes across the payment terminals’ reader (ie head). This is SUPER cool stuff.. and addresses the key problem impacting ApplePay today: merchant acceptance. In other words a LoopPay enabled phone payment can be accepted anywhere a card swipe is accepted (mag stripe).

Operationally the new payment wallet will combine Loop’s mag stripe emulation plus traditional NFC to work with terminals in either a “swipe” or “tap” mode. If a terminal accepts NFC SamsungPay will detect it and use the more secure NFC, if not it will emulate the magstripe. Technically Samsung has done a super job creating a “secure enclave” equivalent within the ARM TrustZone (and NXP’s PN66T.. having dumped Samsung’s Snapdragon). Samsung may have achieved a coup over  Apple in this new architecture (approval for storing card encryption keys within a new software secure element which will be certified as EMV compliant). This means Samsung doesn’t require the SE keys (in the US) and can also ride on the existing token rails that were created by ApplePay, thereby leveraging the same provisioning process for enabling cards that the networks created in ApplePay. Interestingly neither Samsung nor Google have been able to get the 15bps that Apple got.. showing that banks have learned lessons and that the ApplePay late followers (Samsung)  are now in a weaker position.

The “bad news” is that SamsungPay software is VERY VERY far behind (think Aug/Sept best case), and even if it were ready today it will never be be pre-loaded on ANY phone in the US (given the recent Google/Softcard deal with all 3 major US MNOs). The Google/Softcard deal hit Samsung HARD.. a complete surprise. What does this mean? Complete chaos. SamsungPay Loop requires specialized hardware (MST in S6 Only),  This means that SamsungPay will not work with any existing US handsets (all the SE keys went to Google and old phones don’t have the new ARM TEE with Software SE), applekorea-nov2014-counterpoint

Why would Samsung make this kind of “marketing announcement” without an operational wallet, carrier support and big US holes? Guess is they are feeling the pressure from Apple. The new iPhone is even grabbing over 33% marketshare even in Samsung’s home market (see Reuters article). There are MANY pieces necessary to make a wallet launch work: hardware, new loop acquisition, tokens, certification, bank support, it looks like they have those taken care of.. what is missing? MNO support, SW SE certification and a production ready software wallet.

While I’m rather negative on the prospects for Samsung in the US, I’m very enthused about Samsung’s prospects outside the US by leveraging a traditional NFC architecture plus tokens. As I discussed in Secure Element, NFC, HCE, EMV, Tokens and Cards, tokens plus mobile enabled identity (token assurance information) have enabled software to displace specialize hardware. In this case, a tokenized LoopPay is pure genius.. taking a basic device the tricks the card head into accepting information.. into a card transaction much more secure. I’m not going into the fraud prevention measures, but rest assured “replay attacks” will not be possible.

The purported “mobile acceptance gap” that Samsung’s wallet WOULD address is primarily in the US and due to a lack of merchant terminals that accept NFC. LoopPay addresses this gap through emulating the mag stripe swipe.. The US is where mag stripe swipe remains predominant, and only in a very short term “interim” period before EMV becomes mandatory in October of this year. Thus the market where mag stripe emulation would deliver the most value is the US, yet it is only so for the near term (EMV rollout), with a much delayed software release (September) in an inaccessible MNO environment (per Google/MNO reasons above).

Summary

  • SamsungPay is LoopPay plus NFC plus tokens. There won’t be anything to even trial until late summer, it is a marketing launch only (S6 contains the necessary HW)
  • Google/Softcard/US MNO deal has completely killed hopes for SamsungPay in the US, as MNOs CAN NOT pre-install on any Android phone (including S6).
  • Samsung’s hardware is very innovative, leveraging Arm’s TrustZone to store the EMV keys in a new software secure element within ARM’s TEE. I’d be surprised that the networks have already certified this.
  • Visa/MA and Amex will leverage their existing token infrastructure (from ApplePay).
  • LoopPay is super cool and tokens make is super secure.
  • Banks will be able to provision cards to SamsungPay just the same as the do with ApplePay today. Some banks may want to consider the incremental risks associated with the LoopPay card emulation. It looks like the controls are there, but it is not a card presentment mechanism that many have experience with.
  • Perhaps my biggest news here is something that wasn’t announced. My understanding was that Paypal was part of the launch. Perhaps they want to get a little momentum before pissing off all the banks.
  • My biggest unknowns: software live date, bank rev share, TEE certification for holding card keys (Tier 1 TSP), Paypal, HCE in the US (to by pass the Google’s SE key ownership), how will consumer install on top of (next to) GW and why would they want to?

 

 

 

9 thoughts on “Samsung Pay Launches Today: LoopPay + NFC + Tokens”

  1. Thank you for the blog. TEE certification is orthogonal to SE certification. If the S6 has a built-in NXP NFC SE this is more like the Apple Pay security model. TEE does not handle secure (as in SE) storage, but secure execution (as does the ‘Secure Enclave’ on Apple’s devices: iPhone has both an SE and Secure Enclave). Pushing EMV keys to the embedded SE would be solely Samsung’s call.
    My 2 cts

    1. My understanding is that the S6 will operate as you describe outside the US (in a ApplePay like model leveraging the NXP SE). Within the US they apparently are on track to create and certify a new software secure element within ARM’s TEE to avoid carrier SE Key ownership issues.

      1. So it seems it’s not an NXP SE but an Oberthur eSE… It’s not MNO-issued but Samsung-embedded so why wouldn’t Samsung be able to push keys and applications to it (through Internet and the TEE)? GP specifies an API to handle SE management from a TEE. I’m sure different models could exist in US and elsewhere but I’d like to understand the rationale behind that…

  2. Now we know why PayPal wasn’t mentioned. They just bought Paydiant (CurrentC).

    Boy, did Apple drop a grenade in the punchbowl or what?

    1. Does Paydiant own CurrentC? It’s my understanding that they developed the tool but MCX owns the wallet. It does seem like a logical step for PayPal to manage CurrentC and by adding other settlement methods they can make it more consumer friendly while still employing all the steering to ACH strategies to make it cheap for merchants.

  3. One key point overlooked in this post and related comments: is there, in the US, much of a market for proximity payments?

    If the US were chip and pin, proximity would make checkout faster. But the US is swipe, and will be for years to come (e.g. EMV will take years to become prevalent). Given that, why would anyone other than those payment geeks among us, what to replace swiping a card with their phone?

Leave a Reply

Your email address will not be published. Required fields are marked *