Secure Element, NFC, HCE, EMV, Tokens and Cards

7 May 2014

This blog is for my non-techie, non payment friends.. helping to make sense of all these acronyms.. experts may want to pass on this one.

The GSMA/NFC community is quite stirred up at the moment. This is quite understandable…  after all they spent 8 years perfecting their vision of NFC only to have it thrown under the bus by Apple and Google. I’m not knowledgeable enough to go into the depths of the protocol, or EMVco 4.3 Book 3. I’m giving the quasi technical business explanation of what is going on. There is room for disagreement here, as there is substantial interpretation, as well as understanding of what is REALLY happening vs the specifications.  Remember this is not my day job… so your comments/corrections are welcome. By far the most useful reference/summary page I have found online is located here http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/

It’s easiest for me to explain all of this in the context of an example. Credit cards are the easiest example as they are in the market today, with a few different implementations of contactless, and they touch the areas above.

EMV

EMVco has a contactless specification which I challenge any non-techie to read. For this short blog, the key point I wanted to make is that the Credit card number (PAN) is given to the POS unencrypted, in the clear. That’s right… don’t believe me? See:

Your next question is probably “Where is the security?” The answer is that along with the card information, the device sends a cryptogram that is uniquely signed. In other words there is a digital payload that rides along with this credit card primary account number (PAN). This digital payload uniquely identifies the device that EMULATED THE CARD. Think about it as someone validating your SIGNATURE on the document with your social security number on it… Your number is there.. but they make sure it is you by validating the signature.

So why is the SIMAlliance extolling the virtues of a Trusted Execution Environment (TEE) and SIM/UICC? After all we seem to live without this capability quite well in the PC world. Mobile operators want the ability to SIGN and AUTHORIZE more than access to mobile towers. That SIM card in your GSM phone signs and authorizes access to the mobile network, much as MNOs envisioned doing for payments. That is how the GSMA’s version of NFC evolved.. “hey we do this for network access.. lets do it for payments”.  To be clear there is nothing technically wrong with the GSMA NFC approach.. it is beautiful… but there are substantial business model issues (see Payments part of the OS).

Apple and Google are both moving aggressively to act as Commerce Orchestrators as handsets become commodities and data moves to the cloud. Enabling the mobile phone to be the key services platform at the confluence of the virtual and physical world is critical. It is not about payment. Authentication is core to this orchestration role.. authentication is not something that can be given away to MNOs or to Banks.

TOKENS

It makes most sense to jump to TOKENS now. You can imagine that Banks don’t exactly like having their card numbers sent in the clear. In fairness they were involved in the specification, but the EMVCo contactless model is essentially a card number plus authentication. There is more than one way to achieve this, and improve on it by hiding the PAN… this is what tokens are (a few examples described in Money 2020: Tokens and Networks, Apple’s Plans and Google/TXVIA).

Tokens are not new (see Tokens… 10 Approaches). However Tokens are now an official EMVCo specification as of March 2014, with the major issue of Token Assurance outstanding. In this token model, the issuer chooses a Token Service Provider (or does it themselves) and creates a number to replace the PAN. This takes your PAN out of the open… and makes it useless. To be used the Token must be presented by the right party, with the right assurance information. All of this aligns VERY WELL to how banks and networks work today, which is why it is so popular (see blog on HCE). In the GSMA NFC model, a cryptogram goes along with a PAN in the clear with the PAN stored in the phone in a secure element. In the token/HCE model a Token representing the card is stored in a less secure space, and presented with device and network information for translation by the TSP to the actual PAN. There are substantial Business Implications of Payment Tokens (blog) which I won’t go through again here, but clearly it cuts the mobile operator out of the “signing” role and they become dumb pipes.

My Gemalto friends will howl at how unsecure this is, or how it won’t work if the device has no network access. They are wrong. It is working today, and is secure enough. There is no connectivity requirement, that software token in the phone can change every 10 seconds, 10 minutes or 10 days. The TSP and Issuer can decide whether or not to accept an “old” token based upon the transaction. In other words the intelligence sits IN THE NETWORK.. NOT IN THE PHONE. This is why V/MA/AMEX love it so much. It cements their position (See Perfect Authentication… A Nightmare for Banks?)
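The token flow described above, as a minimal Python sketch added here (it is not from the original post and is not an EMVCo implementation). The class and function names, the HMAC-SHA256 stand-in for the cryptogram, the age and amount thresholds, and the sample PAN are all assumptions made for illustration; the point it shows is that the vault and the accept/decline decision live at the TSP, not in the phone.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(device_key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """Device side: sign this one transaction with the key held on the phone.

    HMAC-SHA256 is a stand-in chosen for this sketch; it is not the EMV
    cryptogram algorithm.
    """
    message = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Toy TSP: holds the token-to-PAN vault and makes the accept/decline call."""

    def __init__(self, max_age_s: int = 600, stale_amount_limit: int = 2000):
        self.max_age_s = max_age_s                    # assumed freshness window (seconds)
        self.stale_amount_limit = stale_amount_limit  # assumed cap (cents) for old tokens
        self._device_keys = {}  # device_id -> key shared with that device
        self._vault = {}        # token -> [pan, device_id, issued_at, last_counter]

    def enroll_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[device_id] = key
        return key

    def issue_token(self, pan: str, device_id: str, now: int) -> str:
        # Random surrogate with the PAN's length; it carries no PAN digits,
        # so it is useless without the vault lookup below.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
        self._vault[token] = [pan, device_id, now, 0]
        return token

    def detokenize(self, token, device_id, counter, amount_cents, cryptogram, now):
        """Network side: return (pan, reason) on approval, (None, reason) otherwise."""
        record = self._vault.get(token)
        if record is None:
            return None, "unknown token"
        pan, bound_device, issued_at, last_counter = record
        if device_id != bound_device:
            return None, "token not bound to this device"
        expected = make_cryptogram(self._device_keys[device_id], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        if counter <= last_counter:
            return None, "replayed counter"
        # An "old" token is not rejected outright: the decision depends on the
        # transaction, here simply on its amount.
        if now - issued_at > self.max_age_s and amount_cents > self.stale_amount_limit:
            return None, "stale token, amount too high"
        record[3] = counter
        return pan, "approved"


def run_demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed sample PAN, not a real card
    key1 = tsp.enroll_device("phone-1")
    key2 = tsp.enroll_device("phone-2")
    token = tsp.issue_token(pan, "phone-1", now=0)

    def pay(device, key, counter, amount, now):
        cryptogram = make_cryptogram(key, token, counter, amount)
        return tsp.detokenize(token, device, counter, amount, cryptogram, now)

    return {
        "token_differs_from_pan": token != pan,
        "fresh": pay("phone-1", key1, 1, 500, now=10),
        "replay": pay("phone-1", key1, 1, 500, now=11),
        "copied_to_other_device": pay("phone-2", key2, 2, 500, now=12),
        "stale_small": pay("phone-1", key1, 2, 1500, now=5000),
        "stale_large": pay("phone-1", key1, 3, 50000, now=5000),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```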

Host Card Emulation


This is an Android construct (see Software Secure Element – HCE Breaks the MNO NFC Lock) that allows any application to access the NFC Radio. Without Tokens, HCE would be useless for payments, as payment information can’t be securely maintained without an SE. Think of HCE as dependent on tokens: now a card emulation application can be certified to run outside the secure element. I don’t like to put Apple in the HCE boat, as they have a proprietary secure architecture using tokens. This is a uniquely Apple construct where the networks seem to have certified Apple’s card emulation application(s) as well. It is important to note that they use none of the GSMA’s architecture (to my knowledge) and have embedded the TEE in the Apple processor (see Apple Insiders note on Secure Enclave and Authentication in Value Nets).

Secure Element

Is it needed? Certainly it is needed for at least 2 functions: Mobile network access (SIM/UICC) and Biometrics. Fingers and Eyes are very hard to reissue.. so the actual information must be highly protected. Apple is handling biometrics in the A7 Secure Enclave (oddly enough has the same “SE” acronym) and Google is a tad bit behind but handling it in ARM’s TrustZone. TrustZone is largely a hardware construct, and much is made of Gemalto’s marketing announcement here. My view is that there are many more than one software solution for ARM.. and ARM is much more tied to Google and OEMs than Gemalto.

The “big news” here is that both Google and Apple are EMBEDDING SEs in their hardware architecture. Embedded SEs are a threat to Mobile Operators and their preferred Single Wire Protocol architecture. As you can imagine, an embedded SE has all the capabilities of the SE within that micro-SIM card.. and sets up the prospect for a Virtualized SIM (no more of those GSM cards popping into your phone). If the SIM can be virtualized you can switch your network provider anytime you want.. or have them bid for your phone call (see Carriers as dumb pipes?, Who do you Trust?, also see Apple’s patents on Virtualized SIM). To be clear, I believe MNOs can take a leadership position in Emerging markets and payments, but for POS Payments in OECD 20 markets it makes most sense for them to focus on the $5B KYC/Authentication/Fraud opportunity (NOT payments).

OK… now you can shoot me… Open to feedback.

Future of Phones.. Good Enough?


16 Sept 2012

Quote of the week

It’s not clear that NFC is the solution to any current problem…

Apple Senior VP Marketing – Phil Schiller

A few months ago I was in Hong Kong speaking with institutional investors at CLSA’s annual event. One of my more memorable meetings was with James, a chief investment officer with a top 5 investment bank. The heart of the discussion was on the future of telecom. Although I’m not a telecom expert, James was interested in finding “the next killer app” in mobile. Was NFC it?

His investment thesis was that phones are starting to become commodities: screens, LTE connectivity, cameras, battery life, applications, …etc are all reaching a point of good enough. His time with me was spent drilling down into payments and NFC in order to see if I had any new data which would alter his view.  I did not….

What will happen in a world where handset hardware is no longer the basis for competition?  The same thing which occurs to any manufacturing area where a “good” becomes a “commodity”: margins compress for the commodity and migrate to the new area which is basis for differentiation/competition. Yesterday I outlined the implications, and investment opportunities, for the mobile operators.

This week we saw the launch of the iPhone 5.. better, brighter, bigger, lighter, clearer, faster, lasts longer, crisper, sturdier, takes better pictures, more tightly integrated to applications that Apple controls, …etc. A great new product.  An Evolution… not a revolution.  What Apple understands better than almost any consumer product company is: consumer experience matters.  While some handsets already exceed those of  Apple’s iPhone in feature/function (Samsung’s Galaxy S III)…  none can match it on consumer experience. Experience is where Apple is focusing its efforts, and the major shift in iPhone capabilities is NOT in hardware features.. but on orchestrating value in ways it can control.

Apple takes a Clayton Christensen approach to the iPhone: what problems does a customer have, and how do I solve them? For example, I hate typing in my name and address on a little mobile browser to order a good from let’s say Gap.com. Apple’s Passbook will resolve this by allowing Gap to integrate to Passbook to pull all of the “iTunes account” information over.. so I don’t have to fill this out anymore. Apple is moving to solve real consumer problems… It is looking to orchestrate value delivery.. moving the “hub” of coordination from the phone to iCloud.

This is what I refer to as the Stage 4 Value Shift (see April Blog). Theoretically, an open innovation model (ex Google/Android, Java/Oracle, …) should be able to quickly surpass Apple, as 100s of small companies invest larger amounts (cumulatively) in expanding capabilities of a “platform” (see platform leadership). However, Apple has learned its lessons from its Mac days and has defined competition along the lines of “consumer experience”. In this model, it does NOT CARE about interoperability or standards… rather Apple is maniacally focused on delivering value to consumers with usability, reliability, intuitiveness, … being core measures. Apple’s brilliance is multi-faceted, but by defining product focus along the lines of consumer experience, the iPhone’s closed model of innovation can not only effectively compete, but win easily against open systems. In other words, while open systems compete more effectively in a feature/function war.. they lose in the qualitative measures of “experience”.

Apple will obviously monitor the environment for effective new features, to ensure that the core product hardware remains competitive. For example, the real world transaction data for NFC based payments is a complete joke. There are no phones, there are few terminals, and there is no consumer or merchant value proposition. Sure there are exceptions like Japan, but only closed systems with a monopoly leader have proven the ability to push the solution out.

Apple does see a need to improve device-device communication, as well as shrink the hardware footprint. With these drivers, and given the prototypes in market, I fully expect Apple to redefine phone hardware architecture with a new integrated chipset that would encompass functionality of: controller, radios (wi-fi, BT, 14443, …etc), secure element that would also enable the SIM to be virtualized and placed within the SE. If this is indeed Apple’s direction, it will not be a new basis for hardware competition on feature/function, but rather: battery life, footprint and control (ex. virtualized SIM).

Other players also have unique strategies and assets. For example, Google’s strategy: orchestrate value based on consumer data. In assessing investments I look for one key answer: what problems are platforms trying to solve and in what marketplace?

All about Commerce… and Entertainment

My major issue with Apple’s strategy is the degree to which other entities can participate. I see mobile phone revenue streams in 2 major buckets: Commerce and Entertainment.  Entertainment is not a focus for me.. Commerce is. Businesses operating within the retail sector are undergoing fundamental transformation. For 1000s of years, local merchants survived based upon distribution and availability. Today they are left trying to sell a commodity product at a higher price to consumers in a marketplace with near perfect transparency.

What is the role of any intermediary in commerce? Not just in the selling, and purchasing, but in marketing, product selection, distribution, service, support, … What does the new face of retail look like? This is the focus of Amazon… they are the leader here from a “virtual commerce” (e and m) perspective.

As an investor, I believe we will see a massive new wave of companies redesigning retail. Five years ago I had a camera, an iPod, a PDA, GPS, phone, … today I have one device.  What will the bundling (or unbundling) of retail look like? What are the problems to be solved? In the past 15 years mobile has grown up along side of commerce, operating primarily as a replacement to fixed line and then migrating to a replacement for online. We will start to see phones leap into commerce in new ways.. but my firm position is that this leap does not start with payment (the last phase of a commerce) but with marketing (the first phase). Why? Because marketing and retail are fundamentally broken, and Payments is NOT.

It is in this context that I laugh at NFC solutions. My favorite quote on this topic was from the head of strategy of a top 5 retailer:

“Mobile Operators know how to run dumb pipes, not create business platforms for marketing… their current wallet initiatives are akin to a toll bridge, NFC is their toll booth where they stop me before reaching my customer..  to cross their NFC bridge I have to wait in line and when I arrive at the gate they don’t want $0.50 toll.. they want 3.5% of what I’m carrying in my truck, and a copy of the shipping manifest (customers’ names). This model doesn’t work for me. “

Commerce will find another path… one of least resistance … of better “experiences”. This is what Apple is enabling in Passbook, and why Amazon is succeeding in commerce. NFC is just a radio… one whose standards are largely controlled by banks, mobile operators and card networks. Why would retailers want to participate here at all? We should not act to enrich the complexity of payment networks, or wireless ones, but rather form new networks.

Sorry for the typos.. and re-hash of past blogs.. hope it was useful.

Google wins in NFC! No NFC for Apple’s iPhone 5

Make no doubt that NFC will come to iPhone, but it just didn’t make the iPhone 5. This is good news for device fidelity.. and great news for Google. Apple may not be able to recover from this one.

14 March 2011

From UK’s Independent

No NFC for iPhone 5. Too many architecture considerations.. (previous post iPhone Twist) So while their patents clearly indicate NFC is in their plans.. they have not been able to coordinate all of the design into their iPhone 5 program (from hardware through software and apps).

Brian White of Ticonderoga Securities and I have both been predicting NFC, but we are obviously wrong. The coordination necessary to bring about this change is tremendous. Vertical integration has its advantages in quality and control, but centralized control also prohibits distributed decision making. This is where closed platforms fail (Apple).

Just take a look at the NFC patent portfolios of some of the companies aligned to Google/Android (previous post). The Android platform is much more loosely controlled, which provides for distributed innovation and investment.

Make no doubt that NFC will come to iPhone, it just didn’t make the iPhone 5. This is good news for device fidelity.. and great news for Google. Apple may not be able to recover from this one. The iPhone provides tremendous consumer value as a handset and media player. But NFC will be the driving force behind many new value propositions, and investments are being made today.

More to come tomorrow.

OpenNFC – Game Changer

OpenNFC has a tremendous impact on MNO NFC business models. MNOs invested tremendous effort in developing NFC, now they are having their legs taken out from under them by a contactless vendor and the handset manufacturers. For ISIS to succeed they must run much faster and expand scope from a narrow payment pilot (over next 18 months) to building a platform that can compete AND interoperate against Android

24 February 2011

Monday I wrote about Apple’s “NFC Twist” and how a multi SE environment impacted MNO’s NFC business case. From Monday (I hate to quote myself.. but it keeps you from following the link):

The champion of Multi SE architecture is Inside Contactless (OpenNFC).. a very very smart “Judo” move that leverages NXP’s substantial momentum (in integrated NFC/controller/radio) against itself. Inside’s perspective is that there is no reason for the ISO 14443 radio to ONLY be controlled via NFC (treat it like a camera). Inside’s OpenNFC provides for “easily adaptable hardware abstraction software layer, which accounts for a very small percentage of the total stack code, meaning that the Open NFC software stack can be easily leveraged for different NFC chip hardwalet multiple applications and services access it”. Handset manufacturers love this model.. MNOs hate it. As I stated previously, closed systems must develop prior to open systems as investment can only be made where margins and services can be controlled. OpenNFC changes the investment dynamics for MNOs, and provides new incentives for Google/Apple/Microsoft, … to transition their closed systems into NFC platforms.

For Banks, Handset Manufacturers and Startups…

I cannot overstate the importance of this approach. My guess is that Apple, Motorola and RIM are all planning to pursue “OpenNFC”. Multiple applications can now leverage the 14443 radio IN ADDITION TO the MNO controlled (SWP/SE) environment. Applications can then ride “over the top” independent of carrier controlled (TSM Managed) OTA provisioning.

In business terms, what does this mean? ISIS was founded under the assumption that it controlled the radio and all applications accessing it under NFC’s secure element (SE) single wire protocol (SWP). Nothing could use the radio unless the ISIS TSM (Gemalto) provisioned it. Visa, Mastercard, Amex were all looking at a future where the BEST they could do was exist as a sticker on the back of the phone. In the OpenNFC model, the radio can be accessed directly through the handset operating system (assuming the OS integrates to the Inside OpenNFC controller). This provides the ability for applications on Android and iPhone to access the radio. In this model, Mastercard DOES have the ability to get PayPass into the phone. My guess is that one driver of MasterCard’s hiring of Mung-Ki Woo from Orange was his unique perspective on how to make PayPass work within this InsideContactless model.

For ISIS? This is a tremendous impact to their business model. Perhaps something they cannot recover from. MNOs invested tremendous effort in developing NFC, now they are having their legs taken out from under them by a contactless vendor and the handset manufacturers. For ISIS to succeed they must run much faster and expand scope from a narrow payment pilot (over next 18 months) to building a platform that can compete AND interoperate against Android. Yeah.. that big. Their advantage is in control, security and provisioning. Unfortunately, because they have focused on the “control” aspect as the centerpiece of their  business model, they have developed no alliances. In this, ISIS may well follow the failure of Canada’s Enstream. A group that got all of the technology right but failed to develop a sustainable business model.

Start-Ups

Start building to OPEN NFC. Game IS ON. Assume that Android and iPhone will let you access the radio…. For a fee.

For Consumers

CHAOS. What do you do when 5 applications all want to submit your payment.. or read an RFID.. which one do you use? For a view on the mess this will cause, see the Stolpan whitepaper.

I believe this approach benefits Apple much more than Google. Apple’s platform “control” and QA testing will be essential to getting this off the ground. My guess is that Apple will have only ONE NFC payment option.. APPLE PAYMENTS. Perhaps a gatekeeper model where multiple cards can be stored but Apple collects a fee.

Although Apple has an advantage in control, Google has the opportunity to deliver a much better value proposition to consumers, businesses and application developers. I’ll stick by my Axiom that new networks must start as closed systems delivering value to at least 2 parties. But can Apple compete with its Gosplan (USSR State Planning) like controls against open Android?

Background

NFC background for non-techies reading the blog: there have been many, many global pilots of NFC.. but no production rollouts. From my previous blog:

What is NFC? Technically it operates on the same ISO/IEC 14443 (18092) protocol as both RFID and MiFare so how is it different? I’m not going to get into the depth of the technology (see Wikipedia), but the biggest driver was  GSMA/NFC Forum’s technical definition (UICC/SWP) that ENABLED CARRIERS to control the smart card (NFC element). This in turn enabled carriers to create a business model through which they could justify investment (See NFC Forum White Paper).

iPhone 5 – NFC “Twist” (OpenNFC)


Update Mar 14

No NFC for iPhone 5. Too many architecture considerations.. (below). So while their patents clearly indicate it is in their plans.. they have not been able to coordinate all of the design into their iPhone 5 program (from hardware through software and apps).

See article from UK’s Independent

Update Mar 3

Multiple SEs are too complicated for Apple. Think they actually want to control everything and have one wallet with multiple cards. So much for ISIS having a TSM. Verizon/AT&T must be pushing back.. why subsidize the iPhone and let Apple control it? My guess is that JPM and Visa are also Apple launch partners (which further diminishes ISIS value prop). The downside of controlling everything.. is that YOUR TEAM becomes a throttle to success.

Feb 21 2011 (Updated)

Apple is a tremendous company, beyond its design and technical prowess the factor that most impresses me is its unique ability to maintain confidential information. How can such amazing innovation come out of a company that seems to operate as a mix between the CIA and the Hotel California (checkout any time you like… but you can never leave…)?

Last week Brian White of Ticonderoga Securities spoke of Apple’s plans for NFC with a unique twist. So what is the “twist”? My guess is that the TWIST relates to Apple’s plan to support multiple Secure Elements (ie, one embedded, another in UICC). This would allow Apple to “support” MNOs driven initiatives and also create a closed system (described in many patents below).

For background on multi SEs see GSMA whitepaper

The GSMA NFC project recommends the UICC as the most appropriate secure element (SE) in mobile phones. It is foreseen that other secure elements (removable and non removable) may be implemented in mobile phones. As a consequence, applications may be hosted in secure elements other than the UICC. The selection of the secure element hosting the targeted application shall be solved. This case only applies in card emulation mode.

Most NFC pilots have launched with a single application in a simplified environment. The long term future of what NFC really looks like is very, very hazy. Many potential complexities arise, as best described in the Stolpan whitepaper (a EU consortium now largely defunct, an irony in its own right). Apple (or ANY MNO) certainly can’t build a business on this complexity. A multi SE architecture could also provide Apple with a mechanism to address anti-trust challenges on platform fees and openness/control (Washington Post – Apple’s Subscription Model Sparks Antitrust Concerns).  Apple would compete on quality of service and integration, but allow other applications to also “exist” in a separate environment with a different “trust”.

The champion of Multi SE architecture is Inside Contactless (OpenNFC).. a very very smart “Judo” move that leverages NXP’s substantial momentum (in integrated NFC/controller/radio) against itself. Inside’s perspective is that there is no reason for the ISO 14443 radio to ONLY be controlled via NFC (treat it like a camera). Inside’s OpenNFC provides for “easily adaptable hardware abstraction software layer, which accounts for a very small percentage of the total stack code, meaning that the Open NFC software stack can be easily leveraged for different NFC chip hardwalet multiple applications and services access it”. Handset manufacturers love this model.. MNOs hate it. As I stated previously, closed systems must develop prior to open systems as investment can only be made where margins and services can be controlled. OpenNFC changes the investment dynamics for MNOs, and provides new incentives for Google/Apple/Microsoft, … to transition their closed systems into NFC platforms.

Along these lines (Apple AppStore into NFC Platform), I need to correct the assertion I made in my previous blog Apple and NFC.  In it I stated that NFC “control” for Apple was about advertising control (not payment revenue).  What if Apple evolves all of its current applications into a “trusted” (in NFC context) environment, with secure storage and access restrictions (GPS, Alerts, phone, camera, NFC element, payment, advertising, enforced customer anonymity, …)? Apple could also enable this new architecture to support new secure areas for the Mobile operator (or other TSM) to provision secure services, or even an “open area” where the customer can run anything they want.  In this multiple secure element example, Apple would seek to control (and monetize) access to device services and seek to INCENT all providers to run within the APPLE SECURE ENVIRONMENT.. but would provide an alternative (that it does not manage, support or control).

If this is indeed Apple’s plan I will have to update my prognostication on the death of mobile apps (in favor of HTML 5). Particularly for Apps that leverage any of the Apple services I list above. This scenario is consistent with Apple’s  Patent US10200082444 PORTABLE POINT OF PURCHASE USER INTERFACES

[0088] Close range communication may occur through the NFC interface 60. The near field communication (NFC) interface 60 may operate in conjunction with the NFC device 44 to allow for close range communication. The NFC interface 60 may exist as a separate component, may be integrated into another chipset, or may be integrated with the NFC device 44, for example, as part of a system on a chip (SoC). The NFC interface 60 may include one or more protocols, such as the Near Field Communication Interface and Protocols (NFCIP- 1) for communicating with another NFC enabled device. The protocols may be used to adapt the communication speed and to designate one of the connected devices as the initiator device that controls the near field communication. In certain embodiments, the NFC interface 60 may be used to receive information, such as the service set identifier (SSID), channel, and encryption key, used to connect through another communication interface 58, 64, 66, or 68.

[092] … The security features 74 may be particularly useful when transmitting payment information, such as credit card information or bank account information. The security features 74 also may include a secure storage area that may have restricted access. For example, a pin or other verification may need to be provided to access the secure storage area. In certain embodiments, some or all of the preferences 72 may be stored within the secure storage area. Further, security information, such as an authentication key, for communicating with a retail server may be stored within the secure storage area. In certain embodiments, the secure storage area may include a microcontroller embedded within the electronic device 10.

There are 4 market forces at work which may drive a multi-SE approach

  • Protect App Store/iTunes Model
  • Support MNO Models
  • Anti-Trust Concerns
  • Control Platform

Your feedback is welcome

– Tom

Other Information

Mobile Apps will Die

As Google evolves Android into an open mobile platform, the “app” revenue model will evolve as well. Just as with Apple’s Mac experience, it will be difficult for Apple to attract continued investment. Given the tremendous talent at Nokia, MSFT, Google, RIM.. I’m sure they see the analogy to the 1994 example I have provided above. An “open” mobile browser with enhanced features would destroy the Apple ecosystem. App developers would choose “open” first (IF they could monetize their investments).

16 February 2011

Yeah.. thought the headline would make you read this one. This was the theme of yesterday’s WSJ article covering a NYC Mobile Monday Confab. I agree with these young CEOs, as I’m sure would James Gosling, Grady Booch, Marc Andreessen, Alan Kay (and the Xerox PARC team). Most of the readership of this blog are business/payments folks, and probably don’t recognize the names or the technical dynamics at play. The objective of this blog is to give a business perspective on a “death of apps” dynamic as these business execs are the ones who actually fund (and take the risk) on these technical approaches.

Let me start off with 2 stories

Story 1 – 1994

A long, long time ago (1994)…  Netscape launched and gave ability to view basic HTML. The experience was rather dry, with even “drop down” boxes a major accomplishment. There was very little transacting, and the internet looked like one big marketing brochure. Early stage corporate use was limited to “employee directory” kind of functions, and interactive employee applications were built on … wait for it… POWERBUILDER, VisualBasic, or … for the more advanced companies… Smalltalk (an excellent language and my personal favorite). IBMs OS2 Warp was easily winning the enterprise war against Microsoft’s 3.1, a release which required a TCP/IP add on (Win95 came the next year in 1995). 

Enterprises had a desktop mess, applications had to be installed with all of their supporting libraries, on multiple machine types, with multiple operating system versions, hardware versions, most of which conflicted. Fortunately internet browsers began to develop more and more functionality, with scripting and embedded virtual machines of their own. “Light” applications began to migrate to the browser with a significant advantage in cost to deploy and a slight disadvantage in functionality. As browsers and standards further evolved, more applications changed their architecture, attracting more top tier developers. Fat client apps became an ugly legacy (for all but Microsoft’s Office applications).

Lessons learned: multiple proprietary architectures won in “functionality” but lost in cost to develop, cost to deploy and cost to service. Greater investment in a “sub standard” approach enabled faster growth, focus and subsequent adoption. Open architectures allowed multiple parties to create profitable businesses, and further invest.

Story 2 – Fat Mobile Applications

I had a tremendous global team at Citi, quite frankly some of the best and brightest people I have ever worked with at any company. As head of channels for Citi Global Consumer, mobile (outside of the US) was in my domain. Banks are highly driven to reduce cost to serve and acquire. Mobile was (and is) a channel with much experimentation. At Citi I took a look at 6 key mobile initiatives within the last 3 years to look for patterns of success/learnings that could be leveraged. We had developed “fat client” mobile applications in US, Germany, Japan, Mexico, AU as well as SMS based applications in PH, SG, IN, Indonesia, … In every case fat client mobile applications failed.  Why? Technology, user experience, cost to deploy, MNO “support”, …  The testing matrix of handset types, OS types, screen size, OS versions, …. was just not manageable.

Perhaps the biggest learning of all.. is how mobile is viewed by the customer. As my head of mobile in HK (Brian Hui) told me “what is so urgent that the customer can’t wait to get back to their PC”? Customers want speed and simplicity in their mobile interactions. For services like “what is my balance?”, fat clients are not needed. Even today, bank mobile applications are largely a competitive “me too”, as deployment costs to support 3 platforms (RIM, iPhone and Android) are much lower than prior “universal” support attempts. Although the statistics are not widely published, more than 3x as many customers access their bank through a mobile browser than through their bank’s mobile application (not everyone has an iPhone.. imagine that).

Proprietary Closed Systems must go first in NEW markets… then evolve or fail

As I mentioned in my previous blog, history has shown that closed networks form prior to open networks (in almost every circumstance). Closed networks are uniquely capable of managing end-end quality of service and pricing. This enables the single “network owner” to manage risk and investment. How can any company make investment in a network that does not exist, it cannot control, at a price consumers will not pay, with a group that cannot make decisions or execute? Answer: Companies cannot, it is the domain of academics, governments, NGOs and philanthropic organizations.

The principal challenge in evolving a closed business platform is financial. The margins associated with maintaining “control” of a platform are substantial… they are very hard for any company to give up (i.e. Microsoft, Apple, IBM). Just take a look at today’s WSJ regarding Apple’s subscription service plans. Apple wants to take a 30% cut of everything ever sold to its platform… for eternity. Can you imagine Microsoft asking to take a 30% cut of every fee on any item viewed or played on a Windows PC? How do you think Amazon or the music industry feel about this? Every iPhone App developer? It must feel like a Faustian bargain at best.

Apple’s big advantage today is app revenue, as it provides:

  • Terms and Control
  • In App Billing
  • In App Advertising
  • Consumer Payment Management

Yet I digress…. what about fat apps? This is why I like Google’s model, and why it will be so hard to compete against them. As Google evolves Android into an open mobile platform, the “app” revenue model will evolve as well. Just as with Apple’s Mac experience, it will be difficult for Apple to attract continued investment. Given the tremendous talent at Nokia, MSFT, Google, RIM.. I’m sure they see the analogy to the 1994 example I have provided above. An “open” mobile browser with enhanced features would destroy the Apple ecosystem. App developers would choose “open” first (IF they could monetize their investments). Every handset manufacturer and MNO has an incentive to develop and invest in a “kill the app” mobile browser standard to compete with Apple and change the competitive dynamic.

One exception I see is in mobile “secure” applications. In this the GSMA and NFC Forum are absolutely brilliant… they have defined a common standard.. unfortunately the business model to monetize it has not yet developed. They had the right technical team design it.. can they get the right business leaders to make it successful? (see related blog)

Excellent TechCrunch Article on HTML 5  Feb 5, 2011

Nokia’s Opportunity: Building an NFC Ecosystem

8 Feb 2011

Most of you have read Stephen Elop’s scathing internal assessment of Nokia yesterday: “Burning Oil Platform”. Although I will probably get laughed at for this… I’m actually quite high on Nokia. At least the CEO knows there is a fire.. which is the last phase in the Kübler-Ross Five Stages Of Grief (1. Denial and Isolation. 2. Anger. 3. Bargaining. 4. Depression. 5. Acceptance). Now what?

Nokia and Motorola are very similar in many respects. Both have heavy (VERY HEAVY) engineering driven cultures. This engineering excellence has led them to their current market position, and these teams are just tremendous. The downside of the engineering focus is that areas like marketing, sales, and alliances have always taken a seat far in the back of the bus. When handset competition was driven by feature/function this was no issue.. but Apple and Google have changed the nature of handset competition and how consumers perceive value. Beyond the number of apps available to consumers, it is the number of BUSINESSES that are investing in the platform. Google and Apple have created platform ecosystems that enable many businesses to enhance the platform at a pace that a single company can’t match (sorry Apple), in new dimensions (Apps, in app advertising, NFC, … etc.), with new business models (see previous blog).

Elop has the right background to change this, and has a number of opportunities to put Nokia into a position to uniquely compete. My suggested focus: create a platform ecosystem around NFC, with Europe and a few Asian markets (SG, HK, AU) as the launch pad… Find a model where you make Google a partner. Why? It aligns with your core competencies, and your competitors are failing in the NFC platform. Apple is seeking too much control, and Android has poor focus beyond the broken US market. What if Nokia was Google’s key partner outside the US?

For those outside the MNO world, what I’m suggesting is heresy to many in the Nokia Symbian world. It’s like telling the French that they should throw away their dead language and force adoption of English. Elop’s challenge is creating a platform business akin to what he ran at Microsoft. This takes ability to partner…. partnerships mean deciding on WHAT you must focus on. In Smart Phones… where is the competition battle? If it is App Stores, can Nokia get a critical mass of developers writing to its platform as it loses the US market? Where is the revenue opportunity? Is it the handset?

I’m certainly not suggesting that Nokia completely abandon Symbian… but what about providing an option? What if their phones were the only ones that could support multiple OS? Run any application? In the NFC model I’m suggesting, OS should not be the competing factor.. what Nokia needs is other companies investing in its platform. NFC seems to be a key prospect given the trajectories of other efforts.

As an example.. handset manufacturers control the “keys” to NFC’s secure element. Industry insiders guess Apple is planning to keep them from the MNOs.. could Nokia take a more “open route” by creating a global independent TSM… a “java” kind of approach? Today NFC software start ups are locked in by both handset manufacturers and MNOs…. could Nokia leapfrog Apple by enabling companies to invest, and go to market, in NFC?

Nokia is not a dumb contract manufacturer. It is one of the best handset engineering companies in the business. WHAT it is engineering to is the operable question. An OS generic NFC ecosystem approach seems to be supported by over 130 NFC Patents as well (second only to Sony). This NFC Communications World article does a tremendous job outlining Nokia’s NFC Platform business model. Beyond the NFC ecosystem, Nokia is already assuming an equally broad leadership role in LTE, a world where all of your consumer electronics will communicate with each other and your phone. Therefore, I disagree completely with VentureBeat that Microsoft is the partner of choice.. Nokia’s plans should be one that makes OS the commodity.. let the customers and the market decide.

NFC Patent Portfolio

The first challenge for Elop is cultural. As a generalization, Motorola is rather hierarchical and autocratic, where Nokia takes on the Finnish consensus driven management culture. Given that Nokia’s primary asset is people, it is very difficult for Elop to execute a “Steve Jobs” type of vision and command/control without destroying his organization. Is the burning oil platform analogy the first step in building the case for change? I would expect his next announcement to be a big vision… how will the stars in the Finnish company react?

Thoughts appreciated

Visa’s new iPhone App: Is this success?

Visa released a new iPhone app last month. One bank has signed up (US Bank); the rest are holding back (more on this below).

Visa’s iPhone app is available on Apple’s App Store (but not advertised)

www.visa.com/mobile

The application has been a 2 year effort driven by Monitise, and the UI looks very good. However, I’m afraid that Visa’s latest mobile effort is doomed to failure because of “last mile” issues at the POS and issuer data ownership.

From Visa’s website (http://usa.visa.com/personal/using_visa/visa-mobile/faq.html)

Offers: Receive merchant discounts and special offers directly on your iPhone. The offers are stored on your iPhone and can be redeemed at physical merchant retail locations, online, or by telephone …

In-store redemption: Visit the merchant’s physical retail location and show the cashier the offer displayed on your iPhone. The merchant discounts the price in accordance with the offer and you pay for your purchase using your enrolled Visa card.

Great customer experience… click on an offer and “SHOW THE CASHIER” your coupon. My guess is that the cashier will gladly give you the discount with a cash purchase as well.  There is certainly the opportunity for a social network aspect to sharing discounts (think groupon) and location aware mobile advertising.. but the banks are not on board. Why?

  1. Visa makes it clear they can register up to 5 Visa cards. Hence they have 1 Participating Issuer – USBank.
  2. Visa is beginning to use customer data for advertising. Current Visa rules do not provide for them to advertise directly to the customer.. it is the issuer that owns the relationship. Perhaps this is the driver of the marketing announcement.

Visa/BAC in Mobile Pilot

Looks like I was a little premature in the original version of this post. Looks like the pilot may be a field trial for NFC as in the Micro SD form factor.

20 Aug 2010 (update Aug 23)

(update – Was just told that the BAC pilot is NOT using the Monitise application. Wow.. what on earth is going on with the Visa team? They have at least 5 different pilot models.. in a positive light this is market experimentation. I’ll take the blame for being premature, but given that I saw the new application and was told it was July I connected the dots… albeit incorrectly. Bloomberg’s story above is on target and the trial is a field test of the newly certified DeviceFidelity MicroSD. Purpose is to ensure all works as planned from enrollment, activation, OTA provisioning, application usage and NFC payment).

Visa has a number of initiatives surrounding mobile and NFC. Certainly a challenge to get multiple parties aligned to make this happen:

  • Monitise, provider of a new iPhone application
  • Device Fidelity, NFC tech provider which
  • Bank of America (pilot agreement, marketing plans, focus demographic)
  • Advertisers.. currently part of existing visa discount program
  • Apple.. certification of the Moni iPhone application (submitted in June)
  • First Data. Trusted Service Manager (TSM) in the NFC role…
  • … I could go on

This activity represents a major investment by the entire industry team.. (given equity stakes, perhaps Keiretsu is more appropriate).

More to come … this is just a quick update

Chase QuickPay and Quick Deposit

25 July 2010 (Updated 20 Aug)

Chase has a stellar eCommerce and mobile team in both their retail and cards organization, and they are poised to deliver tremendous payment innovation across both of these business units. This innovation has been “in the works” over the last few years, and Jack Stephenson (PayPal’s former head of strategy) is fortunate to have joined at a time where both the payment platform and team are gaining traction. This month the JPM retail team has delivered new capability in its iPhone versions of QuickPay and Quick Deposit products.

QuickPay Overview:

QuickPay is JPM’s money movement “pay anyone” service that provides registration for both Chase and non Chase customers. Chase was very late to the money movement game, rolling out its first QuickPay service in 2008 (whereas Bank of America and Citi have been providing this since 2002 through CashEdge). From a strategy and organizational perspective, JPM is well known for their “preference” to develop applications internally. It may have taken some time for JPM to complete the QuickPay internal build, but in the current release it has surpassed the domestic capability (and usability) of all other banks. JPM is now the leader in retail online payments.

Non-Chase customers can register for QuickPay before or after receiving funds. For non customers, registration for QuickPay is similar to PayPal (or CashEdge’s PopMoney), with the QuickPay wallet currently constrained to a single linked checking account. Chase customers have a streamlined enrollment process and the QuickPay functionality is integrated into their existing online experience (demo above). This differs substantially from BAC, where the same capability to transfer funds exists but the usability is very poor. BAC is missing a substantial opportunity to capture beneficiary phone/e-mail information, an unnecessary miss since the capability exists (BAC is CashEdge’s largest US customer but has not yet signed on with CashEdge’s mobile PopMoney service). Beneficiary information is critical to maintaining an accurate directory.. the key element in any payment system. Chase’s QuickPay maintains e-mail, phone and other information which gives it a head start in the directory battle (subject of future blog). Given Chase Paymentech’s role in acquisition (for card, PayPal, …) you can see potential for further directory synergies internally.

Quick Deposit

The articles above provide a great overview of the new iPhone App, with Chase following in the footsteps of USAA’s Deposit@Mobile. Application is from Mitek Systems and it is just super, and for small merchants this may become the payment method of choice (when compared to card):

Merchant benefits:

  • No transaction costs (savings of 150-350bps)
  • Usability and simplified enrollment
  • Same day availability of funds
  • Fits existing consumer behavior pattern (checks)
  • Legal protections/enforceability (paper checks vs. electronic signature)
  • Instant verification, risk and fraud management
  • Leverages bank imaging systems and processes (regulatory and consumer receipt)
  • Notification/receipt to consumers

JPM Business Case

  • Check imaging (op expense)
  • Small business acquisition (Customer Net Revenue for SME = $3-$5k)
  • NRFF for non-customers (NIM on settlement funds held)
  • Future “directory” business case, cards growth
  • Prevention of DDA Account Number Breach

The JPM Quick Deposit application was reportedly built in-house; other vendors such as EasCorp’s Depozip provide similar functionality. As for the success of this application, NetBanker reported USAA’s recent numbers for Deposit@Mobile. (update 20 Aug, my friends at BAC tell me that they have been trialing the Mitek application for almost 3 years now, fine tuning the app and the support process and are set for launch any day).

Given the audience for this blog (investors, start ups and innovators), you might ask why it takes 2 years for a bank to roll out this type of innovation. An excellent question! The iPhone app itself is the easy part, perhaps consisting of less than 20% of the overall budget. The “hard work” is in integrating it into existing systems and risk controls. For example, the primary value proposition for QuickDeposit is improving check acceptance and funds availability. At the teller line, banks have tools like DepositChek which allow the bank to determine if information on the check is correct and the account is in good standing (stopping check fraud before the check image gets into the system). These same tools must be integrated into the online and mobile process to reduce risk. I’ve picked this particular example because it is a tool unique to bank entities (not available to non-banks). In addition to the technical integration costs, banks have become very prudent in testing, and assessing the impact of new functionality on call center support costs. Given the wide availability of both of these applications, it is essential that they are intuitive to JPM customers.

These applications are a great retail success. I understand that the JPM cards team is also poised for a major release in mobile soon (with multiple alliance partners). Well done JPM!

Enroll for QuickPay – www.chase.com/QuickPay

Overview of Quick Deposit  – www.chase.com/quickdeposit

Thoughts appreciated