Apple… Payment via BLE/Beacons will still happen (but when is issue)

2 May 2014

Many great blog comments. Let me go through some generic questions/answers.

Apple wants BLE/Beacons/Tokens… but will not release wallet with this capability for following reasons (my best guess):

  • Issuers must approve Token/Beacon model: creation/provisioning of token (TSP), use of tokens (not eCommerce), and assurance information.  This was the reason behind my Assurance Blog this week.
  • Apple is keeping the Banks in the dark to protect information on the launch (probably a good idea).
  • Similarly merchants are being kept in the dark, no coordinated acceptance infrastructure. Thus iBeacons will likely be a phase 2 (or limited phase 1).
  • Politics/negotiations/existing agreements. My guess is that Apple does want revenue from this new product, but will be disappointed. There is no economic model for a wallet provider in a card present transaction. This has been one of the reasons why NFC/Provisioning has failed, and the credit card only model.
  • Payment is NOT the focus of Apple’s new services and Hardware..  (see blog Apple Greatest Asset – Ability to Change Consumer Behavior)

What makes most obvious sense for Apple in Payments?

In a perfect world Apple would convert all 600M cards to tokens and leverage this both for iBeacon/POS presentment AND for eCommerce. I believe this was their initial plan.. and still their plan. My view is that all eCommerce merchants and wallet providers would be glad to let the networks exchange COF for tokens.. a few of the big ones are my clients. Let’s just say the network’s message “you have to work with EACH issuer on card present pricing, value proposition and data”.  Yep it is that bad.

As you can imagine Issuers want revenue, credit card usage is incremental revenue.. Everything else in the iBeacon/token model above is a LOSS, thus Issuers are not exactly running to support. Thus token business issues abound for: debit, eCommerce, wallets, data, control, acceptance, …etc.

For example, Banks hate the idea of losing card not present (CNP) rates for eCommerce and having the networks locked into the TSP role. So Apple must keep a token in the phone, and also keep the 600M cards on file until the payment networks can get the cojones to define standards around assurance, tokens in eCommerce, and force issuer acceptance of risk and card present rates. Issuers have a strong case for caution, as Networks did this before (eCommerce/CNP liability shift) and failed miserably (see my blog vbv/msc Failure, and Bruce Schneier’s similar post).

Data, data, data. My belief is that Apple is taking on the role of consumer champion (see blog Apple’s Platform Strategy: Consumer Champion). Apple may not realize that this new architecture meaningfully impacts both bank and merchant data services.  Merchants and processors will no longer have insight into the consumer card number, which in many cases is used for analytics and loyalty.

Issues/Unknowns

  • Durbin/Hybrid Card. Per rule you can NOT wrap a debit card with a credit card. The card type must also be known to the merchant. If the Apple wallet has only one card per network, and consumer can store a debit card.. then that card must be a debit card.  Perhaps Apple doesn’t know this, or the implications. Someone is pulling a fast one.. the networks certainly know this rule, and undoubtedly will feign ignorance when consumers try to register their debit cards… only to find out later that they can’t be used.
  • Acceptance. If Apple launches with credit card only they will have failed to deliver any merchant benefit, or act as consumer champion. Similarly merchants (ex MCX consortium)  will have little case for adding contactless acceptance if they don’t know the card/cost or everything is a credit.
  • Process for taking the 600M cards on file and auto registering them with the networks. This could be going on now, with the networks building an issuer interface for approval.
  • Tokens. Apple really wants to make this happen, but only Amex and Paypal are in a position to support. My recommendation to Apple would be to get moving with tokens and Amex… as a lever to make V/MA networks get moving.
  • Pilot Merchants. Beyond the Apple store, I would pick Macy’s, Nordstrom, American Eagle, Gap, and a few others out as the most innovative in payments.. and the most likely pilot customers for an iBeacon shopping and checkout experience. Keep your eyes peeled.
  • Will Apple move forward with an iBeacon breakout without network/issuer support? This would make sense in the US, where contactless adoption is terrible. Apple certainly has the expertise (and cash) to go strong on iBeacons, go around the networks and treat as CNP transaction (owning the fraud/risk) and manage the fraud internally. They could do this in select retailers (in US), and focus EMV Contactless capability outside the US.

I believe Apple didn’t put NFC in the 5s because they thought that they could launch Beacons without the Network’s support.  When launched all iPhones will be able to take advantage (only BLE H/W dependency).

iPhone 6 – Payment Predictions

30 April 2014

I’m on a roll, so thought I would put this out there as a positive prediction (vs describing how Apple is Throwing GSMA’s NFC under the Bus). My views are as much informed from the “negative” as the positive. For example, my starting hypothesis is Apple will enable a POS payment capability in iPhone 6. It was the reason for the timing of the Oct 2013 “token” announcement from the big 3 payment networks. As most of us asked “where on earth did this come from”…. It came from Apple (or the network response to Apple’s initial plan).

My problem in figuring out what is going on (if anything) is that Banks have no idea what Apple is planning. Current guess below revolves around assumption that the 3 payment networks do understand the plan. Thus the question becomes “what can Apple do in payments that starts with the payment networks, but does not involve the banks”? Constraints? It must involve: tokens, Apple’s security architecture, 600M cards on file, existing card presentment infrastructure, existing rules, recent lessons learned, and be able to expand to iBeacons.

My predictions

  • Apple will have a certified EMV contactless capability from V, MA and Amex in the iPhone 6.
  • Apple’s contactless is a proprietary architecture, based upon both tokens, and 3 card emulation applications (4 perhaps with Paypal)
  • Each Network will act as a Token Service Provider (TSP), with one token in each card emulation application. The TSP specs give this away, per the Spec, the TSP must be approved by issuer and have ability to translate token to Card. Apple may want to be the TSP… but Banks will say no. This solves a BIG problem with card provisioning, with V/MA/Amex already having the “proxy” card/token provisioned in the iPhone, and each bank working with respective network to turn on their card.  This is the Google model, with the networks running the TSP as opposed to Google/TXVIA.
  • Apple will not work in iBeacon model at launch, but rather EMV Contactless. You notice I’m not saying NFC.. from a merchant’s perspective this will look like NFC, and use the NFC protocol, but certainly not from a GSMA NFC perspective. There are no other vendors in this solution beyond Apple and their hardware suppliers (?Broadcom?)
  • Cards will be “provisioned” into the wallet through complex process involving Issuing banks, TSPs, and Apple. Apple’s inventory of Cards on file will be registered with the TSPs, and Bank issuers will approve based upon Token Assurance information, MNO information, card usage information … (yesterday’s blog).
  • Fingerprint will be key process which unlocks card/wallet and enables EMV Contactless interaction. Customer experience? EMV Contactless, consumer unlocks phone with fingerprint and authorizes purchase on Payment Terminal. iBeacon? Same thing only works on all iPhones via BLE (no proximity/NFC)
  • How will Apple make money on this? They won’t… nada. Although there COULD be a way forward given that the product presented to merchant is in control of Networks AND the Issuers are in control of their cards.. a potential… but given lack of issuer participation, I have no idea of how they would pull this off. I do believe that there are groups in Apple that want to make money on a card present transaction, but join the club.. there is no economic model in any network agreement for a wallet provider.
  • I want to emphasize again.. this is just the easy payment part. I strongly believe that looking at payments in isolation is the wrong way to view this (see Blog).

I like this.. IF consumers can choose which payment products to store in phone (debit card). I think the Bank Issuers will flip out when they hear that V/MA have locked themselves into the TSP role.. talk about a reversal from TCH. Issuers could make the case that the networks own the fraud loss since it is a network proxy card wrapping the issuers card…. can’t wait for that one to happen.

I’m 90% confident in the above… let’s see if I can keep my perfect track record on Apple, Google, Tokens and NFC.

 

Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”

28 April 2014

I must get 10 calls a week on Apple/NFC.  I’m quite concerned that Apple’s new capability will be completely misunderstood by the press, so I thought I would preempt all the NFC zealots out there with my own tag line.. So far I have a 100% success rate in predicting Apple and NFC (blog). Don’t know if I can keep it up as I read the tea leaves. Let me start with facts, then give you my informed opinion.

Facts

  • There are 2 aspects to NFC: 1) the communication protocol as defined by the NFC Forum (this stays as is), #2) The GSMA’s construct and standards for how NFC can be deployed in a handset (things like TSM, SE, SWP, …). See http://en.wikipedia.org/wiki/Near_field_communication
  • Neither Google, Apple, Merchants nor Bank Issuers are in favor of the GSMA’s NFC platform. This is a fact in my mind… particularly in the US.
  • Host card emulation has created a way for all Android 4.4 and above phones, with an NFC compliant radio, to provide application access to the NFC radio. Phones cannot be certified for 4.4 unless they demonstrate support for HCE. See blog HCE – Now the Preferred Contactless Approach
  • The new card present scheme “Tokenization” was announced Oct 2013 at Money 2020, with the specification out last month (see EMVCO details). See my blog Payment Tokenization.
  • HCE and tokenization play together well. Tokens must be coupled with something else (Device ID, Biometrics, PIN, …). For those that have been MIS informed by Gemalto… there is NO NETWORK connectivity requirement for HCE/Tokens. A token representing a card is in software on the phone. It can be stolen.. but it is a worthless piece of information without the other identity/device information. HCE gets around the EMVCo Contactless encryption requirements.. and operates under the TOKEN specification. But there is much grey area here.. as “acceptance” of token is not clearly defined (including pricing). Thus the only “covered” presentment method from a phone to a POS is through a card emulation application. Token acceptance will be coming later, but “assurance levels” are making this a crazy space (tomorrow’s blog).
  • Update – I see that the smart card alliance has already responded to my blog here. The need for a trusted execution environment.. blah blah blah. Did you know that in an EMV contactless transaction that the PAN is sent in the clear? Yep… the need for the TEE is around signing a cryptogram (to verify where the card came from). Obviously I would much rather hide the PAN in a token, and enhance with phone information than give the PAN in the clear and sign something. There is no need for a TEE in payments, just as I access my bank through my browser on my PC without a TEE.. I can also do so with a phone. arghhh…
  • Tokens align well to banks and payment network dynamics and investment. US Banks had been working on a tokenization initiative for the last 3-4 years in the Clearing House (blog).
  • In both HCE and Tokenization scheme, the ISSUER IS IN COMPLETE CONTROL of their card. Issuers generate the token, and authorize the transaction.  US issuers have their own token infrastructure in place from the TCH initiative (above). I wish I could emphasize this more. With HCE, issuers control which application(s) can present a card..  just as they did within the TSM provisioning model.
  • There are HCE pilots that are live and functional. So much for not being “viable”. The issues are not around technology, but rather validating fraud controls and device ID. Issuers can be up and running with either Mastercard or SimplyTapp in weeks.
  • Perfect authentication and security is a nightmare to Banks.. Banks make money on ability to manage risk. There is no risk in a world of perfect authentication. Or as Ross Anderson says “if you solve for authentication in payments… everything else is just accounting”. See Blog – Perfect Authentication is a Nightmare for Banks.
  • MNO led payment schemes (the GSMA’s platform) are failing in OECD 20 (mature markets, but are leading the way in Emerging Markets). I have seen the transaction numbers… Reasons are multifaceted (see blog for reasons).  The technology works.. it is beautiful.. problem is business/consumer value proposition and consumer behavior.
  • Historically, new POS payment instruments and POS payment behaviors are established through frequency of use. There are 3 categories: Grocery, Gas, Transit. Transit is the global success story (Docomo, Suica, Octopus, …)
  • 4 Party Networks have a limited ability to change rules, Issuers dominate in influence. Amex is 3-5 years ahead of every US issuer in terms of capability, strategy and execution.

 

Opinion

  • Apple’s biggest asset is their ability to change consumer behavior (blog).
  • Apple’s iPhone 6 will be coming out in October (my best guess) with payment capability. It will have the capability to communicate in the NFC protocol.. but nothing about the new iPhone will be compliant with the GSMA’s architecture
  • Apple’s new capability is NOT ABOUT PAYMENT, but about Commerce (see blog) as they act as a CONSUMER CHAMPION (see blog).
  • Tokens play very, very well into an iBeacon model. Given that tokens are worthless “keys” that refer to a card.. these keys can be exchanged in the open with BLE. There is no need for near field if the information is worthless.
  • -Update- From my perspective I would not refer to Apple’s efforts as HCE. Where Google’s HCE repurposed an existing chipset to create a new software model, Apple has designed a new hardware model. Apple will be using bank issued tokens. Banks will look at using these delivered tokens in combination with: 1) Apple derived authentication score, or 2) MNO device ID from Payfone, 3) Bank mobile application information, 4) combination of above.
  • Authentication is key to Apple’s role in consumer trust and commerce. Per my blog Authentication in Value Nets, Apple is 3 years ahead of Google and everyone else in integrating software and hardware level security (ex Secure Enclave). Google has a path for a secure execution environment through Arm’s Trustzone, but this is more challenging as Google does not mandate hardware architecture (yet).
  • Apple’s new POS payment method will involve finger print on phone, and token presentment to retailer. It can be transmitted via NFC, BLE, QR Code.. or whatever the merchant and consumer can agree on.
  • How does Apple make money on this? I don’t think they will make money on payment, but rather on #1 Authentication (charging the card issuers for an authentication score), or #2 Marketing (charging merchants for consumer insight/ability to reach consumer).
  • Gemalto continues to cast stones, and miss revenue targets. Mobile Communications revenue of €225mn (-5.7% YoY growth, -1.0% constant currency) came in below consensus of €245mn (2.7% YoY). This is the second consecutive disappointing quarter for Mobile Communications, with revenue down 4% YoY in 4Q13. Why would any MNO invest in a secure vault on an Android handset when any application can go around it? That’s right.. there is no lock on the capability. This tremendously impacts the willingness of MNOs to “invest” in incremental features.. when their “investment” can be used without their permission.
  • What will REALLY impact Gemalto is a VIRTUALIZED SIM. Don’t think this is coming in iPhone 6.. but it is coming (see Virtualized SIM).
  • The next 2 years will see mobile payments as a “1000 flowers blooming”. Top card issuers will extend their mobile banking applications to enable card emulation (BLE, NFC, QR, … whatever).
  • Payment Networks will be working to expand the 16 digit PAN to something much larger to support dynamic tokens. They will be working to transition Cards on File to tokens.. with perhaps a card present value proposition.
  • MNOs will realize that they have a unique ability to create a device ID that competes with Apple’s biometrics. Payfone is the leader in the US, Weve in the UK. Beyond this, they may also begin to realize the $5B KYC opportunity I outlined 5 years ago.

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldom driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog).  Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control.  The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Feds call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog).   Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me),  MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card, are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

  • an x% interchange reduction
  • Treat as Card Present, and own fraud (can not certify unless acquirer)
  • Access to DATA as permissioned by consumer
  • Share fraudulent account/closed account activity with you to sync

If you:

  • Tokenize (dynamically) every one of our JPM cards on file
  • Pass authentication information
  • Collaborate on Fraud

This is MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

HCE – Now the PREFERRED contactless approach

Feb 19

HCE Gains Official Support from V/MA today

So much for 2 NFC/TSM CEOs telling me that HCE was “not viable”.  I told you Feb was going to be a great month.. and this is not even the tip of the iceberg. As I look at the number of reference links below.. I realize that I’ve been talking about this stuff for far too long. For detail on what HCE is see my November Post HCE Breaks the MNO Lock.

Today’s announcement primarily impacts BANKs. Message to Banks, if you want to test HCE TODAY there are 3 options: Mastercard, SimplyTapp, or Android 4.4 DIY.  Before everyone gets too excited.. the same mobile payment hurdle remains: merchant adoption. Technically HCE looks exactly the same to a payment terminal as NFC and unfortunately it also has same (terrible) business model (everything is a Credit Card .. by Bank design). Credit cards cost 200-500bps (% of sales) vs a flat fee of $0.07-$0.21 for most debit cards.

What does this announcement mean?

  • HCE Token Presentment = Card Present Paypass/Paywave
  • No more TSM, Payment is in the OS, No more dedicated NFC chipsets, and the MNO lock is gone. (Sell Gemalto … losing MCX and NFC in the same week?)
  • Visa/MA prefer HCE to NFC hands down. It allows them to own the tokenization of cards in mobile. HCE actually ALIGNS to bank and network (V/MA) objectives: keep intelligence in network and control with issuers. The Networks ARE the TSMs. Mastercard is 3-5 years ahead of Visa here (with actual pilots). Visa is attempting to make up lost time by creating a more flexible program to support HCE within Visa Ready (Issuer Support). Note “Visa is Developing”.. vs.. call up MA and start the pilot. Visa’s token focus had been on the eCommerce side (V.me), and will have to run hard to play catch up.

  • Android Rules! Cards, Tokens and Door Keys in Apps. Your Citibank mobile app can pay at a contactless terminal, your Starwood App can open hotel room doors. Apps have access to ISO 14443/18092 compliant exchange.. with the support of Android. This is where it will get VERY interesting. Google created HCE based upon the contribution of SimplyTapp’s Software (via GPL). I believe it is a tremendous competitive edge for Android, and I would bet they work to “manage” the deployment of KitKat and approve applications that can leverage it, as they MUST be part of Google’s Authentication/Biometric plans. Why is this better than Apple’s Beacon/BLE approach? Google is a Platform that will allow hundreds of apps to access the radio where they will own security and authentication (open innovation). Apple is a hyper controlled structure where beacons will talk to your phone in defined ways through approved apps (managed innovation). OK this is a bit of simplification, but until Apple actually releases a product don’t complain about it.
  • Tokens, Tokens, Tokens.  I could write a book on the interplay here. Much of the V/MA stance evolved from the previous TCH Token Project (see Money 2020 Blog and Business Implications of Tokens). The banks were working to end run Visa and MA on mobile tokenization. Theme is “if there is a number in the phone, why would we [Bank] want it to be a Visa or MA number.. let’s make it OUR OWN number (ie a Token)”. After 3+ years the effort floundered and now TCH is left to be the standards body. Visa and MA reacted, most likely because of all my excellent token blogging (not), and together with Amex announced a new shared token approach.

Important. In the mobile context think of tokens as constantly changing card numbers. In the early stage HCE tokens will be 16 digits to support current payment infrastructure, but will evolve in next 2 years to be complex token identifiers much longer than 16 digits. Visa and MA have both developed controls for how this will work, for example having a “token” that refreshes at a given rate based upon where the phone moves and how the phone transacts. A Token could refresh at different rates (10 seconds to 10 weeks) based upon how the user transacts or what part of the world they are in. In this model Token generation is a NETWORK responsibility, which is why V/MA love this model.  In the new token schemes, there is opportunity for the “mobile handset” to provide biometric and security information. As I stated before, NFC zealots will HOWL that there is no TSM, or security that a number will be stored in software. But SECURITY has DEGREES.. there is no such thing as 100% non-repudiation.  I will leave it a subject to a future blog how ID providers are paid for this service.
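
Two token properties described on this page, that a stolen token is worthless without the device information it is coupled with and that a 16-digit token can be refreshed, can be shown with a toy token service. This is an added example, not code from this blog, the networks or the EMVCo specification; the `TokenVault` class, the HMAC device key standing in for "device information", the `489537` token prefix and the test card number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # positions that are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def device_cryptogram(device_key, token, device_id, counter, amount_cents):
    """What the handset sends with the token: a MAC only the enrolled device can make."""
    msg = f"{token}|{device_id}|{counter}|{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Toy token service: maps 16-digit tokens to PANs and checks device binding."""

    TOKEN_RANGE = "489537"      # constructed prefix, not a real issuer range

    def __init__(self):
        self._records = {}      # token -> card/device record

    def _new_token(self):
        while True:
            body = self.TOKEN_RANGE + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._records:
                return token

    def provision(self, pan, device_id, ttl_seconds, now):
        """Issue a token for one card on one device; returns (token, device_key)."""
        token, key = self._new_token(), secrets.token_bytes(32)
        self._records[token] = {"pan": pan, "device_id": device_id, "key": key,
                                "expires": now + ttl_seconds, "last_counter": 0}
        return token, key

    def refresh(self, old_token, ttl_seconds, now):
        """Swap in a new token for the same card and device; the old one stops working."""
        new_token = self._new_token()
        record = self._records.pop(old_token)
        record["expires"] = now + ttl_seconds
        self._records[new_token] = record
        return new_token

    def detokenize(self, token, device_id, counter, amount_cents, cryptogram, now):
        """Return (pan, "ok") or (None, reason); the PAN is released only for a valid MAC."""
        record = self._records.get(token)
        if record is None:
            return None, "unknown_token"
        if now >= record["expires"]:
            return None, "token_expired"
        if device_id != record["device_id"]:
            return None, "wrong_device"
        if counter <= record["last_counter"]:
            return None, "replayed_counter"
        expected = device_cryptogram(record["key"], token, device_id, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad_cryptogram"
        record["last_counter"] = counter
        return record["pan"], "ok"


def run_demo():
    vault, t0 = TokenVault(), 1_000_000.0      # fixed clock for a repeatable run
    pan = "4111111111111111"                   # well-known test number, not a real account
    token, key = vault.provision(pan, "device-A", ttl_seconds=600, now=t0)
    out = {"token_shape": token.isdigit() and len(token) == 16 and token != pan}
    good = device_cryptogram(key, token, "device-A", 1, 2599)
    out["genuine"] = vault.detokenize(token, "device-A", 1, 2599, good, now=t0 + 5)
    # Token and cryptogram captured in the open and presented again unchanged.
    out["replay"] = vault.detokenize(token, "device-A", 1, 2599, good, now=t0 + 6)
    # Token copied off the phone, but the thief does not hold the device key.
    forged = device_cryptogram(secrets.token_bytes(32), token, "device-A", 2, 2599)
    out["stolen_token"] = vault.detokenize(token, "device-A", 2, 2599, forged, now=t0 + 7)
    out["other_device"] = vault.detokenize(token, "device-B", 2, 2599, forged, now=t0 + 8)
    # Refresh: same card and device, new 16-digit number.
    new_token = vault.refresh(token, ttl_seconds=600, now=t0 + 10)
    stale = device_cryptogram(key, token, "device-A", 2, 100)
    out["old_after_refresh"] = vault.detokenize(token, "device-A", 2, 100, stale, now=t0 + 11)
    fresh = device_cryptogram(key, new_token, "device-A", 2, 100)
    out["new_token"] = vault.detokenize(new_token, "device-A", 2, 100, fresh, now=t0 + 12)
    late = device_cryptogram(key, new_token, "device-A", 3, 100)
    out["expired"] = vault.detokenize(new_token, "device-A", 3, 100, late, now=t0 + 610)
    return out


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:18} {result}")
```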

History

There may be a few new readers on this blog, so let me recap a brief history of how this came to pass.

NFC is a great technology, with a terrible business model. Developed by carriers in a walled garden strategy, they planned to charge $0.05 every time someone wanted to access a credential (like a credit card) in the “secure vault” within the mobile phone. The secure vault was the Secure Element (SE), with companies like NXP making dedicated chipsets for the function. See Carriers as Dumb Pipes.

Also see

  • ISIS Platform: Ecosystem or Desert
  • Apple and Physical Commerce
  • Network War – Battle of the Cloud Part 4
  • Controlling Wallets – Battle of the Cloud Part 3
  • Apple and NFC
  • Gemalto

Gemalto CEO: We will make “hundreds of millions” from MCX

4 Dec 2013

I had a large institutional investor forward me this article.. it is 60 days old.. but still I spit out my coffee laughing, so be careful.

http://nfctimes.com/news/gemalto-offers-details-mcx-deal-vendor-will-earn-fees-transactions

Gemalto CEO’s assertion that he will make “hundreds of millions” from MCX is a big pile of… um… “optimism”.  Given he is a public company, I can’t imagine how he could possibly give forward looking statements that are so completely and utterly unfounded. Perhaps communication by public companies in Amsterdam is a little more relaxed (a trip to the “coffee shop” with Bob Dylan. I better watch out, or I may be treated like Bob was yesterday see CNN – Bob D Inciting hatred).

Let’s do a little math.

MCX will likely process payments in a decoupled debit model with a net payment cost of  $0.05 (plus 10-20bps for fraud). If Gemalto were able to get 10% of $0.05 ($0.005/tran) it would take 20 BILLION transactions to generate $100M in revenue, at $40 per average transaction that would be 800 BILLION in sales. For perspective, total US retail sales are $2.4T (not including restaurants, auto, services, gas).  Wow…. Gemalto has quite an “aspirational” view on MCX adoption. I wonder if Gemalto’s CEO knows that the US operates in a competitive free market??

The only possible way to (re) interpret quote is that MCX will make 100M TRANSACTIONS. This means that Gemalto’s revenue from MCX would be $500,000 (at the VERY top end) in Year 5. I hope the institutional investors priced this “cloud” revenue…

I’ve yet to meet any vendor that has not left in tears after working with WalMart. These guys are supply chain Pros.. and no one makes hundreds of millions.. and if you were.. you sure wouldn’t go tell the press about it before your product went live.  Gemalto’s innovation is a pretty QR code.. they are complete idiots if they think that they are the only option for presenting a payment “token” to a POS (see Gemalto QR codes for detail).

[Figure: 12 Party]

I own no Gemalto stock, but if I did.. it would be a short position. Their bread and butter businesses are handset SIMs and Credit Card Chips. My view of the world is that dedicated hardware is moving toward software. For instance the SIM card.. most have seen Apple’s plan to virtualize the SIM (see blog).  Gemalto’s hopes for NFC are also dashed by things like Host Card Emulation (HCE) and the 12 Party supply chain. See this picture on the right? The 12 parties… ? Well they ALL need to make money.. and I can tell you with great certainty that the NFC suppliers in this market don’t have 2 dimes to rub together on NFC.. everyone is taking a bath. Gemalto represents 2 boxes of the 12 (UICC and TSM).. Twice the risk.. none of the cash. Investors look at it this way.. do you really want to bet on Gemalto over both GOOGLE and APPLE? FUBAR!

What is left for Gemalto? EMV Cards.. They will see a bump in demand over next few years due to US reissuance.. but Gemalto is a commodity supplier here. I see nothing in their future that will help them evolve toward a software model.. MCX revenue projections are complete bull&*^*&^

 

Issuers … give HCE a shot now

Imagine expanding your existing bank mobile app to do card emulation.. with NO TOLL to the TSM or carrier.. you are in complete control. A project which should be sub $1M AND NO CONTRACTS!!

The only current dependency is Android 4.4 with an NFC or HCE capable handset.. with over 40 new OEMs  handsets shipping in next few months.

I’ll fill this blog out in more detail, but here are the key actions

  1. mobile app development
  2. workout how your static signing keys can be deployed. SimplyTapp has solution in place (https://www.simplytapp.com/)
  3. Test with legacy embedded handsets and new OEMs to establish your test pool
  4. Create a new consumer registration service where virtual keys are provisioned to application (again SimplyTapp has this)

Google’s phones are ringing off the hook. Retailers, loyalty providers, Banks are all working to leverage this new approach. The Android team can help you with the APIs.. but recommend you get in touch w/ SimplyTapp today

(I have no current relationship with SimplyTapp… but think it is something that makes sense as hardware evolves to software)

– Tom

 

Software Secure Element – HCE Breaks the MNO NFC Lock

News Today – WELL DONE GOOGLE!  (Note good comments below)

In my July post Big Changes to NFC: Payments part of OS I outlined the high level view of what is going on. In order for this blog to make any sense let me be a little less obtuse on the next shoe which will drop: Visa and MA have both created HCE Apps which will REPLACE the SE based CARD EMULATION apps. “Replace” is more from a business context than from a technical one. SE based applications (like a door key, or healthcare card) could still survive.. but why would anyone want to pay the MNOs RENT if you don’t need to.

I don’t have much time to delve into the technical details, but there are 3 core elements to NFC: Radio, Controller, Secure Element. They had been all residing on dedicated silicon from companies like NXP. I discussed in Apple and NFC Part 2 how companies like Broadcom have integrated these separate components into a single piece of silicon. In other words the NFC Radio is just another radio alongside GSM, CDMA, Wi-Fi, Bluetooth, … With Android 4.4 Google has now made Payments Part of the OS by enabling an application to bypass the SE and use the radio as directed by an OS. Another way of looking at this: in a world of integrated silicon, there is NO dedicated controller… (the controller is in the firmware/OS).

NFC zealots will HOWL that there is no TSM, or security. But SECURITY has DEGREES.. there is no such thing as 100% non-repudiation.  Visa and MA have both developed controls for how this will work, for example having a “token” that refreshes at a given rate based upon where the phone moves and how the phone transacts.

This model also addresses a key FLAW with NFC. HCE will allow for APPLICATIONS to access payment.. yes I am speaking of mCommerce (buying from an app or a web site). No longer will you have to key in your card information. NFC did NOTHING for this.

This is a FANTASTIC development for BUSINESS and for Android. Now you can create apps that leverage payment, loyalty, …  It is also a fantastic development for CUSTOMERS as you will be in control of the TSM and card provisioning. You will be able to load ANY CARD you want.. not just the Chase and Amex cards that are in ISIS.

I believe that banks had very limited view of this development, and that several of them will be calling V/MA to confirm that they are creating a new CERTIFIED Card Present scheme based on HCE. Bank control (push for credit use) has been as much of a drag on mobile payments (at POS) as telecom control. This approach BREAKS BOTH.

Bank Benefits

No one can fix EMV…. there are too many parties. New token rules together with HCE AND Network Enhancements (ex Wallet ID, Phone forensics, ..) give a much finer grain of control than exists today. For example, new structure will allow for any given issuer to turn off all tokens for any given wallet provider. When comparing EMV to HCE++ we can’t forget WHAT EXISTS TODAY (which is mag stripe). No one can suggest that HCE++ is less secure than mag. Most banks realize that payments are NOT about security and authentication.. but about Fraud and Risk management. Not just “are you the person that controls the account”.. but “did you just lose your job and are you about to enter bankruptcy”.

The mobile device has SO much more data on which to manage fraud and risk. For example at Citi, SMS PIN code completely eliminated risk in new transactions. When we saw a new payee, we sent the consumer a PIN code to their mobile that expired in 1 min.. In future HCE environment if bank sees risk they can PIN, or ask for finger print scan (from apple).
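The issuer-side controls described here (switching off every token held by one wallet provider, and a one-minute PIN step-up when a new payee appears), sketched as an added example that is not from the original post or from any issuer's system. All class, method and status names are hypothetical, the sample values are constructed, and the three-attempt cap is an assumption.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 60   # the post's "expired in 1 min"
MAX_PIN_TRIES = 3      # assumption: the post gives no attempt limit


class IssuerRisk:
    """Toy issuer-side decision point; all names are hypothetical."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.tokens = {}             # token -> (account, wallet provider)
        self.blocked_wallets = set()
        self.known_payees = {}       # account -> payees already confirmed
        self.pending = {}            # account -> [pin, expiry, tries left, payee]

    def provision(self, account, wallet):
        token = secrets.token_hex(8)  # random surrogate, not derived from the card number
        self.tokens[token] = (account, wallet)
        self.known_payees.setdefault(account, set())
        return token

    def block_wallet(self, wallet):
        """Issuer kill switch: every token held by this wallet provider stops working."""
        self.blocked_wallets.add(wallet)

    def authorize(self, token, payee):
        """Return (status, pin); pin is set only when a step-up is required."""
        if token not in self.tokens:
            return "DECLINE_UNKNOWN_TOKEN", None
        account, wallet = self.tokens[token]
        if wallet in self.blocked_wallets:
            return "DECLINE_WALLET_BLOCKED", None
        if payee in self.known_payees[account]:
            return "APPROVE", None
        # New payee: issue a one-time PIN. A real issuer sends it by SMS
        # and never hands it back to the caller; returned here for the demo.
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = [pin, self.clock() + PIN_TTL_SECONDS, MAX_PIN_TRIES, payee]
        return "STEP_UP_PIN", pin

    def confirm(self, token, pin):
        account, wallet = self.tokens.get(token, (None, None))
        challenge = self.pending.get(account)
        if challenge is None or wallet in self.blocked_wallets:
            return "DECLINE"
        expected, expires_at, _, payee = challenge
        if self.clock() > expires_at:
            del self.pending[account]
            return "DECLINE_EXPIRED"
        if not hmac.compare_digest(expected.encode(), pin.encode()):
            challenge[2] -= 1
            if challenge[2] == 0:
                del self.pending[account]   # cap guesses against a 6-digit space
            return "DECLINE_BAD_PIN"
        del self.pending[account]           # single use
        self.known_payees[account].add(payee)
        return "APPROVE"


if __name__ == "__main__":
    issuer = IssuerRisk()
    tok = issuer.provision("acct-1", "wallet-A")   # constructed sample values
    status, pin = issuer.authorize(tok, "new-grocer")
    print(status, issuer.confirm(tok, pin), issuer.authorize(tok, "new-grocer")[0])
    issuer.block_wallet("wallet-A")
    print(issuer.authorize(tok, "new-grocer")[0])
```

Blocking one wallet provider leaves tokens held by other providers for the same account untouched, which is the finer-grained control the paragraph above contrasts with card-level shutdown.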

HCE actually ALIGNS to bank and network (V/MA) objectives: keep intelligence in network and control with issuers. Today big banks differentiate themselves on ability to manage risk. They have made multi-billion dollar investments here. Complete security and authentication in a platform decreases their competitive edge. Perfect authentication is a NIGHTMARE to banks because then anyone could do their job and ID risk would be eliminated (not credit risk).

Big Technical UNKNOWNS

  • Tokenization, Network Enhancements, New Card Present Scheme, New V/MA Emulation App, POS Terminals, Fraud Services, Device Forensics, Authentication, all are needed in this future model. Much is built.. but this is not without challenges
  • Today’s NFC requires issuer keys to generate the dynamic codes required in a contactless transaction. IF this is reused, then issuers will be able to prevent HCE from working.
  • Will V/MA attempt to impose Authentication/Fraud Services standards that impact consumer experience or conflict with issuer requirements?
  • Who will create the HCE standards which everyone can use? How long will this take? Are we back to ground 0?

Other quick thoughts

  • This is not just PRESS.. HCE is actually all LIVE right now with a Canadian Bank.. RBC and SimplyTapp (the Rocket Scientists of HCE). In this model an ISSUER has given its “NFC Keys” to SimplyTapp for use in an HCE model that circumvents the NFC controller.
  • I expect that Apple’s iOS will also follow this model within next 8-12 months.
  • Very positive for V and MA, Google, Businesses that transact with consumers
  • Very positive for mobile POS payment
  • Could create new differentiators for Android if Apple doesn’t follow quickly (I expect they will)
  • Positive for merchants as consumers can now load debit cards on their phones and you can create apps that incent debit card usage
  • Negative for companies that specialize in providing payment services to mCommerce or NFC
  • Negative for PayPal.. why use them at all? your cards are stored in the phone. If you are a merchant with a mobile store front or app you will integrate with 2 payment service providers: Apple and Google.
  • SEs will be going away. Connectivity and Authentication put data in the CLOUD.. not locked in a device with the carriers holding a key.
  • Google has alignment on HCE. Devices from the top handset OEMs announced in the next week+ with no SE on board, like the Nexus 5
  • Next BIG challenge? Certifying/standardizing authentication methods which provide for finer grained control of payments, cloud data, re-issuance of tokens…. 100s of new companies.

Appreciate feedback.

Who do you Trust?

9 Sept 2013

(sorry for typos.. on the road and will proof later)

WSJ article today on Apple’s biometric led me to believe the mainstream press is “missing” it. As I outlined in Payments as Part of the OS, generically for all handsets in Stage 4 Value Shift, and specific projections for Apple in Apple and NFC – Part 2:

  • Handsets are becoming a commodity; cameras, screen resolution, battery life are no longer differentiators
  • New differentiator is “Value Orchestration” across physical and virtual worlds
  • Apple and Google are best placed to perform this service, and do so today from “cloud access” to music, pictures, calendars, documents, to storage of personal information like cards, social,
  • The “KEY” to value orchestration is owning the customer relationship. Identifying and Authenticating the customer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.
  • Authentication is of little value if the platform is not “secure” and offers no unique services to Authenticate. iOS and Android started life as relatively unsecure operating systems, where “control” over individual app access to phone data was “regulated” by testing vs. enforced in platform security.

Platform Future

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software. From NFC to the SIM. Once security is in place, there is no reason Apple could not release a version of their phone with SIM virtualization/emulation. Could you imagine having 2-5 options at any given instant, using whatever carrier has best coverage and least cost given your current location… Perhaps even competing w/ Wi-Fi ? Of course this would destroy carrier subsidies.. but perhaps it may be worth buying an unlocked phone.. and carriers become dumb pipes competing to deliver the best service. There are a few regulatory roadblocks in the way.. but I am painting a future view that is already occurring in some markets (See dual SIM phones in India).

The implications for Android are much more significant than for iOS, given the number of Telcos that have leveraged Google’s baseline Android to create customized versions. If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …). The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

Trust – Everyone wants to play

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

Bank strategy seems to center on control of existing networks. What they don’t realize is that the harder they work to build barriers to entry, the greater the value of finding ways around them. A public example is Google’s acquisition of Zave Networks in 2011.  Prior to taking your credit card at the POS, there is another settlement process in place.. one around coupons (which are a legal form of tender). In this coupon environment, P&G or General Mills’ accounts are debited and the consumers account is credited. In this financial settlement system, there is no limit on what accounts can participate… This example perfectly represents the “innovator’s dilemma” where a “good enough” network supplants an incumbent as the nature of competition changes.

I was with a top 3 bank CEO this year, who was confident that they would win the MCX business. I asked why. Response was “we have these Retailer’s investment banking business and handle most of their processing today”.. My response “when did you bring them customers or help them compete”? He just did not understand the nature of his competition, it was not about cost of processing… the NATURE of competition in payments is changing. (See Retailer as Publisher)

Who do I trust?

I’m an ex banker and can tell you that Banks take the trust role very seriously. They are regulated and monitored.. I had to take 40 online tests a year to ensure I understood compliance, regs, …etc. What a nightmare! Is it any wonder why this environment is not ripe for innovation? Can you imagine what the CFPB would do to a big bank when it had customer data not related to an account? It would have to explain why they had the data, how they obtained it, the customer agreement terms, what they would do with it, the safeguards around use, storage, retrieval, how they planned to make money from it.. It’s like your mother in law sitting next to you everyday asking you what you are doing. I certainly Trust a bank.. but they will never ever get anything done here. They need partners, but they want to dominate the relationship.. The country w/ most advanced model of Bank led “trust” authority is Korea (see link).

I love Google and think every one of their employees is working to “do no evil”. They are the most well meaning and least “nefarious” fortune 50 I have ever worked with.. but they are used to getting data for free and selling it back in services. Consumer safeguards seem rather absolute.. and their data stores are so massive and intertwined it’s hard to pull it apart, particularly when a “consumer” relates to an account(s) and device(s)… Google knows things about me that I have not specifically permissioned them for. They have the capability to be secure, but few current services where that is an imperative (payments, Google Drive).

Apple is from another planet, there is just no one else like them in keeping secrets. How do they do it? Yes I trust Apple.. they only know what I tell them…. I like this model.. If I added healthcare info to my iCloud account.. I have confidence it would be secure.

MNOs. This is a breakout business for them (See KYC $5B opportunity). GREAT authentication means physical verification of customer/credentials. I believe US MNOs are in a position to deliver this service through Payfone… but it must be integrated to local physical distribution channels for a “new” account type. This is where digital signatures could really take off… from signing mortgage documents to account applications..  I believe MNOs are best placed for the Trust role because of their physical distribution channels and knowledge of consumer.  Forget about ISIS.. if you own authentication everything else is dependent on you.

Side Note: PayPal is getting far too much attention

They had a slew of new product releases last week. All focused on “convenience” not on COST or customer acquisition. As I outlined.. PayPal is nowhere in off-ebay mobile payments ($1B – see my 10k Breakdown), they are under attack as processors like FirstData refuse to route their physical payment. The only prospective customers of PayPal are services, or Branded retailers that restrict distribution, as the eBay marketplace encourages price competition for distributed CPG products. Jamba Juice, Dunkin Donuts, and Under Armour are example prospects.. Consumer adoption is driven by frequency of use.. If PayPal can’t make traction in Grocery, Gas or Transit their prospects are very bleak.

From a network perspective Physical POS was NEVER PayPal’s focus.. it is not what they do, or why their current consumers and merchants use them.

ISIS National Launch

My informed view is that carriers are 2 years late to this game, have lost the opportunity, and may actually suffer significant negative consequences from this launch

Venture Beat has good article on ISIS’ planned national launch later this year. My teleco friends tell me there will be $200M in advertising to support it (rumor is Sept/October).

As I was the first blogger to uncover this thing (4 years ago Project Mercury and had many of the participants wrong), the initial 2008 supporters (Discover, Walmart) walked away from it in 2010 after ISIS switched from a retailer friendly model, to a bank/card model. Given it’s been over a year since my last ISIS post, thought I would continue to provide my perspective… (you get what you pay for).

After speaking directly to top 5 Bank CEOs, Card Heads, Top 10 Retailers, as well as mobile platform leaders…. My informed view is that MNOs are 2 years late to this game, have lost the opportunity, and may actually suffer significant negative consequences from this launch. Specifically this may be the event which creates a tipping point where MNO’s lock on phones (including subsidization) makes a big turn.

Why?

  • Customer Behavior Barrier (see blog). Customer must buy new phone, obtain new SIM (GSM only), register payment instruments, change the way they pay physically, change the financial way they pay (no more debit)… each one of these is a show stopper.
  • Where will I use it? Globally, it is well known that there are 3 areas which drive new payment type adoption: Grocery, Gas, Transit. Rumor is that ISIS may have gotten a big Gas win (?buying Exxon’s speedpass?) but given that top 20 retailers (corresponding to 60% of retail spend) have all said they will not support NFC, consumers must still carry their physical card. See list of ISIS merchants (https://www.paywithisis.com/where-to-use.xhtml)
  • My choice of payment? If the first 2 were not significant enough, there are no debit cards in the ISIS wallet. Most of the readers are probably points junkies like me and don’t understand mass market consumer behavior. Mass Consumers don’t use credit cards frequently, roughly 80% of credit cards have less than 5 transactions per month. This is why Banks were supporting ISIS.. to drive increased credit card usage. Of course this is also the reason merchants have refused to support it.
  • WHY will I use it? What is the value proposition? to Consumer? How is it better than a plastic card? In the 7 pilots my teams have done globally (w/ Citi), we always see a novelty phase, where consumers want to use their new phones.. they see it works.. but it really isn’t any faster than physical card. I would bet my britches that ISIS has seen this dynamic themselves in Austin and Salt Lake.. it is NOT something they will muscle through. Unfortunately they aren’t really discussing w/ their owners.
  • Competition: Payment capability vs. New Platforms. As I wrote about yesterday, Apple and Google are making payment part of the OS. New phones from Apple and Google will not support SIM based SWP. In fact I believe Apple will embed SIM (taking away all carrier keys). We will see US MNOs launch w/ Windows phones and a few customized android handsets. MNOs are thus focusing a marketing effort around a “new” payment capability with “old” phones. SWP SIM, is not a “killer app”, particularly against a new Google XPhone or new iPhone
  • Demographic/Audience. As tech leaders and gadget freaks buy the new iPhone and XPhone, MNOs will have a “unique” audience using ISIS, (perhaps teenagers for example). While vending machines and QSRs would step up to support this demographic, Nordstrom and Shell will not. There will be a reinforcing effect as network focused on delivering value (and retaining) current customers.
  • MNO “leadership”. If you had the CEOs of Verizon, ATT and ISIS in a room and asked “who owns mobile advertising”?.. ISIS would say nothing if both of the other CEOs were in the room.. They want it.. but no one will give it to them as they can’t execute with what they have in this space. Verizon would say “many partners”… MNO preference would be to sell the platform akin to VZ’s $550M search sale to Microsoft in 2009. MNOs don’t want to run a business, they want to sell access (nodes). They’re about to be disintermediated as the “nodes” move from subsidized/locked to Google/Apple.
  • Bank support. All of the top bank issuers have given up on it..  Perhaps their marketing/PR teams will say differently, but the guys running the P&Ls have already written it off.  The token efforts I’ve written about are very focused here.
  • History. Look at every other NFC launch.. ISIS can see it in their own pilot… I was paying with Google wallet at the Duane Reade in front of Penn Station. There were 5 cash registers lined up.. 5 cashiers, one manager overseeing all of them. Manager asked me “is that Google wallet”? I said “yes, but you must see this all the time since NYC was launch market and Goog subsidized all your terminals”. He said “only one I’ve seen for 2 months and I work here every day”. Enough said.

Thoughts appreciated.

– Tom