Secure Element, NFC, HCE, EMV, Tokens and Cards

7 May 2014

This blog is for my non-techie, non payment friends.. helping to make sense of all these acronyms.. experts may want to pass on this one.

The GSMA/NFC community is quite stirred up at the moment. This is quite understandable…  after all they spent 8 years perfecting their vision of NFC only to have it thrown under the bus by Apple and Google. I’m not knowledgeable enough to go into the depths of the protocol, or EMVco 4.3 Book 3. I’m giving the quasi technical business explanation of what is going on. There is room for disagreement here, as there is substantial interpretation, as well as understanding of what is REALLY happening vs the specifications.  Remember this is not my day job… so your comments/corrections are welcome. By far the most useful reference/summary page I have found online is located here http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/

It’s easiest for me to explain all of this in the context of an example. Credit cards are the easiest example as they are in the market today, with a few different implementations of contactless, and they touch the areas above.

EMV

EMVco has a contactless specification which I challenge any non-techie to read. For this short blog, the key point I wanted to make is that the Credit card number (PAN) is given to the POS unencrypted, in the clear. That’s right… don’t believe me? See:

Your next question is probably “Where is the security?” The answer is that along with the card information, the device sends a cryptogram that is uniquely signed. In other words there is a digital payload that rides along with this credit card primary account number (PAN). This digital payload uniquely identifies the device that EMULATED THE CARD. Think about it as someone validating your SIGNATURE on the document with your social security number on it… Your number is there.. but they make sure it is you by validating the signature.

So why is the SIMAlliance extolling the virtues of a Trusted Execution Environment (TEE) and SIM/UICC? After all we seem to live without this capability quite well in the PC world. Mobile operators want the ability to SIGN and AUTHORIZE more than access to mobile towers. That SIM card in your GSM phone signs and authorizes access to the mobile network, much as MNOs envisioned doing for payments. That is how the GSMA’s version of NFC evolved.. “hey we do this for network access.. lets do it for payments”.  To be clear there is nothing technically wrong with the GSMA NFC approach.. it is beautiful… but there are substantial business model issues (see Payments part of the OS).

Apple and Google are both moving aggressively to act as Commerce Orchestrators as handsets become commodities and data moves to cloud. Enabling the mobile phone to be the key services platform at the confluence of the virtual and physical world is critical. It is not about payment. Authentication is core to this orchestration role.. authentication is not something that can be given away to MNOs or to Banks.

TOKENS

It makes most sense to jump to TOKENS now. You can imagine that Banks don’t exactly like having their card numbers sent in the clear. In fairness they were involved in the specification, but the EMVCo contactless model is essentially a card number plus authentication. There is more than one way to achieve this, and improve on it by hiding the PAN… this is what tokens are (a few examples described in Money 2020: Tokens and Networks, Apple’s Plans and Google/TXVIA).

Tokens are not new (see Tokens… 10 Approaches). However Tokens are now an official EMVCo specification as of March 2014, with the major issue of Token Assurance outstanding. In this token model, the issuer chooses a Token Service Provider (or does it themselves) and creates a number to replace the PAN. This takes your PAN out of the open… and makes it useless. To be used the Token must be presented by the right party, with the right assurance information. All of this aligns VERY WELL to how banks and networks work today, which is why it is so popular (see blog on HCE). In the GSMA NFC model, a cryptogram goes along with a PAN in the clear, with the PAN stored in the phone in a secure element. In the token/HCE model a Token representing the card is stored in a less secure space, and presented with device and network information for translation by the TSP to the actual PAN. There are substantial Business Implications of Payment Tokens (blog) which I won’t go through again here, but clearly it cuts the mobile operator out of the “signing” role and they become dumb pipes.

My Gemalto friends will howl at how unsecure this is, or how it won’t work if the device has no network access. They are wrong. It is working today, and is secure enough. There is no connectivity requirement, that software token in the phone can change every 10 seconds, 10 minutes or 10 days. The TSP and Issuer can decide whether or not to accept an “old” token based upon the transaction. In other words the intelligence sits IN THE NETWORK.. NOT IN THE PHONE. This is why V/MA/AMEX love it so much. It cements their position (See Perfect Authentication… A Nightmare for Banks?)
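The token model described above, sketched as an added example (not code from this blog, from any TSP, or from the EMVCo specification): a toy Token Service Provider that translates a random 16-digit token to the PAN only when the device it was provisioned to presents it, and that decides in the network whether an “old” token is acceptable for the amount. The HMAC cryptogram, the transaction counter, the age limits and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DAY = 24 * 3600


def make_cryptogram(device_key, token, amount_cents, counter):
    """Phone side: MAC over the transaction with the key provisioned to this device."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


@dataclass
class TokenRecord:
    pan: str            # real card number, never leaves the TSP/issuer side
    device_id: str      # device the token was provisioned to
    issued_at: int      # epoch seconds
    last_counter: int = 0


class TokenServiceProvider:
    """Toy TSP: the token is worthless alone; the acceptance decision is made here."""

    def __init__(self, max_age_low=10 * DAY, max_age_high=600, high_value_cents=10_000):
        self._vault = {}        # token -> TokenRecord
        self._device_keys = {}  # device_id -> shared secret
        self.max_age_low = max_age_low      # small purchases tolerate an old token
        self.max_age_high = max_age_high    # large purchases need a fresh one
        self.high_value_cents = high_value_cents

    def enroll_device(self, device_id):
        self._device_keys[device_id] = secrets.token_bytes(32)
        return self._device_keys[device_id]

    def issue_token(self, pan, device_id, now):
        if device_id not in self._device_keys:
            raise KeyError("device not enrolled")
        # Random 16 digits so it fits today's rails; real tokens also use reserved
        # BIN ranges and a Luhn check digit, which this sketch skips.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._vault[token] = TokenRecord(pan, device_id, now)
        return token

    def authorize(self, token, device_id, amount_cents, counter, cryptogram, now):
        rec = self._vault.get(token)
        if rec is None:
            return (False, "unknown token")
        if rec.device_id != device_id:
            return (False, "wrong device")
        expected = make_cryptogram(self._device_keys[device_id], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return (False, "bad cryptogram")
        if counter <= rec.last_counter:
            return (False, "replayed counter")
        limit = self.max_age_high if amount_cents >= self.high_value_cents else self.max_age_low
        if now - rec.issued_at > limit:
            return (False, "token too old for this amount")
        rec.last_counter = counter
        return (True, rec.pan)  # detokenized PAN goes on to the issuer, not the merchant


def demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN
    phone_key = tsp.enroll_device("phone-A")
    thief_key = tsp.enroll_device("phone-B")  # a second device holding a copied token
    t0 = 1_400_000_000
    token = tsp.issue_token(pan, "phone-A", t0)

    def pay(device_id, key, amount, counter, now):
        mac = make_cryptogram(key, token, amount, counter)
        return tsp.authorize(token, device_id, amount, counter, mac, now)

    return {
        "fresh": pay("phone-A", phone_key, 2_500, 1, t0 + 60),
        "copied_token": pay("phone-B", thief_key, 2_500, 1, t0 + 60),
        "spoofed_device_id": pay("phone-A", thief_key, 2_500, 2, t0 + 60),
        "old_token_small": pay("phone-A", phone_key, 2_500, 2, t0 + 3 * DAY),
        "old_token_large": pay("phone-A", phone_key, 50_000, 3, t0 + 3 * DAY),
        "replay": pay("phone-A", phone_key, 2_500, 2, t0 + 3 * DAY + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The phone never contacts the TSP at payment time in this sketch; every decision about device binding, replay and token age is taken on the network side.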

Host Card Emulation

This is an Android construct (see Software Secure Element – HCE Breaks the MNO NFC Lock) that allows any application to access the NFC Radio. Without Tokens, HCE would be useless for payments, as payment information can’t be securely maintained without an SE. Think of HCE as dependent on tokens: now a card emulation application can be certified to run outside the secure element. I don’t like to put Apple in the HCE boat, as they have a proprietary secure architecture using tokens. This is a uniquely Apple construct where the networks seem to have certified Apple’s card emulation application(s) as well. It is important to note that they use none of the GSMA’s architecture (to my knowledge) and have embedded the TEE in the Apple processor (see Apple Insiders note on Secure Enclave and Authentication in Value Nets).

Secure Element

Is it needed? Certainly it is needed for at least 2 functions: Mobile network access (SIM/UICC) and Biometrics. Fingers and Eyes are very hard to reissue.. so the actual information must be highly protected. Apple is handling biometrics in the A7 Secure Enclave (oddly enough has the same “SE” acronym) and Google is a tad bit behind but handling in ARM’s TrustZone. TrustZone is largely a hardware construct, and much is made of Gemalto’s marketing announcement here. My view is that there are many more than one software solution for ARM.. and ARM is much more tied to Google and OEMs than Gemalto.

The “big news” here is that both Google and Apple are EMBEDDING SEs in their hardware architecture. Embedded SEs are a threat to Mobile Operators and their preferred Single Wire Protocol architecture. As you can imagine, an embedded SE has all the capabilities of the SE within that micro-SIM card.. and sets up the prospect for a Virtualized SIM (no more of those GSM cards popping into your phone). If the SIM can be virtualized you can switch your network provider anytime you want.. or have them bid for your phone call ( see Carriers as dumb pipes? , Who do you Trust?, Also see Apples patents on Virtualized SIM). To be clear, I believe MNOs can take a leadership position in Emerging markets and payments, but for POS Payments in OECD 20 markets it makes most sense for them to focus on the $5B KYC/Authentication/Fraud opportunity (NOT payments).

OK… now you can shoot me… Open to feedback.

Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”

28 April 2014

I must get 10 calls a week on Apple/NFC. I’m quite concerned that Apple’s new capability will be completely misunderstood by the press, so I thought I would preempt all the NFC zealots out there with my own tag line.. So far I have a 100% success rate in predicting Apple and NFC (blog). Don’t know if I can keep it up as I read the tea leaves. Let me start with facts, then give you my informed opinion.

Facts

  • There are 2 aspects to NFC: 1) the communication protocol as defined by the NFC Forum (this stays as is), 2) the GSMA’s construct and standards for how NFC can be deployed in a handset (things like TSM, SE, SWP, …). See http://en.wikipedia.org/wiki/Near_field_communication
  • Neither Google, Apple, Merchants nor Bank Issuers are in favor of the GSMA’s NFC platform. This is a fact in my mind… particularly in the US.
  • Host card emulation has created a way for all Android 4.4 and above phones, with an NFC compliant radio, to provide application access to the NFC radio. Phones cannot be certified for 4.4 unless they demonstrate support for HCE. See blog HCE – Now the Preferred Contactless Approach
  • The new card present scheme “Tokenization” was announced Oct 2013 at Money 2020, with the specification out last month (see EMVCO details). See my blog Payment Tokenization.
  • HCE and tokenization play together well. Tokens must be coupled with something else (Device ID, Biometrics, PIN, …). For those that have been MIS informed by Gemalto… there is NO NETWORK connectivity requirement for HCE/Tokens. A token representing a card is in software on the phone. It can be stolen.. but it is a worthless piece of information without the other identity/device information. HCE gets around the EMVCo Contactless encryption requirements.. and operates under the TOKEN specification. But there is much grey area here.. as “acceptance” of token is not clearly defined (including pricing). Thus the only “covered” presentment method from a phone to a POS is through a card emulation application. Token acceptance will be coming later, but “assurance levels” are making this a crazy space (tomorrow’s blog).
  • Update – I see that the smart card alliance has already responded to my blog here. The need for a trusted execution environment.. blah blah blah. Did you know that in an EMV contactless transaction that the PAN is sent in the clear? Yep… the need for the TEE is around signing a cryptogram (to verify where the card came from). Obviously I would much rather hide the PAN in a token, and enhance with phone information than give the PAN in the clear and sign something. There is no need for a TEE in payments, just as I access my bank through my browser on my PC without a TEE.. I can also do so with a phone. arghhh…
  • Tokens align well to banks and payment network dynamics and investment. US Banks had been working on a tokenization initiative for the last 3-4 years in the Clearing House (blog).
  • In both the HCE and Tokenization schemes, the ISSUER IS IN COMPLETE CONTROL of their card. Issuers generate the token, and authorize the transaction. US issuers have their own token infrastructure in place from the TCH initiative (above). I wish I could emphasize this more. With HCE, issuers control which application(s) can present a card.. just as they did within the TSM provisioning model.
  • There are HCE pilots that are live and functional. So much for not being “viable”. The issues are not around technology, but rather validating fraud controls and device ID. Issuers can be up and running with either Mastercard or SimplyTapp in weeks.
  • Perfect authentication and security is a nightmare to Banks.. Banks make money on ability to manage risk. There is no risk in a world of perfect authentication. Or as Ross Anderson says “if you solve for authentication in payments… everything else is just accounting”. See Blog – Perfect Authentication is a Nightmare for Banks.
  • MNO led payment schemes (the GSMA’s platform) are failing in OECD 20 (mature markets), but are leading the way in Emerging Markets. I have seen the transaction numbers… Reasons are multifaceted (see blog for reasons). The technology works.. it is beautiful.. problem is business/consumer value proposition and consumer behavior.
  • Historically, new POS payment instruments and POS payment behaviors are established through frequency of use. There are 3 categories: Grocery, Gas, Transit. Transit is the global success story (Docomo, Suica, Octopus, …)
  • 4 Party Networks have a limited ability to change rules, Issuers dominate in influence. Amex is 3-5 years ahead of every US issuer in terms of capability, strategy and execution.

 

Opinion

  • Apple’s biggest asset is their ability to change consumer behavior (blog).
  • Apple’s iPhone 6 will be coming out in October (my best guess) with payment capability. It will have the capability to communicate in the NFC protocol.. but nothing about the new iPhone will be compliant with the GSMA’s architecture
  • Apple’s new capability is NOT ABOUT PAYMENT, but about Commerce (see blog) as they act as a CONSUMER CHAMPION (see blog).
  • Tokens play very, very well into an iBeacon model. Given that tokens are worthless “keys” that refer to a card.. these keys can be exchanged in the open with BLE. There is no need for near field if the information is worthless.
  • -Update- From my perspective I would not refer to Apple’s efforts as HCE. Where Google’s HCE repurposed an existing chipset to create a new software model, Apple has designed a new hardware model. Apple will be using bank issued tokens. Banks will look at using these delivered tokens in combination with: 1) Apple derived authentication score, or 2) MNO device ID from Payfone, 3) Bank mobile application information, 4) combination of above.
  • Authentication is key to Apple’s role in consumer trust and commerce. Per my blog Authentication in Value Nets, Apple is 3 years ahead of Google and everyone else in integrating software and hardware level security (ex Secure Enclave). Google has a path for a secure execution environment through Arm’s Trustzone, but this is more challenging as Google does not mandate hardware architecture (yet).
  • Apple’s new POS payment method will involve finger print on phone, and token presentment to retailer. It can be transmitted via NFC, BLE, QR Code.. or whatever the merchant and consumer can agree on.
  • How does Apple make money on this? I don’t think they will make money on payment, but rather on #1 Authentication (charging the card issuers for an authentication score), or #2 Marketing (charging merchants for consumer insight/ability to reach consumer).
  • Gemalto continues to cast stones, and miss revenue targets. Mobile Communications revenue of €225mn (-5.7% YoY growth, -1.0% constant currency) came in below consensus of €245mn (2.7% YoY). This is the second consecutive disappointing quarter for Mobile Communications, with revenue down 4% YoY in 4Q13. Why would any MNO invest in a secure vault on an Android handset when any application can go around it? That’s right.. there is no lock on the capability. This tremendously impacts the willingness of MNOs to “invest” in incremental features.. when their “investment” can be used without their permission.
  • What will REALLY impact Gemalto is a VIRTUALIZED SIM. Don’t think this is coming in iPhone 6.. but it is coming (see Virtualized SIM).
  • The next 2 years will see mobile payments as a “1000 flowers blooming”. Top card issuers will extend their mobile banking applications to enable card emulation (BLE, NFC, QR, … whatever).
  • Payment Networks will be working to expand the 16 digit PAN to something much larger to support dynamic tokens. They will be working to transition Cards on File to tokens.. with perhaps a card present value proposition.
  • MNOs will realize that they have a unique ability to create a device ID that competes with Apple’s biometrics. Payfone is the leader in the US, Weve in the UK. Beyond this, they may also begin to realize the $5B KYC opportunity I outlined 5 years ago.

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldom driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog). Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control. The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Feds call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog).   Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me),  MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card, are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

  • an x% interchange reduction
  • Treat as Card Present, and own fraud (can not certify unless acquirer)
  • Access to DATA as permissioned by consumer
  • Share fraudulent account/closed account activity with you to sync

If you:

  • Tokenize (dynamically) every one of our JPM cards on file
  • Pass authentication information
  • Collaborate on Fraud

This is MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

HCE – Now the PREFERRED contactless approach

Feb 19

HCE Gains Official Support from V/MA today

So much for 2 NFC/TSM CEOs telling me that HCE was “not viable”.  I told you Feb was going to be a great month.. and this is not even the tip of the iceberg. As I look at the number of reference links below.. I realize that I’ve been talking about this stuff for far too long. For detail on what HCE is see my November Post HCE Breaks the MNO Lock.

Today’s announcement primarily impacts BANKs. Message to Banks, if you want to test HCE TODAY there are 3 options: Mastercard, SimplyTapp, or Android 4.4 DIY.  Before everyone gets too excited.. the same mobile payment hurdle remains: merchant adoption. Technically HCE looks exactly the same to a payment terminal as NFC and unfortunately it also has same (terrible) business model (everything is a Credit Card .. by Bank design). Credit cards cost 200-500bps (% of sales) vs a flat fee of $0.07-$0.21 for most debit cards.

What does this announcement mean?

  • HCE Token Presentment = Card Present Paypass/Paywave
  • No more TSM, Payment is in the OS, No more dedicated NFC chipsets, and the MNO lock is gone. (Sell Gemalto … losing MCX and NFC in the same week?)
  • Visa/MA prefer HCE to NFC hands down. It allows them to own the tokenization of cards in mobile. HCE actually ALIGNS to bank and network (V/MA) objectives: keep intelligence in network and control with issuers. The Networks ARE the TSMs. Mastercard is 3-5 years ahead of Visa here (with actual pilots). Visa is attempting to make up lost time by creating a more flexible program to support HCE within Visa Ready (Issuer Support). Note “Visa is Developing”.. vs.. call up MA and start the pilot. Visa’s token focus had been on the eCommerce side (V.me), and will have to run hard to play catch up.

  • Android Rules! Cards, Tokens and Door Keys in Apps. Your Citibank mobile app can pay at a contactless terminal, your Starwood App can open hotel room doors. Apps have access to ISO 14443/18092 compliant exchange.. with the support of Android. This is where it will get VERY interesting. Google created HCE based upon the contribution of SimplyTapp’s Software (via GPL). I believe it is a tremendous competitive edge for Android, and I would bet they work to “manage” the deployment of KitKat and approve applications that can leverage it, as they MUST be part of Google’s Authentication/Biometric plans. Why is this better than Apple’s Beacon/BLE approach? Google is a Platform that will allow hundreds of apps to access the radio where they will own security and authentication (open innovation). Apple is a hyper controlled structure where beacons will talk to your phone in defined ways through approved apps (managed innovation). OK this is a bit of simplification, but until Apple actually releases a product don’t complain about it.
  • Tokens, Tokens, Tokens. I could write a book on the interplay here. Much of the V/MA stance evolved from the previous TCH Token Project (see Money 2020 Blog and Business Implications of Tokens). The banks were working to end run Visa and MA on mobile tokenization. Theme is “if there is a number in the phone, why would we [Bank] want it to be a Visa or MA number.. let’s make it OUR OWN number” (ie a Token). After 3+ years the effort floundered and now TCH is left to be the standards body. Visa and MA reacted, most likely because of all my excellent token blogging (not), and together with Amex announced a new shared token approach.

Important. In the mobile context think of tokens as constantly changing card numbers. In the early stage HCE tokens will be 16 digits to support current payment infrastructure, but will evolve in next 2 years to be complex token identifiers much longer than 16 digits. Visa and MA have both developed controls for how this will work, for example having a “token” that refreshes at a given rate based upon where the phone moves and how the phone transacts. A Token could refresh at different rates (10 seconds to 10 weeks) based upon how the user transacts or what part of the world they are in. In this model Token generation is a NETWORK responsibility, which is why V/MA love this model. In the new token schemes, there is opportunity for the “mobile handset” to provide biometric and security information. As I stated before, NFC zealots will HOWL that there is no TSM, or security that a number will be stored in software. But SECURITY has DEGREES.. there is no such thing as 100% non-repudiation. I will leave it a subject to a future blog how ID providers are paid for this service.

History

There may be a few new readers on this blog, so let me recap a brief history of how this came to pass.

NFC is a great technology, with a terrible business model. Developed by carriers in a walled garden strategy, they planned to charge $0.05 every time someone wanted to access a credential (like a credit card) in the “secure vault” within the mobile phone. The secure vault was the Secure Element (SE), with companies like NXP making dedicated chipsets for the function. See Carriers as Dumb Pipes.

Also see

ISIS Platform: Ecosystem or Desert

Apple and Physical Commerce

Network War – Battle of the Cloud Part 4

Controlling Wallets – Battle of the Cloud Part 3

Apple and NFC

Gemalto

Gemalto CEO: We will make “hundreds of millions” from MCX

4 Dec 2013

I had a large institutional investor forward me this article.. it is 60 days old.. but still I spit out my coffee laughing, so be careful.

http://nfctimes.com/news/gemalto-offers-details-mcx-deal-vendor-will-earn-fees-transactions

Gemalto CEO’s assertion that he will make “hundreds of millions” from MCX is a big pile of… um… “optimism”.  Given he is a public company, I can’t imagine how he could possibly give forward looking statements that are so completely and utterly unfounded. Perhaps communication by public companies in Amsterdam is a little more relaxed (a trip to the “coffee shop” with Bob Dylan. I better watch out, or I may be treated like Bob was yesterday see CNN – Bob D Inciting hatred).

Let’s do a little math.

MCX will likely process payments in a decoupled debit model with a net payment cost of $0.05 (plus 10-20bps for fraud). If Gemalto were able to get 10% of $0.05 ($0.005/tran) it would take 20 BILLION transactions to generate $100M in revenue, at $40 per average transaction that would be 800 BILLION in sales. For perspective, total US retail sales are $2.4T (not including restaurants, auto, services, gas). Wow…. Gemalto has quite an “aspirational” view on MCX adoption. I wonder if Gemalto’s CEO knows that the US operates in a competitive free market??

The only possible way to (re) interpret quote is that MCX will make 100M TRANSACTIONS. This means that Gemalto’s revenue from MCX would be $500,000 (at the VERY top end) in Year 5. I hope the institutional investors priced this “cloud” revenue…

I’ve yet to meet any vendor that has not left in tears after working with WalMart. These guys are supply chain Pros.. and no one makes hundreds of millions.. and if you were.. you sure wouldn’t go tell the press about it before your product went live.  Gemalto’s innovation is a pretty QR code.. they are complete idiots if they think that they are the only option for presenting a payment “token” to a POS (see Gemalto QR codes for detail).

12 Party

I own no Gemalto stock, but if I did.. it would be a short position. Their bread and butter businesses are handset SIMs and Credit Card Chips. My view of the world is that dedicated hardware is moving toward software. For instance the SIM card.. most have seen Apple’s plan to virtualize the SIM (see blog). Gemalto’s hopes for NFC are also dashed by things like Host Card Emulation (HCE) and the 12 Party supply chain. See this picture on the right? The 12 parties… ? Well they ALL need to make money.. and I can tell you with great certainty that the NFC suppliers in this market don’t have 2 dimes to rub together on NFC.. everyone is taking a bath. Gemalto represents 2 boxes of the 12 (UICC and TSM).. Twice the risk.. none of the cash. Investors look at it this way.. do you really want to bet on Gemalto over both GOOGLE and APPLE? FUBAR!

What is left for Gemalto? EMV Cards.. They will see a bump in demand over next few years due to US reissuance.. but Gemalto is a commodity supplier here. I see nothing in their future that will help them evolve toward a software model.. MCX revenue projections are complete bull&*^*&^

Gemalto QR Codes.. One Giant Leap _________ ?

10 Jan 2013

NFC is a beautiful technology with uses far beyond payment. In the payment use case however, it is not the technology, but rather a business battle over control and ownership (a 12 Party NFC Supply Chain Mess) which has conspired to create many forces against NFC’s payment success.

As I stated yesterday, latest news is that MCX has chosen QR code based approach from Gemalto (following Starbucks success). My guess is that Gemalto has developed a one time use QR code that is derived from device information (it will change for every transaction… ). You can safely assume that ACH will be the primary funding mechanism (just as in Target’s Redcard and Safeway’s FastForward). The banks had some idea of MCX’s plans and are thus moving aggressively to create a directory service to “protect” customer DDA information via tokenization. My guess is that this protection will come at a price….

Here is my best guess of the transaction flow (assuming the rumor is true).

Registration

  • Customer downloads Gemalto’s wallet
  • Account is created unique to the phone
  • Consumer registers phone, DDA, loyalty cards, backup funding instrument
  • Bank account is validated, consumer risk scored, back up payment instrument run for auth
  • Wallet is activated on first use at a participating merchant after ID is validated

Usage

  • Customer opens wallet at checkout
  • Unique QR code is generated based upon phone information (ex IMEI, time, network, phone #, …)
  • Cashier selects “check” or “loyalty card”
  • QR code is presented to register and scanned. Note MCX merchants are large multi lane merchants with POS development teams.. there will be some work to be done here
  • Authorization – ECR passes QR code to MCX. Example via store controller routed much the same way coupons are done today.
  • MCX validates code, performs fraud screen, authorizes payment (performed by FIS).
  • Individual stores also will be able to leverage code as key for consumer “cloud wallet” access where coupons are stored and redemption is paperless.
  • Coupons are applied
  • Loyalty price/promotions are applied
  • Payment is applied
  • Zero balance
  • Consumer gets electronic receipt and paper one.
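The flow above only guesses that the code is one-time and tied to the phone. The following is an added example, not Gemalto's or MCX's design and not code from the original post, of one common way to get that property: an HMAC over an account id, counter and timestamp under a per-device key provisioned at registration, which the authorizer checks for integrity, freshness and replay. All names, the payload layout and the 60-second window are assumptions; identifiers such as the IMEI or phone number are not secret, so the code is keyed on a provisioned secret instead.

```python
import base64
import hashlib
import hmac

TOKEN_TTL_SECONDS = 60  # assumed validity window for a displayed code


def _tag(device_key: bytes, body: str) -> str:
    """Truncated HMAC-SHA256 over the payload body, URL-safe base64."""
    mac = hmac.new(device_key, body.encode(), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_qr_payload(account_id: str, device_key: bytes, counter: int, now: int) -> str:
    """Wallet side: the string that would be rendered as the QR code."""
    body = f"{account_id}.{counter}.{now}"
    return f"{body}.{_tag(device_key, body)}"


class Validator:
    """Authorizer side (hypothetical): integrity, freshness, then replay."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # account_id -> key set at registration
        self.last_counter = {}          # account_id -> highest counter accepted

    def validate(self, payload: str, now: int) -> str:
        parts = payload.split(".")
        if len(parts) != 4:
            return "malformed"
        account_id, counter_s, ts_s, tag = parts
        key = self.device_keys.get(account_id)
        if key is None:
            return "unknown_account"
        # MAC is checked over the bytes as received, before any parsing.
        body = payload.rsplit(".", 1)[0]
        if not hmac.compare_digest(_tag(key, body).encode(), tag.encode()):
            return "bad_mac"
        try:
            counter, issued_at = int(counter_s), int(ts_s)
        except ValueError:
            return "malformed"
        if abs(now - issued_at) > TOKEN_TTL_SECONDS:
            return "expired"
        # One-time use: a photographed or re-scanned code is rejected.
        if counter <= self.last_counter.get(account_id, -1):
            return "replayed"
        self.last_counter[account_id] = counter
        return "ok"


def demo():
    keys = {"acct-1001": b"constructed-demo-key"}  # constructed sample data
    validator = Validator(keys)
    t0 = 1_400_000_000  # constructed timestamp
    first = issue_qr_payload("acct-1001", keys["acct-1001"], 1, t0)
    stale = issue_qr_payload("acct-1001", keys["acct-1001"], 2, t0)
    wrong_key = issue_qr_payload("acct-1001", b"not-the-registered-key", 3, t0)
    return [
        validator.validate(first, t0 + 5),      # scanned within the window
        validator.validate(first, t0 + 10),     # same code presented again
        validator.validate(stale, t0 + 300),    # presented after the window
        validator.validate(wrong_key, t0 + 5),  # not produced by this device
    ]


if __name__ == "__main__":
    print(demo())
```

The counter check is what makes the code single-use; the timestamp only bounds how long an unscanned code stays valid.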

I like QR codes for their ubiquity and established consumer behavior (thank Starbucks in the US). Stores don’t need to buy any new hardware for this to work, there is a zero cost of issuance, and it will work on a broad spectrum of phones. Development cycles for Store POS software are normally 18 months… so it could be some time before we see something come out.

QR codes may not be rocket science, but NFC has demonstrated the downside of tech heavy solutions. We may not need a $400M F22 when a simple bicycle will do. Carriers face a future as dumb pipes, a future shared by banks, as both work to control their market positions instead of delivering value. MNOs and Banks (in the US) have proven themselves equally incapable of succeeding with new walled garden strategies. Commerce will find the path of least resistance, like a mighty river…

The big challenge for MCX will NOT be in technology, but rather a consumer value proposition. Retailers’ stated goal is to bring death to merchant funded bank card reward programs. What will convince me to part with my Amex card at the POS?… it will need to be something substantial.

Another often asked question is can MCX keep a bunch of fierce competitors working together in the same tent? This approach seems broad enough to insulate MCX from retail competitive forces and align them in fighting a common enemy. Per Sun Tzu “the enemy of my enemy is my friend”. Retailers are looking to turn the tables on the  2% “payment tax” on their business. There is serious enterprise commitment to making MCX work, banks will do well to treat them with respect.

Who will lose in this approach?

  • Payment Terminal Manufacturers
  • Anyone dependent on NFC
  • Existing Payment Networks – Debit Volume primarily (if MCX can create a value proposition)
  • Retail banks. The primary payment relationship is a strong “daily use”… there are many downsides for banks if they lose it.. for example retailers could offer instant credit based upon your history and network reputation.
  • Start ups building case for value around bank cards or payment networks
  • Consumers that want anonymity.

Other Related Blogs

ISIS Delay

My last blog on this subject was only 2 months ago.. Headline was “ISIS has 12 months”.  Rumor this week is that ISIS has 12 months to go TO PILOT (Dec 2012). The driver seems to be the UICC chip that supports the SWP SE (Gemalto’s fault??).  Note that my previous nine party chart did not even consider the UICC.. so here is a revision.. (added UICC, MNO, and POS register)…

How would you like to run an industry consortium that had to coordinate a release and a new technology across 12 different companies!?? Oh.. a few other minor considerations as well:  no compelling customer value proposition and against Google? My favorite question to ask anyone from ISIS is what will the application do for me that my Citi sticker won’t do now?

  • Provision over the air? (Who cares)
  • Turn on/off the card/element? (Who cares I don’t pay for fraudulent charges)
  • Offers? (Who cares.. Citi can tie merchant offers directly to card use.. Clovr Media/Linkable)

There are MANY future functions like eReceipts and Item level coupons.. but these are VERY far off because they require retailer participation.

ISIS is proving that the NFC supply chain is not workable… at least not without a very substantial customer value proposition. A December 2012 delay to a PILOT may well be the death knell for ISIS… how can carriers invest $200M in a team that won’t see production until mid-late 2013?   There is no shortage of parties complaining about Google’s approach.. but by taking control of the spec, the architecture, the handset and “TSM” they have eliminated the complexity and have been able to get something to market… and are improving from there based upon REAL customer feedback. So while ISIS will struggle to get a pilot running by late next year, Google is signing up new retailers every week, improving its applications and gaining market experience.

As I outlined previously, carriers started from a basis of control with the NFC Forum’s technical specification. Obviously, the handset has proven to be a platform of digital/physical convergence. We all see enormous opportunities to re-wire physical commerce with the handset at the core. But today the handset’s “commerce” success is driven by its open nature (apps and connectivity). It is a platform where anyone can build anything within a given set of loose rules (tighter in Apple’s case). In order to attract retailers, advertisers, issuers.. the MNOs had to continue this “open” approach.. but instead have taken one of control. This control approach may have been unintentional as not many organizations have successfully built business platforms (favorite book on topic is Platform Leadership). MNO’s control approach could have also been driven by the desire to securely maintain customer information. Whatever the reason, companies will likely develop approaches (See Square Card Case) that keep information out of the secure element and place it in the cloud. As I related in the Square article.. the success of NFC is far from given.. All that is really needed at the POS is a “key”; that key could be a single number/identifier delivered by NFC, your voice or your iris. Keeping all customer information on the phone is rather stupid. One MNO told me this week.. it’s on the phone in case it doesn’t have connectivity. Well guess what.. stores have the connectivity.. that’s how Visa’s system works.. Stores are not dependent upon the Phone’s connectivity.. but rather their own.

It’s never easy for a Fortune 100 organization to admit that they made the wrong bet. Globally, there is also a very strong inter-carrier commitment to “carrier controlled NFC” work. All it will take is one major carrier to change course and join Google’s camp to bring down a global house of cards that is NFC. My guess is that carrier controlled NFC will find long term traction in public transit and ticketing, perhaps even in government identification… but this is 3+ years out before any substantial (>20%) adoption.

Customers.. you want ISIS mobile payments functionality? Go get a sticker.

MNOs.. do you want ANY part of mCommerce? You better move quickly to partner with someone that can get all of this done. Their dance card may fill up quickly. If you don’t move beyond the “control” approach.. you will be relegated to dumb pipes.. as thousands of businesses work to get around your controls.. Given the Carrier IQ blow up this week, you have no ground for claiming you would manage privacy better than Facebook or Google.

OpenNFC – Game Changer

OpenNFC has a tremendous impact on MNO NFC business models. MNOs invested tremendous effort in developing NFC, now they are having their legs taken out from under them by a contactless vendor and the handset manufacturers. For ISIS to succeed they must run much faster and expand scope from a narrow payment pilot (over next 18 months) to building a platform that can compete AND interoperate against Android

24 February 2011

Monday I wrote about Apple’s “NFC Twist” and how a multi SE environment impacted MNO’s NFC business case. From Monday (I hate to quote myself.. but it keeps you from following the link)

The champion of Multi SE architecture is Inside Contactless (OpenNFC).. a very very smart “Judo” move that leverages NXP’s substantial momentum (in integrated NFC/controller/radio) against itself. Inside’s perspective is that there is no reason for the ISO 14443 radio to ONLY be controlled via NFC (treat it like a camera). Inside’s OpenNFC provides for “easily adaptable hardware abstraction software layer, which accounts for a very small percentage of the total stack code, meaning that the Open NFC software stack can be easily leveraged for different NFC chip hardwalet multiple applications and services access it”. Handset manufacturers love this model.. MNOs hate it. As I stated previously, closed systems must develop prior to open systems as investment can only be made where margins and services can be controlled. OpenNFC changes the investment dynamics for MNOs, and provides new incentives for Google/Apple/Microsoft, … to transition their closed systems into NFC platforms.

For Banks, Handset Manufacturers and Startups…

I cannot understate the importance of this approach.  My guess is that Apple, Motorola and RIM are all planning to pursue “OpenNFC” .  Multiple applications can now leverage the 14443 radio IN ADDITION TO the MNO controlled (SWP/SE) environment. Applications can then ride “over the top” independent of carrier controlled (TSM Managed) OTA provisioning.

In business terms, what does this mean? ISIS was founded under the assumption that it controlled the radio and all applications accessing it under NFCs  secure element (SE)  single wire protocol (SWP). Nothing could use the radio unless the ISIS TSM (Gemalto) provisioned it. Visa, Mastercard, Amex were all looking at a future where the BEST they could do was exist as a sticker on the back of the phone. In the OpenNFC model, the radio can be accessed directly through the handset operating system (assuming the OS integrates to the Inside OpenNFC controller).  This provides the ability for applications on Android and iPhone to access the radio. In this model, Mastercard DOES have the ability to get PayPass into the phone. My guess is that one driver of MasterCard’s hiring of Mung-Ki Woo from Orange was his unique perspective on how to make PayPass work within this InsideContactless model.

For ISIS? This is a tremendous impact to their business model. Perhaps something they cannot recover from. MNOs invested tremendous effort in developing NFC, now they are having their legs taken out from under them by a contactless vendor and the handset manufacturers. For ISIS to succeed they must run much faster and expand scope from a narrow payment pilot (over next 18 months) to building a platform that can compete AND interoperate against Android. Yeah.. that big. Their advantage is in control, security and provisioning. Unfortunately, because they have focused on the “control” aspect as the centerpiece of their  business model, they have developed no alliances. In this, ISIS may well follow the failure of Canada’s Enstream. A group that got all of the technology right but failed to develop a sustainable business model.

Start-Ups

Start building to OPEN NFC. Game IS ON. Assume that Android and iPhone will let you access the radio…. For a fee.

For Consumers

CHAOS. What do you do when 5 applications all want to submit your payment… or read an RFID.. which one do you use? For a view on the mess this will cause, see the Stolpan whitepaper.

I believe this approach benefits Apple much more than Google. Apple’s platform “control” and QA testing will be essential to getting this off the ground. My guess is that Apple will have only ONE NFC payment option.. APPLE PAYMENTS. Perhaps a gatekeeper model where multiple cards can be stored but Apple collects a fee.

Although Apple has an advantage in control, Google has the opportunity to deliver a much better value proposition to consumers, businesses and application developers. I’ll stick by my Axiom that new networks must start as closed systems delivering value to at least 2 parties. But can Apple compete with its Gosplan (USSR State Planning) like controls against open Android?

Background

NFC background for non-techies reading the blog: there have been many, many global pilots of NFC.. but no production rollouts. From my previous blog

What is NFC? Technically it operates on the same ISO/IEC 14443 (18092) protocol as both RFID and MiFare so how is it different? I’m not going to get into the depth of the technology (see Wikipedia), but the biggest driver was  GSMA/NFC Forum’s technical definition (UICC/SWP) that ENABLED CARRIERS to control the smart card (NFC element). This in turn enabled carriers to create a business model through which they could justify investment (See NFC Forum White Paper).

ISIS: Moving payments from Rail to Air

Merchants love the idea of ISIS, as much because of prospective value as the pain it will bring: Visa, MA and Amex. Historically, the card schemes have built up much ill will with merchants due to: interchange, payment system integrity, fraud controls, consumer influence, …etc. Two major issuers inferred that Discover is a failed payment “cash back” card network. I would proffer that their “success” is just delayed, and ISIS is the initiative which will drive transaction and network growth in a model that existing schemes can’t compete with.

9 January 2011

Previous Posts 

It’s the New Year, and I thought it was time to touch on this again (last post 9/10). Quite frankly it’s hard to believe I’ve been writing about this for almost 18 months.. it was AT&T Newco, then Mercury now finally I have a name: ISIS, with a URL www.paywithisis.com (err… same reaction). Over the last 18 months or so I guessed wrong on the consortium around AT&T, it was not Visa, but Discover (See winners/losers blog above) it was also all of the major US MNOs (Sprint was initially involved, but has delayed further participation). Discover makes complete sense, as stated previously a 3 party network is the only one capable of developing a new payment type (with corresponding set of rules and fees). Visa/MA are constrained by existing agreements with card holders, issuers, acquirers. A principal example is Visa’s failure to force a “mandatory” payment type in Visa Money Transfer (VMT).

Top questions I hear today:

1) What is merchant value now that Durbin has pushed back debit to $0.12?

2) Will ISIS work with Mastercard Paypass/Visa Paywave ?

3) Will Phase 1 have a mobile advertising component?

4) What are the economics for a merchant POS “upgrade”?

A common basis for many of these questions is the ISIS value proposition, the entities driving it and their incentives. The high level value proposition is shown below, updated from the previous September version (prior to announcement of Barclays and Discover).

Merchants love the idea of ISIS, as much because of prospective consumer value … as the pain it will bring: Visa, MA and Amex. As one former colleague put it: “Merchants have always loved the idea of instant credit and see value in giving customers the ability to buy regardless of the balance in their account, however merchants don’t buy into paying 1.5% of sales for a debit transaction that was $0.05 with a check”.

Historically, the card schemes have built up much ill will with merchants due to: interchange, payment system integrity, fraud controls, consumer influence, …etc.  Two major issuers inferred that Discover is a failed payment “cash back” card network. I would proffer that their “success” is just delayed, and ISIS is the initiative which will drive transaction and network growth in a model that existing schemes can’t compete with. (See American Banker Article).  I see a $200B-$600B TPV network evolving with Discover at its core. Perhaps this is why JPM is assessing a Discover acquisition.

In addition to Discover, I see 5 other entities capable of driving similar value propositions (in the US): PayPal, Amex, Citi+??, Bank of America/First Data, and Chase/Paymenttech.

From an MNO perspective the value proposition is clear (see previous blog). Payments not only supports their existing value proposition to customers, they have the distribution and incentives (airtime, data rates, discounts, advertising) to change customer behavior.

Question 1: Will ISIS take off in light of Durbin and $0.12 debit?

I interpret this as a merchant question. Certainly merchants want the lowest cost payment type used in purchase. What if merchants were “paid” to take the payment instrument? Merchant borne interchange has historically been the major source of revenue for current card products, is there a model where advertising can replace interchange? Googlization of payments?

ISIS has this potential, but will likely not execute against this element for 2-3 years as it develops the payment infrastructure and customer footprint. This may be an issue for ISIS, as merchants may take a “wait and see” approach before investing in POS terminals. This would obviously impact payment volume as merchant NFC POS terminals are just as important to a payment network as millions of NFC enabled phones. If I were Michael Abbott, I would focus on a few very large merchants and commit to a very low interchange (50bps) to drive POS economics that would then support further network expansion. Perhaps this is why we hear so little of ISIS’ merchant value proposition..

So to answer this question, YES it will still take off. I’ve spoken with 2 Fortune 50 retailers this month and they are very firmly committed to making ISIS successful. They see value extending beyond the payment cost itself. That said, there will not be a “big bang” roll out, but rather geographically focused.

Question 2: Will ISIS work with other Visa/MA?

There are many, many sub-questions here. So let’s start with some facts:

1) Discover Zip is different than ISIS NFC (see Story Here).

Geoff Iddison (MA head of mobile) is quoted in NFC times as saying “The challenge that Isis will have is to re-terminalize all of those merchants to a terminal specification which is proprietary”. This is false, ISIS is not using ZIP. They are 2 different initiatives (see ZIP pilot results). The details are best described in this American Banker Article (Jan 2011).

2) NFC and RFID are both based upon ISO 14443

For further info, see the NFC FAQ. And NFC Ecosystem.

3) Merchant POS terminals support multiple standards today

POS terminal decisions have always been independent of card issuers, except where there have been direct subsidies for a “pilot”. Today, POS terminals support multiple standards (example: VivoPay 8100). Note from a scheme perspective, these POS terminals must be “certified”.

Perhaps this interoperability question should be rephrased to ask if ISIS is constructing any competitive barriers? Does ISIS have unique “standards”? Will ISIS be subsidizing merchant POS terminal? What are the “control” points for ISIS? 

The “real” barrier ISIS is constructing is NOT at the POS, but the handset. Specifically, ISIS has created a multi carrier TSM (serviced by Gemalto). For those unfamiliar with NFC ecosystems, the TSM is the entity that owns the “keys” to the secure applications within your handset. Banks want to be in the position to serve in the TSM role, a “DESIRE” best exemplified in FirstData’s TSM brochure:

Card associations believe they are excellent candidates to fulfill the TSM role, and it makes sense from their perspective. The TSM role would make it much easier for the card associations to support their member financial institutions in the issuance of new payment applications and the expansion of the number of accounts they have. In addition, they already have an infrastructure in place for supporting their card accounts.

Banks will not get this TSM role… at least not for NFC which is embedded within the handsets. In the US market, MNOs subsidize phones and already engage in a device “locking” strategy (GSM phones cannot be used with another carrier). US MNOs plan to leverage ISIS and Gemalto (as TSM) to extend this control model to the secure NFC element. In other words controlling which cards and applications can use the device’s NFC capabilities. Note that this dynamic is very “US” focused, as consumers in most other countries buy their handsets unlocked and will have a “choice” of TSM.

This ISIS TSM construct greatly concerns Visa, MA and the large issuers. In the Visa/MA model, NFC transactions are “premium” and can carry very high interchange (see BestBuy Pilot). Merchants are very reluctant to add NFC POS capability if it will increase costs. Although Retailers don’t have to worry about consumers using PayPass or PayWave in mobile phones (due to TSM constraint above), they may have to contend with NFC stickers, MicroSD cards and unlocked phones with NFC capability.

I have no visibility into ISIS, or retailer, plans here. My guess is that the large retailers (which ISIS is working with) will exclude Visa/MA NFC payment types unless there is an agreement to match interchange. Merchants and ISIS will be emphasizing a new payments brand.. Will merchants allow a Visa PayWave transaction on the same POS? I would imagine that some will, but I would bet that ISIS launch partners will not support PayPass or PayWave. They will tell their customers “sorry … just swipe your card”.

The issuers may contend that agreements in place prohibit discrimination of NFC vs. Card Swipe (retailers beware of this point). I doubt if they will be successful with this argument, given that the merchant is not discriminating but rather accepting a new payment type in a new infrastructure (which the merchant pays for). Durbin also allows merchants to “steer” customers toward preferred payment types.

Question 3 – Mobile Advertising

I have limited visibility here, but it would seem this is not in scope for Phase 1 of ISIS. Michael Abbott has only been in the job for a few months, and I would expect him to be the driver of plans here given his CMO role at GE Money. One interesting tangent will be what role ISIS allows Apple iPhone to take. It is assumed that the ISIS TSM will still manage the secure element, but Apple will manage marketing. See Apple NFC Patent.

Question 4 – POS Economics.

From my perspective, this remains the biggest barrier to adoption (see Federal Reserve Study). Durbin’s reduced debit rates have made a challenging business case even more so. There is a normal refresh rate on POS infrastructure of about 4-6 years. Card networks have typically subsidized POS infrastructure within pilot geographies. It remains to be seen how ISIS will incent merchant participation beyond the marketing value proposition (above).

Summary

Most of you know the story of FedEx Founder Fred Smith, and the college term paper he wrote discussing the market for a next day package delivery service. His professor scoffed at the idea and gave him a “C”. Why would anyone want to ship goods via Air.. and there was no need for a “next day” service. Similarly with ISIS, the banks see no need for an MNO driven payment solution… after all they have all of the technology that ISIS has … and have been doing this for years. The market opportunity for ISIS is in shifting of control away from banks and card networks toward merchants and consumers to deliver a new value proposition that goes beyond payments. The mobile handset has the opportunity to be THE primary device for advertising, content and communication. Payment is only one element, but perhaps the central one as it enables delivery and tracking of incentives necessary for effective advertising.

Will banks / networks be able to adapt their existing payment rails to the ISIS model? It sure is hard for trains to fly.

Where can banks win?  Credit, Risk, Merchant Services, Consumer Preferences, Deposit, Customer Service, … etc.

Thought appreciated