Can I see your ID?

18 March 2015


A major retailer just called me this AM. Theme of conversation is that the industry is creating a “perfect storm” for issuers in acceptance.  While LoopPay is very secure (because of Visa/MA tokens, phone ID, and transaction counters), the existence of a commercial grade mag stripe emulator in the hands of “bad guys” will create a little chaos… particularly when the cashiers think nothing of consumers (or fraudsters) waving their phones at the POS.

While both Visa and Mastercard have set rules that prohibit merchants from asking for IDs in a contactless EMV transaction (EMV), LoopPay (Samsung calls it MST) muddies the waters as it uses the phone to talk to the magnetic reader of the payment terminal. MST transactions are magstripe transactions, for which merchants are (and have always been) allowed to ask for IDs. Merchants can make the case that they have no idea which is which, and they have no way of “prohibiting” either, thus they must assume that every such transaction is something that requires them to validate (signature).

Let me see if I can list the different acceptance methods (looking for input into what I miss)

Acceptance Options


Add to this list Token authority (Tier 1, Tier 2, Visa, Mastercard, TCH, Bank, …) and TSM for GSM style NFC and we have quite a complex mess. The good news is that issuers have control over where their cards are presented.. Problem is that there are many new “exploits” which can be attacked by very well funded fraudsters.

Normally, all of this seems to put pressure to update and lock down your payment terminals. But merchants don’t bear any costs for POS fraud where they have validated signature/ID… it moves to the banks. How can Banks force merchants to lock down terminals? The incentives are very complex.. so complex that it may mean “can I see your ID” happens in every case.  So much for mobile making things easier.

In EMV transactions, issuers are normally in control of when PIN is required.. In mobile  there is no physical payment instrument (card)  for the cashier to validate signature … so when they ask for ID what do they validate against? (ie no embossed card with your name on it). This means issuers will naturally like PIN for mobile. In the US consumers don’t know their PIN (for credit cards)..

This is just too confusing.. let’s just say small issuers will have a very challenging time adapting here, while the big issuers will maintain a substantial advantage. This is the normal course of [big] bank fraud strategy: if a bear comes to your campsite you don’t have to be faster than the bear.. just faster than the slowest fellow camper (small banks).

Google+Softcard Levels Field Against Apple

24 Feb 2014

Well done Google. As predicted last month, Google announced last night that it had acquired “some exciting technology and IP from Softcard”. The price? My guess is around $50-60M, plus multi year revenue share (below). This is a FAR cry from the $3-$4 BILLION that these same Mobile Operators wanted for “NFC RIGHTS” in 2011. Google proposed a rev share back then too.. but MNOs were convinced they could go it alone. After dropping almost a billion in ISIS/Softcard with no future revenue of any kind in sight the drivers of the deal were obvious. Not only did carriers need an exit for their investment, they needed a partnership that gives them a role in the future of mCommerce.

What technology will stay? The SE Keys and the vending machine acceptance terminals.. seriously.. 98% of what ISIS/Softcard was is completely dead. My biggest unknown? I would love to see if Amex Serve could pick up the pre-paid card from Mastercard.. as the banks wanted to beat up my good friend Ed McLaughlin for doing what I still think was one of the best most innovative deals ever (Google pre-paid).

What did Google get? MANDATORY GOOGLE WALLET. That’s right, now EVERY ANDROID phone sold by the carriers will have wallet installed. This addresses a key advantage that Apple has in mandating an iTunes account (with credit card) for activating the iPhone. Apple’s brilliant registration process allowed it to know its customers (ID, card on file) where Android/Google did not. Many analysts believe that this ID/Payment deficiency is THE KEY reason why Apple’s environment is 8x-10x more profitable with less than 20% of the handsets. Now Google can compete in all things which require identity+payment. Not JUST in buying apps/music in Google Play, but in orchestrating commerce and brokering identity. I cannot understate the win here for Google. A brilliant move, and I firmly believe that this was the primary driver of the deal. Don’t look at this as an ApplePay competitive thing, it is about enabling Google to identify every Android holder as a default “opt in” during phone activation (iTunes Account Mandatory = Wallet Account Mandatory).

The Carriers? A partner that will share revenue. Where Apple takes 15bps for itself, my guess is that Google will give that to the MNOs, plus some revenue share for play services. My TOP 2015 prediction was that this would be the year of partnerships.. This is certainly my top new one for the year. MNOs are losing sleep about Apple’s unmatched “walled garden”, no one plays but Apple here. Google is developing an open model and this deal may be the first template for MNO/Platform revenue sharing.

Banks? Google will likely slowly “roll out” of its Google Wallet Card (also see TXVIA blog) which wrapped all other cards in a Mastercard Debit. Banks will be able to sign up for Google Wallet through network agreements just as they do for ApplePay today (at same rates/rules). This will mean that the networks will provision bank cards as tokens, and that Google will also benefit from forthcoming CNP token rules this summer. The primary difference in GW operation is HCE+Tokens (see blog). The Google Wallet model is not dependent on the SE Keys, or SD storage.. but it CAN operate in a non HCE model (from its GW 1.0 lineage).

Payment Networks. BIG WIN. Cards are the de facto standard for everything in mobile. I’m interested to see if the networks recognize (certify) the HCE card emulation application, as of 3 months ago it was still not certified. My belief is that they certify as part of tokenization scheme acceptance. This is a funny side story in itself. Most would ask how Google Wallet could run a non-certified card emulation app. Remember that the ONLY card being emulated was a Google owned Mastercard debit.. just a brilliant workaround. Note that in ApplePay, Apple operates as a tier 1 token requestor in the current ApplePay model, and V/MA/Amex are tier 2 token requestors (see this excellent blog by SimplyTapp). In the Google model Visa and Mastercard will act as both Tier 1 and Tier 2 token requestors.

Big Losers? Samsung. OUCH!! No wonder they had to buy loop. Their new wallet strategy was to have a DUAL NFC/LOOP wallet. Google just got all the SE keys for the Samsung Phones. This means that Samsung’s wallet will only work on new phones.. a rather rough place to start.  Paypal.. with the birth of a new CNP scheme this summer driving ApplePay and Google Wallet beyond Apps to mCom checkout.. Paypal has no future in Mobile…  Except in emerging markets.

More to come.. but wanted to get this out today.

What do Retailers Want in Mobile?

1 Nov 2014

Money2020 is next week, and I’m moderating the ApplePay session on Tuesday at 5pm… hope you guys can come. I’m more than a little sad that I can’t get any retailers up on stage with me. Why? The top 60 retailers are in MCX, and it makes little sense for them to get on stage and tell the world what they are NOT going to do and why. As I’m preparing to leave for Las Vegas tomorrow, was thinking “what could I write about? What unique perspective can I offer?” Well given I can’t get them on stage with me, let me try to articulate the Retailer’s view of the world. My Twitter feed is blowing up as I work to explain why CVS and Rite Aid turned off NFC. Please know I’m only trying to give perspective…

Payment Services are a brokering activity between two entities engaged in commerce. Logically, a broker must have the trust of both parties, and deliver some sort of value in managing the financial risk associated with the transaction.  Within Consumer Retail, Visa and Mastercard evolved from Bank owned exclusive networks of the 1960s (see History) to ubiquitous independent payment networks. Few remember that back in the 1960s, merchants took either Visa or Mastercharge but not both as the Merchant’s acquiring bank could only be a member of one of the networks. For merchants, the value proposition was clear: consumer credit.

Payment networks thus evolved from a closed and focused value proposition, to a settlement “infrastructure”. However the rules and governance process by which many parties (merchant, acquirer, processor, issuer, network, VASP, …etc) participated in defining operation of this “brokering” activity did not evolve. This is the central issue restricting the future growth of Visa and Mastercard. One I believe both are acting on. My firm belief is that rebalancing network rules will unleash a massive new phase of value creation for these networks.

Let me take a quick side bar here..

Network Theory – Openness

As I’ve stated many times, closed networks always precede open networks until scale is reached (Building Networks and “Openness”, 2011). Weak Links (nodal affinity) influences network creation, and there are VERY few open networks which exist in Nature. This is logical as Networks form around a function rendering generic open networks less “efficient” than specialized networks around any given specialized need.

Scale-free distribution (completely open networks) is not always the optimal solution to the requirement of cost efficiency. .. in small world networks, building and maintaining links between network elements requires energy…. [in a world with limited resources] a transition will occur toward a star network [pg 75] where one of a very few mega hubs will dominate the whole system. The star network resembles dictatorships in social networks.

-Weak Links

Networks NATURALLY form around a function and other entities are attracted to this network (affinity) because of the function of both the central orchestrator and the other participants. Open networks (internet/TCPIP, Visa, NASDAQ, … ) succeed where a common infrastructure benefits MANY NETWORKS.

Visa and MasterCard have transitioned to become common network infrastructure, a position FAR MORE valuable than that of a closed credit delivery system. They are a network of networks. However their rule making and governance processes do not match the other open networks listed above (NASDAQ, Internet, …). Most Banks, have also lost their traditional role of “brokering” and risk management (in retail) by creating a card rewards system that encourages card use paid by the merchant. This creates a brokering incentive separate from the commercial transaction… impacting brokering independence.

What do merchants want? A neutral broker!!

A top 5 merchant told me a few months ago “Retailers like Starbucks have proven that we are best placed to deliver value and influence consumer behavior. I don’t want to force my consumers to do anything, but similarly I want networks that let me play on an even field. These next 5 years are going to be complete chaos for consumers. What do we want them to do? Swipe, dip, chip, pin, tap, QR…? We have been planning for EMV for 3 years… am I really supposed to jump to Apple in 4 weeks?”


These guys are good friends of mine, and I think their business vision is well placed. They want a network where they can play on an equal footing. A neutral broker.. or at least one where they can have a seat at the table when rules are set. Will MCX be a massive success? It depends on the consumer value proposition. Are the merchants motivated to work together in creating a neutral broker? Hell yes.

One merchant said it this way “Tom I didn’t think we would ever have someone more difficult to work with than Visa and Mastercard, but I was WRONG. Apple is a nightmare! At least we knew what was coming with Visa and Mastercard, with Apple they don’t talk to us, respond to our letters, or offer any kind of value proposition. Why on earth would I want to let another brand in my store without understanding what it will do for me? They are a great company, with great products, and certainly have a much better approach to data than Google.. but anonymity is NOT a value proposition, in fact Apple makes our efforts to deliver value to the consumer even harder as we have no defined way of using Apple to engage our consumers”. See Brokering Identity – Part 1, ApplePay and Merchants, Digital Transactions ApplePay Issuer Agreement.

Getting a card number from consumer to merchant is NOT innovation. There is just no problem here. My payment friends are already rolling their eyes. Apple does have great security and great ability to manage fraud.. but fraud losses for CP are 3.2 bps. What about store data losses? That is not “fraud”, and certainly a problem for merchants that keep PANs. Tokens do solve this problem… but so does better security, and more intelligent approach to tracking loyalty. Apple must move to create a merchant value proposition, and define how they will help with consumer engagement. I believe Google will far outpace Apple here.

Retail is a zero sum game.. I’m not going to buy MORE gas and groceries.. differentiation is about switching, product selection and pricing on data.. the flux.. once this flux dies.. steady state resumes. Perhaps all iPhone owners will only shop at Whole Foods, but data shows that consumers don’t make decisions this way. In fact payment is not in the top 5 reasons for consumers choosing a new iPhone.

Why are MCX merchants turning off NFC? To give themselves a little breathing room, make Apple create a merchant value proposition (engagement), get a seat at the table in a new network, and help to establish a consumer behavior that works for them too (Most Important Payment Race: Consumer Behavior, Apple’s Platform Strategy: Consumer Champion).

What do Retailers want in Mobile?

Following from my big blog Static Strategies and the Rewiring of Retail.

  • Consumer Engagement
  • Consumer Acquisition
  • Consumer Loyalty
  • Allow Retailer to be in control of data
  • Partners that allow Store’s brand front and center
  • A Partner either IN CONTROL of the consumer experience (Apple/Google) or one that already has massive consumer adoption (ie Facebook).
  • Creating a fantastic customer experience from end-end
  • Ability to manage campaigns, data or your business
  • A Partner that can reach/influence consumers WHERE THEY ARE.. not where you want them to be.
  • Payment..? I guess if that comes too… 

How will this play out?

  • Much has been made of the MCX contract provisions that prohibit participating retailers from allowing other forms of mobile payment. This is just not accurate. Any retailer can choose to turn on NFC, any retailer can sign up for MCX. Can an MCX retailer turn on NFC? Yep.. Large retailers are not participating in ApplePay because Apple has completely failed in a merchant strategy, they have not articulated one, nor have they worked directly with merchants. This is really no different than Apple’s failure to work with Banks. Banks are just fuming over the take it or leave it terms Apple offered to them. Merchants had no terms…
  • Apple will roll out a merchant friendly beacon product, and loyalty product for consumer engagement in next 6-9 months, this will also include a renewed focus on BLE. The product will fall flat until they can create a new merchant organization. Google has 4,000 sales people working with merchants, Apple has around 16… so it is a big task.
  • Apple will ROCK in App payments.. it will be their homerun… I will make a further bet: Apple will WIN in every situation where they can control the consumer experience from beginning to end.
  • Visa and Mastercard are beginning a shift toward the merchant. They may not win the top 60, but Visa has 36M merchants.. that leaves 35,990,940 that will be open to new ideas. These are my biggest personal holdings, and I know both of the CEOs. Everything I’ve written here they know already.
  • Consumer authentication is VERY disruptive to retail and banking. As Ross Anderson said “if you solve for authentication in payments.. everything else is just accounting”. The need for an independent broker and their services are dramatically different if either the consumer or payment can be authenticated (ie cash, bitcoin). Why do you need a payment product at all? Just present the identity to the bank. This is what Sofort/Klarna does… Why not do this? Because the banks have no ability to MONETIZE the transaction (no merchant agreement). There are many better ways to leverage authentication, but no other ways to currently MONETIZE IT (outside card). Perfect Authentication… A Nightmare?
  • Apple is pursuing an “anti-google” approach: keep no data, closed platform, control everything. Google is 2-4 years behind on platform security.. but is catching up. The Google platform is much easier to build in and control (ex HCE), but consumer adoption lags as each Android participant must move consumer to their vision. Apple has successfully delivered security and authentication, but has not laid out a way for many apps to leverage it. Retail is a REALLY big business, with 1000s of specialists. It cannot be throttled by one company.. thus Apple will work fantastically in environment it can control. (sorry to restate).
  • ApplePay and overall contactless adoption will begin with small merchants and infrequent purchases. Most phones have the capability today. MCX will not stop contactless.. but it will impact consumer behavior substantially.

  • Is NFC/Contactless Acceptance required as part of EMV rollout? NO!!  This is the most widely held mis-understanding. While the large terminal manufacturers have no products in their official product list without contactless, the top 60 merchants order bespoke or custom terminals to fit their needs.

iPhone 6 – Apple’s Strategic Opportunity

8 September 2014

We are likely to see much innovation in the iPhone 6, but I suspect there is even more innovation that we won’t see. Purpose of blog today is to help my friends navigate through the coming tsunami of press, to what really matters. What are the things I’m looking for? If you are looking for a list of new iPhone 6 features in this blog.. you will be sadly disappointed.. I’m much more attuned to payments, network strategy, commerce, security/Auth.. admittedly myopic. Note payments stuff is in last paragraph


Don’t get caught up in buzzwords like NFC, payments, tokens, BLE, Secure Enclave. Will it have a new security architecture? Yes, industry leading from hardware through firmware, OS and Apps.. Will the iPhone be able to do payment? Sure… Emulate a hotel door room key? Yep, in fact it could virtualize and emulate any chip card including the GSM SIM. Yet focusing on this stuff is kind of like talking about what the internet could do… can I email my Aunt in Singapore? Buy a book from a seller in Seattle… The key question for investors and start ups in the Valley is: HOW WILL THE iPHONE 6 CHANGE COMMERCE?

Why am I excited about the iPhone 6? It is the dawning of a new age of mobile “platform”. This leads to the obvious question of: what is a platform, and how can anyone lead it? My favorite book on platforms is Platform Leadership: How Intel, Microsoft and Cisco Drive Industry Innovation. The authors provided a great model to assess the 4 Levers of Platform Leadership

  1. Scope of Firm: What is done inside, how they encourage outside investment and focus
  2. Product Technology: Architecture, Interfaces, Modularity, What do they expose to partners?
  3. Relationship with Complementors: Support of Complementors, acting on ecosystem needs, path to consensus and standardization, profitability
  4. Internal Organization: What is the “core”, and how are resources allocated to core activities vs support for partners.

Apple has a massive check mark in #2 (Product Technology), as they are 3-5 years ahead of every handset maker (integrated hardware thru OS and Software). How do we measure this lead? Admittedly technology is a little harder to quantitatively measure than financials and market share, so for the latter: Apple captures 70% of industry profits (from 18% market share), #2 in consumer brand (behind Google), and #1 in retail sales per square ft. Most would agree it’s hard to get to these stratospheric numbers on crappy hardware.

On the technology side, Apple is the only vendor (since RIM) to have developed a secure mobile platform for biometrics, encryption, smart card emulation, …etc. All using a proprietary architecture from A8 Processor, Secure Enclave, OS, Apps and integrated into cloud services. For example, Apple has thrown the GSMA’s NFC under the bus in favor of their own unique design. I think of it this way: RIM started with security in mind and then tried to bolt on a browser and other features consumers wanted beyond secure e-mail. Apple started with the consumer and is now (with the iPhone 6) rolling out the most secure mobile platform in history. I believe Google is 18mo-3yr behind (with ARM/TEE and SE Linux) primarily because they don’t have the same HW control as Apple (see Secure Element, NFC, HCE, EMV, Tokens and Cards).

From a platform perspective the REAL question is Can Apple pull levers 1, 3 and 4?

Platform Leadership

Most all of us know the Microsoft/Intel Story (see reference). WINTEL’s pace of innovation crushed Apple by creating industry standards (ex PCI Bus) and allowing hundreds of companies to specialize on many subcomponents (drives, processors, applications) which further increased performance, decreased price and expanded usage… which in turn drove more investment. Intel’s Architecture Lab (IAL) was centerpiece of this success: an investment in defining and supporting the platform (ex the common infrastructure “bus”) that allowed for specialization and defined interaction (and accelerated Intel’s dominance). No one asked Intel to lead.. they TOOK IT (with great success). Leadership is not creating APIs and taking a 30% cut of revenue, it is recognizing that a business where 100s of companies can succeed is a much bigger business. This is particularly true in Commerce.

In physical commerce, I look at Visa and Mastercard as the best “commerce” platforms. This comment will draw ire from all my merchant friends, but it is factual (total volume processed). The beauty of the V/MA business model is that 1000s of banks invest (and merchants pay) billions of dollars to make this work. They have struck a tremendous balance between bank, consumer, and merchant. They have become the standard for interaction. One that will start to shift significantly toward merchants in next decade (for another blog).

With respect to platforms and mobile, I was in Hong Kong last year constructing scenarios with a major investment bank, with the key question: Where will value flow in mobile once handset hardware is a commodity? (Battery life, processors, screen resolution, are all good enough). What are the FACTORs of competition today? Can someone else change the game? I went through this analysis in my blog on Stage 4 Value Shift.

As we look for where the form of mobile competition may change, it would seem to be outside: hardware, software and network bandwidth. If hardware is good enough, and not the primary factor of competition, it must be software, services or data that will drive competition in the next phase… If platform is decided on software only.. then software platform with most open standard and most users (ANDROID) should dominate as any connected devices (handsets and everything else) have lower cost and more ability to “specialize”, particularly if intelligence is in the network (not the device).  But software is currently not the point of competition either… If not DEVICE software, or hardware, or network connectivity.. then what?


… Orchestration and Trust:  mobile phone transforms into the networked device “bridging” the virtual and physical world then value (and profitability) will shift from platforms executing transactions to coordinating interactions.

Apple’s greatest asset is its ability to change consumer behavior (see blog Apple and Physical Commerce, and Consumer Behavior). Apple’s reputation is well deserved and earned “the hard way” by remaking: phones, music, mice, computers, apps, …etc. Through consistent delivery of value within fantastic hardware delivering great (and fun) consumer experiences they earned trust for their products and brand. The greatest NEW opportunity for Apple is to influence consumers beyond the individual (music/contacts/calendar) and eCommerce (browser, apps) to the real world: Commerce. Apple’s core gap? How will it allow for investment, specialization and define interaction of aligned participants.

Commerce Platform

I’m assuming Apple will get its consistent A+ in hardware, and there will be a bundle of new capabilities in the phone and connected devices (ie iWatch). But commerce is between a consumer and a merchant/manufacturer. What “platform” will exist to assist Merchants? What is Apple’s role in mediating platform (and consumer) with the merchant (beyond the app store)? How will Apple enable 100s of other companies to invest billions of dollars to make its Commerce Platform the centerpiece of value orchestration? Beacons (see Apple iBeacon Payment Experience)?

Google, Amazon, Facebook, all organize millions of businesses, and billions of consumers. Apple is missing the business side… in a BIG way (remember iAd). From a network strategy perspective, Apple has created a consumer focused nodal platform (vs hub centered orchestration). They certainly have the opportunity to create a hub (ie iCloud), but their hardware centric organization may keep this from maturing (Lever 4). Thus Apple is 5 years behind Amazon, Google, Facebook in delivering value to merchants, and orchestrating Commerce. As I stated above, handsets are becoming a commodity, Apple’s new handset will not lead in screen resolution or battery life.. consumers will start to look at the VALUE it provides in connecting to other REAL WORLD businesses.

A January 2001 Harvard Business Review Article: Where Value Lives in a Networked World put it this way:

In more general terms, modern high-speed networks push back-end intelligence and front-end intelligence in two different directions, toward opposite ends of the network. Back-end intelligence becomes embedded into a shared infrastructure at the core of the network (cloud), while front-end intelligence fragments into many different forms at the periphery of the network, where the users are. And since value follows intelligence, the two ends of the network become the major sources of potential profits. The middle of the network gets hollowed out; it becomes a dumb conduit, with little potential for value creation. Moreover, as value diverges, so do companies and competition. …. In a connected world, intelligence becomes fluid and modular. Small units of intelligence float freely like molecules in the ether, coalescing into temporary bundles whenever and wherever necessary to solve problems.

Apple’s strategic opportunity is to orchestrate these information bundles and consumer insight in a way WHICH THE CONSUMER CONTROLS. This was the focus of my previous Apple Strategy Blog: Apple’s Platform Strategy: Consumer Champion.  Unfortunately, it seems that Apple’s management team may be so hardware focused that they are missing this opportunity. Retailers like Nordstrom, Macy’s, CVS, and Starwood will show (tomorrow) how excited they are to work with Apple. But Apple needs a version of Intel’s IAL, that is focused on Retailers, Gimbal and Commerce.  Actually, I believe Apple’s gap here is so large that they must find a way to partner/acquire someone else in this space (not paypal). This is a $100B opportunity, and if Apple doesn’t move on it, it will be left competing on screen resolution, and hyper sensitive affluent consumers seeking data privacy.  (Note to Apple, one of my companies would love to pitch you a few ideas here).

My top strategy questions for tomorrow

  • Does Apple see strategic growth for iPhone as working in real world (Commerce)?
  • What level of investment/support will Apple give to “community”? How (IAL)?
  • Where does Apple “Stop” and partners “stop”
  • Apple’s organization.. anything changing? Is it still H/W dominated?
  • Apple’s phone is no longer differentiated by external features.. so what is different and why is it valuable to consumers? Merchants? (Can Tim articulate)
  • Does Apple see itself as the Consumer data/privacy champion? How do you monetize anonymity?
  • How will retailers work with Apple?
  • How will beacons be supported?

Security, Authentication and Anonymity

The biggest features we will see (IMHO) surround  how Apple is completely reworking the role of authentication and security in the platform (see iPhone 6 Secure Enclave, great article from Networked World). Apple’s proprietary mechanisms for “smart” card emulation (credit card, hotel door key, transit pass) will impact many, many industries (see Authentication in Value Nets).  Apple has ROCKED THE CART substantially with this capability. My guess is that they will demonstrate the obvious tomorrow with contactless card emulation (V/MA/Amex) and security keys (Starwood hotels). The much more sensitive area is virtualizing the GSM SIM. I believe the iPhone 6 is capable of virtualizing the SIM, I have no idea if they will demonstrate the capability.

From a consumer perspective, the big changes will surround Apple’s efforts to limit ad tracking, which will significantly impact advertisers (see Tech Times). I believe there is hidden genius here as they turn themselves into the ultimate consumer protector… both online and in the physical world. They are the gatekeeper and orchestrator… the only entity that can know what a consumer is doing. Question is can anyone else work with Apple (and the consumer) to request that the gate be opened. For example, will Apple be the primary publisher (please send phone ID 187349387 the following message .. and Apple approves).

Payment Stuff

Most of my readers are in this area.. so sorry for saving this till last. I described how payments will work in the new iPhone back in March: Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”. The key innovation in iPhone 6 should be credited to Visa and Mastercard: tokens. No longer will Primary Account Numbers (PANs) be sent in the clear as we have with EMV, and NFC today (I know, hard to believe.. see this blog for background). Now if someone steals your phone.. and breaks Apple’s unbelievable security.. they have a number.. that is COMPLETELY worthless.. they can’t use it anywhere. At time of manufacture and OS load, Apple has loaded 6 tokens: Visa credit, Visa Debit, MA Credit, MA Debit, Amex, China Union Pay, (and perhaps a few backups). These numbers are locked up in the secure enclave, they are 16 digits long and are BINs that processors can route to the appropriate network. The networks operate as TSPs (Token Service Providers) and map the Tokens to the Actual Bins. The primary key for the mapping is Token, plus Token Assurance Information, plus Phone ID. Technically.. every one of us could have the same exact 16 digit token and Visa/MA/Amex could still map the correct card based upon the other unique information.
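A simplified model of the token lookup described above, together with the “tokens, phone ID, and transaction counters” controls credited to LoopPay in the first post, written as an added example (it is not code from this blog or from any payment network). The composite key follows the post’s description; the HMAC cryptogram, the per-device key, and every card number, device ID and name are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (test-style card numbers, not real accounts).
SHARED_TOKEN = "4895370000000001"   # same 16-digit token on both phones
PAN_A = "4111111111111111"
PAN_B = "5555555555554444"
ASSURANCE = "device-bound"          # stand-in for token assurance information


@dataclass
class TokenRecord:
    pan: str                # real account number, held only on the TSP side
    device_key: bytes       # per-device secret provisioned with the token (assumption)
    last_counter: int = 0   # highest transaction counter accepted so far


def make_cryptogram(device_key: bytes, token: str, counter: int) -> bytes:
    """Stand-in for a network cryptogram: HMAC-SHA256 over token and counter."""
    msg = f"{token}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class TokenVault:
    """Toy token service provider keyed on (token, assurance, phone ID)."""

    def __init__(self):
        self._records = {}

    def provision(self, token, assurance, device_id, pan, device_key):
        self._records[(token, assurance, device_id)] = TokenRecord(pan, device_key)

    def detokenize(self, token, assurance, device_id, counter, cryptogram):
        # 1. The token alone is not a key: it must match a known device binding.
        rec = self._records.get((token, assurance, device_id))
        if rec is None:
            return ("DECLINE", "unknown token/device binding")
        # 2. The cryptogram proves the counter came from the provisioned device.
        expected = make_cryptogram(rec.device_key, token, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return ("DECLINE", "bad cryptogram")
        # 3. The counter must move forward, so a captured message cannot be reused.
        if counter <= rec.last_counter:
            return ("DECLINE", "counter replayed")
        rec.last_counter = counter
        return ("APPROVE", rec.pan)


def run_demo():
    vault = TokenVault()
    key_a, key_b = b"device-a-secret", b"device-b-secret"
    vault.provision(SHARED_TOKEN, ASSURANCE, "phone-A", PAN_A, key_a)
    vault.provision(SHARED_TOKEN, ASSURANCE, "phone-B", PAN_B, key_b)

    first_a = make_cryptogram(key_a, SHARED_TOKEN, 1)
    results = {}
    # Two phones, identical token value, different underlying cards.
    results["phone_a"] = vault.detokenize(SHARED_TOKEN, ASSURANCE, "phone-A", 1, first_a)
    results["phone_b"] = vault.detokenize(
        SHARED_TOKEN, ASSURANCE, "phone-B", 1, make_cryptogram(key_b, SHARED_TOKEN, 1))
    # The exact message phone A already sent, presented a second time.
    results["replay"] = vault.detokenize(SHARED_TOKEN, ASSURANCE, "phone-A", 1, first_a)
    # The token presented from a device the vault never provisioned.
    results["token_only"] = vault.detokenize(SHARED_TOKEN, ASSURANCE, "phone-X", 1, first_a)
    # An old cryptogram relabelled with a higher counter.
    results["stale_cryptogram"] = vault.detokenize(SHARED_TOKEN, ASSURANCE, "phone-A", 2, first_a)
    # Phone A's genuine next transaction still goes through.
    results["phone_a_next"] = vault.detokenize(
        SHARED_TOKEN, ASSURANCE, "phone-A", 2, make_cryptogram(key_a, SHARED_TOKEN, 2))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:17} {outcome}")
```

The declines come from the binding, the cryptogram and the counter rather than from secrecy of the 16-digit value, which is why the cryptogram is verified before the counter is advanced.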

My biased view is that the networks emulated what Google (under Osama Bedier) put in place 3 years ago as Google also operates this Token environment within their TXVIA acquisition. The big plus for Google is that the consumer can register any card they want, as Google does not charge the banks anything.

The biggest “surprise” over last 2 months is that Apple has squeezed 15-25bps from the 5-6 participating banks at launch (C, BAC, COF, JPM, Amex and perhaps WFC). The challenge for phone wallet companies has always been there is no economic model for them. Banks know that wallets will not work without cards.. for example Apple has little chance of success if Chase, Citi and Cap One don’t participate. Thus someone must have “blinked” and the others followed. No one wants to be left out of the Apple launch. Thus to participate in the Apple wallet, Issuers will need to cough up the fee to Apple. There are 3000+ issuers in the US.. so this may be a little challenging on the consumer side. I also have firm G2 that BAC, C and possibly WFC will enable debit cards (have no idea how these will be priced).

My G2 tells me that the Issuers refused to give on CNP interchange, so even though Apple has tokens and can sign them with the same assurance information, a “tap” at the POS will have a different rate than an eCommerce/mCommerce CNP transaction. One of my bigger unknowns is how Paypal will play in this launch. I understand Apple is near launch of an “off Apple” eCommerce payment scheme (?EasyPay?).. will Paypal be the merchant acquirer and white label a PayPal like button (pay with “Apple”)?

Strategically, Payments are moving to be part of the Operating System. What does that mean? See blog. My favorite payment quote is from Ross Anderson at a Federal Reserve meeting: “If you solve for Authentication in payments, everything else is just accounting.” This is a key example of how Apple has the potential to completely turn the world of payments upside down. For startups this means that payment is no longer a specialized function. Just as TCP/IP was not in the Windows 95 launch.. and became part of the standard stack.. so are payments with iOS and Android. There will be no more Paypals in the future.. A key WIN for Visa, Mastercard and Amex is that Amazon, Apple, and Google are all of one mind: Let consumers pay the way they want to pay.

Arcane payment stuff. I’m more than a little interested in how Apple will actually get paid beyond the honor system. Card emulation applications have no idea who they presented the card to, or the size of the transaction. Visa/MA/Amex will be able to track transactions, but I don’t know of any formal facility to pay a wallet company within the settlement stream, meaning that the issuers will be cutting the check based upon data that only V/MA and/or the issuer themselves have. So beyond the pure “TSP” role, is there also a role for wallet settlement in the overall V/MA scheme? Optimally, issuers would have one way to register cards for participation in any given wallet; this was a significant flaw in the NFC TSM card provisioning flow. It would be very smart for V/MA to take this on. In other words, a new V/MA process for registering card/token scheme/Assurance information/approved wallet (ex HCE).

Merchant Acceptance

My view is that the MUCH larger problem for Apple is merchant acceptance. As I outlined in Apple Payment Experience, Apple did not want to launch within network contactless specifications, they wanted certification of BLE. Apple presented its solution back in August of 2013 and the issuers went “nuts”.. going to V/MA telling them “You are going to let Apple own the PATENT for how a card goes from phone to merchant.. I thought that was your job”. Thus we see the press release on tokenization in Oct 2013 that came out of nowhere. The networks did not want to fragment acceptance infrastructure and give merchants the opportunity to accept Apple BLE and not NFC.

There will be 2 or more merchants moving from MCX to Apple tomorrow, one rumored is CVS. Of course they could still accept MCX, but rumor is MCX agreement precludes other forms of mobile payment acceptance. Payment acceptance is no peripheral battle to merchants. This is a VERY VERY big deal and I don’t believe Apple understands it at all. Net margin in retail is around 2.6%, so taking a 225bp card is VERY MATERIAL. Retailers tell me that mobile is the #1 thing they think about in strategy, and they are quite confident that they are in the best position to influence consumer adoption and value creation (ala Starbucks). My hope is that Apple can work out its desired BLE experience directly with MCX retailers.. and let the merchant/consumer decide how all this works. See Value Creation and Distributed Innovation, Static Strategies and the Rewiring of Commerce, and Future of Retail.

How will the iPhone 6 Change Commerce?

Remains to be answered pending Apple’s platform support strategy. Where does Apple see its role in value creation? (Or does Apple just see a role in consumer protection?) The Google, Amazon roadmap is much clearer to me.. I don’t want to buy into a hardware company.. hardware is becoming a commodity, value orchestration is the $100B+ opportunity.

This is not a clean wrap up.. but my football game is on and I want to watch it.




Apple iBeacon Payment Experience

14 May 2014

Last week I outlined what was coming out in the iPhone 6 from a capability/payment perspective. Today I will cover my best guess at the user experience, a 50% confidence guess…


First a little about Beacons: Qualcomm is the technology behind Beacons and they just spun out Qualcomm Retail Solutions last week with external investors to form Gimbal. My bet is that Apple was in the mix, as Apple’s iBeacon is the brand and handset side of what QCOM developed and owns. Apple’s iBeacon appears to be dependent upon QCOM license (see Patently Apple). You can see the similarity in Apple’s patented logo with QCOM’s logo.


Think of beacons as proximity devices with context. From QCOM:

Gimbal proximity beacons complement GPS by allowing devices and applications to derive their proximity to beacons at a micro-level not currently afforded by GPS technology on consumer devices. A user’s mobile app can be enabled to look for the beacon’s transmission. When it’s within physical proximity to the beacon and detects it, the app can notify the customer of location-relevant content, promotions, and offers.

Here is a fantastic blog by beekn outlining how beacons operate and the advantages of the QCOM Gimbal platform. Beacons only transmit…they do not listen. Beacons can operate in a private mode where the UUID is dynamic and resolvable only within the Gimbal cloud, be public (Static UUIDs) where any application can read them, or registered as iBeacons (see Gimbals as iBeacons).

Apple Patents

In January, the USPTO published a new Apple patent application: Method to send payment data through various air interfaces without compromising user data (see Patently Apple). PCT/US2013/049622. US20140019367

[0002] Devices located in close proximity to each other can communicate directly using proximity technologies such as Near-Field Communications (NFC), Radio Frequency Identifier (RFID), and the like. These protocols can establish wireless communication links between devices quickly and conveniently, without, for example, performing setup and registration of the devices with a network provider. NFC can be used in electronic transactions, e.g., to securely send order and payment information for online purchases from a purchaser's mobile device to a seller's point of sale (POS) device.
[0003] Currently, payment information such as credit card data in mobile devices is sent directly from a secure element (SE) located in a device such as a mobile phone through proximity interfaces, such as near field communications (NFC), without an associated application processor (AP), such as an application program in the device, accessing the payment information. Preventing the AP from accessing the sensitive payment information is necessary because current payment schemes use real payment information (credit card number, expiration date, etc.) that can be used to make purchases through other means, include online and via the phone, and data in the AP can be intercepted and compromised by rogue applications.
[0004] Thus, there exists a need for a secure method of executing a commercial transaction that is both secure and user friendly.

I believe the patent above describes what Apple is going to market with this October. There are several potential payment experiences depending on the merchant integration and the consumer handset. Specifically, the patent seems to be written broadly enough that NFC is NOT a requirement for the “secure commercial transaction” referred to as the second secure link. As I stated in Payment via BLE/Beacons will Still Happen, the issues are around:

  1. Issuer certification of tokens
  2. Bluetooth as the transport in the new EMVCo spec
  3. Who will provide token assurance information, how they will be compensated, and to what degree interchange will be discounted
  4. Treatment of token in Card Not Present (interchange)
  5. Merchant adoption of NFC, Beacons and BLE

In the scenario of a new BLE capable point of sale, with a “second secure link” operating as BLE with the POS there is no need for a payment terminal at all.. and all iPhones with Bluetooth could interact directly with the POS (think Micros/Starbucks). Here is my short list of customer experience use cases

apple ibeacon options

Optimal Payment Experience

Here is my best guess and what Apple would like to have happen:

Set up

  • Consumer has BLE capable phone
  • Consumer enables Apple wallet and permissions payment with physical merchant
  • Banks have loaded tokens into Apple wallet for each registered card (see blog)
  • Merchant installs iBeacons near multi lane checkout, and registers location with apple merchant application. Another option would be to allow payment terminals to broadcast MID/TID beacons.
  • Merchant installs POS Bluetooth capability to receive consumer identifier and send total amount due, as well as eReceipt.
  • Merchant payment terminals are upgraded to receive tokens through Bluetooth or other “Air Interface”


  1. Consumer walks up to cash register, beacons determine close proximity and wake up Apple payment application
  2. Consumer preferences are checked and approved merchants receive apple identifier, consumer loyalty card information, applicable discounts/coupons to the point of sale
  3. Merchant scans goods for purchase and processes loyalty, coupon, discount information
  4. Merchant POS (or payment terminal) sends total amount due to consumer phone directly via BLE based upon apple identifier
  5. Consumer receives notice on phone “Pay $100 to Merchant? Please confirm with fingerprint”
  6. Consumer validates transaction with fingerprint biometric
  7. Phone submits Card token to Payment Terminal via Bluetooth (not happening in October.. it will be NFC)
  8. Merchant processor routes token to payment network which translates and routes to bank for authorization
  9. Payment is authorized (as happens today).

October Launch Experience

Since Banks won’t support tokens over Bluetooth, Apple is stuck with NFC. The process is very similar to above, but my guess is that merchants will not be prepared to support the exchange of consumer information.. so it is iBeacon plus NFC only.

  1. Consumer walks up to cash register, a payment terminal beacon informs the Apple payment application that it is in close proximity to payment terminal ID xxxxx (TID),
  2. Merchant scans goods for purchase. No mobile processing of loyalty, coupon, discount information
  3. Merchant payment terminal cannot send total amount due since it does not have Apple handset information/UUID. So how will Apple do it? My guess is Apple will provide UUID to the Payment Terminal via BLE at application wake up to perform a “lite” checkin with payment terminal. Good news is that there would be no data connectivity requirements, but it requires a new payment terminal… For everyone else.. there is no total amount due (99% at launch).
  4. Legacy NFC. At application wake up,  phone asks “pay merchant with Apple wallet”?
  5. Consumer validates transaction with fingerprint biometric
  6. Consumer taps phone (NFC) and Card token is presented to Payment Terminal via NFC. Merchant processor routes token to payment network, which translates and routes to bank for authorization
  7. Payment is authorized (as happens today).

Apple’s biggest challenges?

  1. Merchant NFC adoption. Much of it is caught up in the fact that there are no debit cards in the mobile wallets (see blog Forces against NFC)
  2. Merchant adoption of Beacons and new payment terminals. No wonder Verifone is excited.. big merchants know this can all work without ANY payment terminal.. this is the big leap. The decision on payment terminal is now just nuts. EMV, EMV+PIN, EMV + PIN + BEACON, EMV+ PIN + BEACON + BLE…
  3. No business case for Apple in payments. Perhaps one of the reasons they are struggling to get an exec to lead this over there. Apple’s product people should ensure that their Treasury guys aren’t going to kill this thing. Banks know if consumers can’t choose their payment product that wallets will die. Apple should be focused on getting every single one of their 800M cards on file into the wallet, and ensuring the debit cards are added. This is key to making this work
  4. Organizational. No one leading
  5. Bank certification of Tokens in a Bluetooth transfer
  6. Token assurance information
  7. Merchant POS integration (see the optimal example above)


That is how I see it… comments welcome

Another good article on the overall Beacon/Retail Experience.

Secure Element, NFC, HCE, EMV, Tokens and Cards

7 May 2014

This blog is for my non-techie, non payment friends.. helping to make sense of all these acronyms.. experts may want to pass on this one.

The GSMA/NFC community is quite stirred up at the moment. This is quite understandable…  after all they spent 8 years perfecting their vision of NFC only to have it thrown under the bus by Apple and Google. I’m not knowledgeable enough to go into the depths of the protocol, or EMVco 4.3 Book 3. I’m giving the quasi technical business explanation of what is going on. There is room for disagreement here, as there is substantial interpretation, as well as understanding of what is REALLY happening vs the specifications.  Remember this is not my day job… so your comments/corrections are welcome. By far the most useful reference/summary page I have found online is located here

It’s easiest for me to explain all of this in the context of an example. Credit cards are the easiest example, as they are in the market today with a few different implementations of contactless, and they touch the areas above.


EMVco has a contactless specification which I challenge any non-techie to read. For this short blog, the key point I wanted to make is that the Credit card number (PAN) is given to the POS unencrypted, in the clear. That’s right… don’t believe me? See:

Your next question is probably “Where is the security?” The answer is that along with the card information, the device sends a cryptogram that is uniquely signed. In other words, there is a digital payload that rides along with this credit card primary account number (PAN). This digital payload uniquely identifies the device that EMULATED THE CARD. Think about it as someone validating your SIGNATURE on the document with your social security number on it… Your number is there.. but they make sure it is you by validating the signature.
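The issuer-side check behind that signature analogy, as an added example that is not from the EMVCo specification or the original post: the PAN travels in the clear, and the issuer approves only when the accompanying cryptogram verifies and the transaction counter has moved forward. HMAC-SHA256 stands in for the real cryptogram algorithm, and the key, PAN, nonce and message layout are constructed assumptions.

```python
"""PAN in the clear, authenticated by a per-transaction cryptogram.

Added illustration. HMAC-SHA256 stands in for the card's real
cryptogram algorithm; key, PAN and message layout are constructed.
"""
import hashlib
import hmac
from typing import Dict, List


def make_cryptogram(card_key: bytes, pan: str, amount_cents: int,
                    terminal_nonce: bytes, counter: int) -> bytes:
    """What the card-emulating device computes for one transaction."""
    message = b"|".join([
        pan.encode(),
        str(amount_cents).encode(),
        terminal_nonce.hex().encode(),   # unpredictable value from the terminal
        str(counter).encode(),           # device-side transaction counter
    ])
    return hmac.new(card_key, message, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self._keys[pan] = card_key
        self._last_counter[pan] = 0

    def authorize(self, pan: str, amount_cents: int, terminal_nonce: bytes,
                  counter: int, cryptogram: bytes) -> str:
        card_key = self._keys.get(pan)
        if card_key is None:
            return "declined: unknown card"
        expected = make_cryptogram(card_key, pan, amount_cents,
                                   terminal_nonce, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if counter <= self._last_counter[pan]:
            return "declined: counter already used"
        self._last_counter[pan] = counter
        return "approved"


def run_demo() -> List[str]:
    pan = "4111111111111111"                    # constructed test PAN
    key = b"constructed-card-key"               # shared by device and issuer
    nonce = bytes.fromhex("a1b2c3d4")           # constructed terminal nonce
    issuer = Issuer()
    issuer.enroll(pan, key)

    genuine = make_cryptogram(key, pan, 10_000, nonce, counter=1)
    return [
        # 1. The real device pays $100.00.
        issuer.authorize(pan, 10_000, nonce, 1, genuine),
        # 2. The identical message is presented a second time.
        issuer.authorize(pan, 10_000, nonce, 1, genuine),
        # 3. Same cryptogram, but the amount was changed in transit.
        issuer.authorize(pan, 99_000, nonce, 1, genuine),
        # 4. Only the PAN is known; the cryptogram is a guess.
        issuer.authorize(pan, 10_000, nonce, 2, bytes(8)),
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```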

So why is the SIMAlliance extolling the virtues of a Trusted Execution Environment (TEE) and SIM/UICC? After all, we seem to live without this capability quite well in the PC world. Mobile operators want the ability to SIGN and AUTHORIZE more than access to mobile towers. That SIM card in your GSM phone signs and authorizes access to the mobile network, much as MNOs envisioned doing for payments. That is how the GSMA’s version of NFC evolved.. “hey we do this for network access.. let’s do it for payments”. To be clear, there is nothing technically wrong with the GSMA NFC approach.. it is beautiful… but there are substantial business model issues (see Payments part of the OS).

Apple and Google are both moving aggressively to act as Commerce Orchestrators as handsets become commodities and data moves to cloud. Enabling the mobile phone to be the key services platform at the confluence of the virtual and physical world is critical. It is not about payment. Authentication is core to this orchestration role.. authentication is not something that can be given away to MNOs or to Banks.


It makes most sense to jump to TOKENS now. You can imagine that Banks don’t exactly like having their card numbers sent in the clear. In fairness they were involved in the specification, but the EMVCo contactless model is essentially a card number plus authentication. There is more than one way to achieve this, and improve on it by hiding the PAN… this is what tokens are (a few examples described in Money 2020: Tokens and Networks, Apple’s Plans and Google/TXVIA).

Tokens are not new (see Tokens… 10 Approaches). However, Tokens are now an official EMVCo specification as of March 2014, with the major issue of Token Assurance outstanding. In this token model, the issuer chooses a Token Service Provider (or does it themselves) and creates a number to replace the PAN. This takes your PAN out of the open… and makes it useless. To be used, the Token must be presented by the right party, with the right assurance information. All of this aligns VERY WELL to how banks and networks work today, which is why it is so popular (see blog on HCE). In the GSMA NFC model, a cryptogram goes along with a PAN in the clear, with the PAN stored in the phone in a secure element. In the token/HCE model a Token representing the card is stored in a less secure space, and presented with device and network information for translation by the TSP to the actual PAN. There are substantial Business Implications of Payment Tokens (blog) which I won’t go through again here, but clearly it cuts the mobile operator out of the “signing” role and they become dumb pipes.

My Gemalto friends will howl at how unsecure this is, or how it won’t work if the device has no network access. They are wrong. It is working today, and is secure enough. There is no connectivity requirement, that software token in the phone can change every 10 seconds, 10 minutes or 10 days. The TSP and Issuer can decide whether or not to accept an “old” token based upon the transaction. In other words the intelligence sits IN THE NETWORK.. NOT IN THE PHONE. This is why V/MA/AMEX love it so much. It cements their position (See Perfect Authentication… A Nightmare for Banks?)
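One way a token could rotate on the phone with no connectivity while the accept-or-decline decision stays in the network, as an added example that is not the networks' or any vendor's actual scheme: the token is derived from a provisioned seed and the current time window, and the TSP tolerates an older token only for smaller amounts. The derivation, the 10-minute window, the age limits and the seed are assumptions; real tokens would also need a routable BIN.

```python
"""Rotating software token, validated by network-side policy.

Added illustration; the derivation (HMAC over a time window), the
10-minute interval and the age limits are assumptions.
"""
import hashlib
import hmac
from typing import Optional

WINDOW_SECONDS = 600   # token changes every 10 minutes
# (amount ceiling in cents, oldest token age accepted, in windows)
AGE_POLICY = [(2_500, 144), (10_000, 6)]
DEFAULT_MAX_AGE = 1    # larger amounts need a near-fresh token

DEMO_SEED = b"constructed-seed-shared-at-provisioning"
DEMO_T0 = 1_400_000_000   # constructed phone clock (Unix seconds)


def derive_token(seed: bytes, window: int) -> str:
    """16-digit token for one time window; needs no network access."""
    digest = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10**16
    return f"{number:016d}"


def phone_token(seed: bytes, phone_clock: int) -> str:
    """Phone side: compute the current token offline."""
    return derive_token(seed, phone_clock // WINDOW_SECONDS)


def token_age(seed: bytes, token: str, now: int,
              search_limit: int = 144) -> Optional[int]:
    """TSP side: how many windows old is this token, if it is ours at all?"""
    current = now // WINDOW_SECONDS
    for age in range(search_limit + 1):
        if current - age < 0:
            break
        if hmac.compare_digest(derive_token(seed, current - age), token):
            return age
    return None


def max_age_for(amount_cents: int) -> int:
    for ceiling, max_age in AGE_POLICY:
        if amount_cents <= ceiling:
            return max_age
    return DEFAULT_MAX_AGE


def tsp_decide(seed: bytes, token: str, amount_cents: int, now: int) -> str:
    """The policy decision lives in the network, not in the phone."""
    age = token_age(seed, token, now)
    if age is None:
        return "decline: token not recognised"
    if age > max_age_for(amount_cents):
        return "decline: token too old for this amount"
    return "approve"


if __name__ == "__main__":
    token = phone_token(DEMO_SEED, DEMO_T0)   # generated while offline
    later = DEMO_T0 + 3 * WINDOW_SECONDS      # presented 30 minutes later
    for amount in (500, 8_000, 50_000):
        print(amount, tsp_decide(DEMO_SEED, token, amount, later))
```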

Host Card Emulation


This is an Android construct (see Software Secure Element – HCE Breaks the MNO NFC Lock) that allows any application to access the NFC Radio. Without Tokens, HCE would be useless for payments, as payment information can’t be securely maintained without an SE. Think of HCE as dependent on tokens: now a card emulation application can be certified to run outside the secure element. I don’t like to put Apple in the HCE boat, as they have a proprietary secure architecture using tokens. This is a uniquely Apple construct where the networks seem to have certified Apple’s card emulation application(s) as well. It is important to note that they use none of the GSMA’s architecture (to my knowledge) and have embedded the TEE in the Apple processor (see Apple Insider’s note on Secure Enclave and Authentication in Value Nets).

Secure Element

Is it needed? Certainly it is needed for at least 2 functions: Mobile network access (SIM/UICC) and Biometrics. Fingers and Eyes are very hard to reissue.. so the actual information must be highly protected. Apple is handling biometrics in the A7 Secure Enclave (oddly enough has the same “SE” acronym) and Google is a tad bit behind but handling in ARM’s TrustZone. TrustZone is largely a hardware construct, and much is made of Gemalto’s marketing announcement here. My view is that there is more than one software solution for ARM.. and ARM is much more tied to Google and OEMs than Gemalto.

The “big news” here is that both Google and Apple are EMBEDDING SEs in their hardware architecture. Embedded SEs are a threat to Mobile Operators and their preferred Single Wire Protocol architecture. As you can imagine, an embedded SE has all the capabilities of the SE within that micro-SIM card.. and sets up the prospect for a Virtualized SIM (no more of those GSM cards popping into your phone). If the SIM can be virtualized you can switch your network provider anytime you want.. or have them bid for your phone call (see Carriers as dumb pipes?, Who do you Trust?; also see Apple’s patents on Virtualized SIM). To be clear, I believe MNOs can take a leadership position in Emerging markets and payments, but for POS Payments in OECD 20 markets it makes most sense for them to focus on the $5B KYC/Authentication/Fraud opportunity (NOT payments).

OK… now you can shoot me… Open to feedback.



iPhone 6 – Payment Predictions

30 April 2014

I’m on a roll, so thought I would put this out there as a positive prediction (vs describing how Apple is Throwing GSMA’s NFC under the Bus). My views are as much informed from the “negative” as the positive. For example, my starting hypothesis is Apple will enable a POS payment capability in iPhone 6. It was the reason for the timing of the Oct 2013 “token” announcement from the big 3 payment networks. As most of us asked “where on earth did this come from”…. It came from Apple (or the network response to Apple’s initial plan).

My problem in figuring out what is going on (if anything) is that Banks have no idea what Apple is planning. Current guess below revolves around assumption that the 3 payment networks do understand the plan. Thus the question becomes “what can Apple do in payments that starts with the payment networks, but does not involve the banks”? Constraints? It must involve: tokens, Apple’s security architecture, 600M cards on file, existing card presentment infrastructure, existing rules, recent lessons learned, and be able to expand to iBeacons.

My predictions

  • Apple will have a certified EMV contactless capability from V, MA and Amex in the iPhone 6.
  • Apple’s contactless is a proprietary architecture, based upon both tokens, and 3 card emulation applications (4 perhaps with Paypal)
  • Each Network will act as a Token Service Provider (TSP), with one token in each card emulation application. The TSP specs give this away, per the Spec, the TSP must be approved by issuer and have ability to translate token to Card. Apple may want to be the TSP… but Banks will say no. This solves a BIG problem with card provisioning, with V/MA/Amex already having the “proxy” card/token provisioned in the iPhone, and each bank working with respective network to turn on their card.  This is the Google model, with the networks running the TSP as opposed to Google/TXVIA.
  • Apple will not work in iBeacon model at launch, but rather EMV Contactless. You notice I’m not saying NFC.. from a merchant’s perspective this will look like NFC, and use the NFC protocol, but certainly not from a GSMA NFC perspective. There are no other vendors in this solution beyond Apple and their hardware suppliers (?Broadcom?)
  • Cards will be “provisioned” into the wallet through a complex process involving Issuing banks, TSPs, and Apple. Apple’s inventory of Cards on file will be registered with the TSPs, and Bank issuers will approve based upon Token Assurance information, MNO information, card usage information … (yesterday’s blog).
  • Fingerprint will be key process which unlocks card/wallet and enables EMV Contactless interaction. Customer experience? EMV Contactless, consumer unlocks phone with fingerprint and authorizes purchase on Payment Terminal. iBeacon? Same thing only works on all iPhones via BLE (no proximity/NFC)
  • How will Apple make money on this? They won’t… nada. Although there COULD be a way forward given that the product presented to merchant is in control of Networks AND the Issuers are in control of their cards.. a potential… but given lack of issuer participation, I have no idea of how they would pull this off. I do believe that there are groups in Apple that want to make money on a card present transaction, but join the club.. there is no economic model in any network agreement for a wallet provider.
  • I want to emphasize again.. this is just the easy payment part. I strongly believe that looking at payments in isolation is the wrong way to view this (see Blog).

I like this.. IF consumers can choose which payment products to store in phone (debit card). I think the Bank Issuers will flip out when they hear that V/MA have locked themselves into the TSP role.. talk about a reversal from TCH. Issuers could make the case that the networks own the fraud loss since it is a network proxy card wrapping the issuers card…. can’t wait for that one to happen.

I’m 90% confident in the above… let’s see if I can keep my perfect track record on Apple, Google, Tokens and NFC.


Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”

28 April 2014

I must get 10 calls a week on Apple/NFC. I’m quite concerned that Apple’s new capability will be completely misunderstood by the press, so I thought I would preempt all the NFC zealots out there with my own tag line.. So far I have a 100% success rate in predicting Apple and NFC (blog). Don’t know if I can keep it up as I read the tea leaves. Let me start with facts, then give you my informed opinion.


  • There are 2 aspects to NFC: 1) the communication protocol as defined by the NFC Forum (this stays as is), 2) the GSMA’s construct and standards for how NFC can be deployed in a handset (things like TSM, SE, SWP, …). See
  • Neither Google, Apple, Merchants nor Bank Issuers are in favor of the GSMA’s NFC platform. This is a fact in my mind… particularly in the US.
  • Host card emulation has created a way for all Android 4.4 and above phones, with an NFC compliant radio, to provide application access to the NFC radio. Phones cannot be certified for 4.4 unless they demonstrate support for HCE. See blog HCE – Now the Preferred Contactless Approach
  • The new card present scheme “Tokenization” was announced Oct 2013 at Money 2020, with the specification out last month (see EMVCO details). See my blog Payment Tokenization.
  • HCE and tokenization play together well. Tokens must be coupled with something else (Device ID, Biometrics, PIN, …). For those that have been MIS informed by Gemalto… there is NO NETWORK connectivity requirement for HCE/Tokens. A token representing a card is in software on the phone. It can be stolen.. but it is a worthless piece of information without the other identity/device information. HCE gets around the EMVCo Contactless encryption requirements.. and operates under the TOKEN specification. But there is much grey area here.. as “acceptance” of token is not clearly defined (including pricing). Thus the only “covered” presentment method from a phone to a POS is through a card emulation application. Token acceptance will be coming later, but “assurance levels” are making this a crazy space (tomorrow’s blog).
  • Update – I see that the smart card alliance has already responded to my blog here. The need for a trusted execution environment.. blah blah blah. Did you know that in an EMV contactless transaction that the PAN is sent in the clear? Yep… the need for the TEE is around signing a cryptogram (to verify where the card came from). Obviously I would much rather hide the PAN in a token, and enhance with phone information than give the PAN in the clear and sign something. There is no need for a TEE in payments, just as I access my bank through my browser on my PC without a TEE.. I can also do so with a phone. arghhh…
  • Tokens align well to banks and payment network dynamics and investment. US Banks had been working on a tokenization initiative for the last 3-4 years in the Clearing House (blog).
  • In both HCE and Tokenization scheme, the ISSUER IS IN COMPLETE CONTROL of their card. Issuers generate the token, and authorize the transaction.  US issuers have their own token infrastructure in place from the TCH initiative (above). I wish I could emphasize this more. With HCE, issuers control which application(s) can present a card..  just as they did with within the TSM provisioning model.
  • There are HCE pilots that are live and functional. So much for not being “viable”. The issues are not around technology, but rather validating fraud controls and device ID. Issuers can be up and running with either Mastercard or SimplyTapp in weeks.
  • Perfect authentication and security is a nightmare to Banks.. Banks make money on ability to manage risk. There is no risk in a world of perfect authentication. Or as Ross Anderson says “if you solve for authentication in payments… everything else is just accounting”. See Blog – Perfect Authentication is a Nightmare for Banks.
  • MNO led payment schemes (the GSMA’s platform) are failing in OECD 20 (mature markets), but are leading the way in Emerging Markets. I have seen the transaction numbers… Reasons are multifaceted (see blog for reasons). The technology works.. it is beautiful.. problem is business/consumer value proposition and consumer behavior.
  • Historically, new POS payment instruments and POS payment behaviors are established through frequency of use. There are 3 categories: Grocery, Gas, Transit. Transit is the global success story (Docomo, Suica, Octopus, …)
  • 4 Party Networks have a limited ability to change rules, Issuers dominate in influence. Amex is 3-5 years ahead of every US issuer in terms of capability, strategy and execution.



  • Apple’s biggest asset is their ability to change consumer behavior (blog).
  • Apple’s iPhone 6 will be coming out in October (my best guess) with payment capability. It will have the capability to communicate in the NFC protocol.. but nothing about the new iPhone will be compliant with the GSMA’s architecture
  • Apple’s new capability is NOT ABOUT PAYMENT, but about Commerce (see blog) as they act as a CONSUMER CHAMPION (see blog).
  • Tokens play very, very well into an iBeacon model. Given that tokens are worthless “keys” that refer to a card.. these keys can be exchanged in the open with BLE. There is no need for near field if the information is worthless.
  • -Update- From my perspective I would not refer to Apple’s efforts as HCE. Where Google’s HCE repurposed an existing chipset to create a new software model, Apple has designed a new hardware model. Apple will be using bank issued tokens. Banks will look at using these delivered tokens in combination with: 1) Apple derived authentication score, or 2) MNO device ID from Payfone, 3) Bank mobile application information, 4) combination of above.
  • Authentication is key to Apple’s role in consumer trust and commerce. Per my blog Authentication in Value Nets, Apple is 3 years ahead of Google and everyone else in integrating software and hardware level security (ex Secure Enclave). Google has a path for a secure execution environment through Arm’s Trustzone, but this is more challenging as Google does not mandate hardware architecture (yet).
  • Apple’s new POS payment method will involve finger print on phone, and token presentment to retailer. It can be transmitted via NFC, BLE, QR Code.. or whatever the merchant and consumer can agree on.
  • How does Apple make money on this? I don’t think they will make money on payment, but rather on #1 Authentication (charging the card issuers for an authentication score), or #2 Marketing (charging merchants for consumer insight/ability to reach consumer).
  • Gemalto continues to cast stones, and miss revenue targets. Mobile Communications revenue of €225mn (-5.7% YoY growth, -1.0% constant currency) came in below consensus of €245mn (2.7% YoY). This is the second consecutive disappointing quarter for Mobile Communications, with revenue down 4% YoY in 4Q13. Why would any MNO invest in a secure vault on an Android handset when any application can go around it? That’s right.. there is no lock on the capability. This tremendously impacts the willingness of MNOs to “invest” in incremental features.. when their “investment” can be used without their permission.
  • What will REALLY impact Gemalto is a VIRTUALIZED SIM. Don’t think this is coming in iPhone 6.. but it is coming (see Virtualized SIM).
  • The next 2 years will see mobile payments as a “1000 flowers blooming”. Top card issuers will extend their mobile banking applications to enable card emulation (BLE, NFC, QR, … whatever).
  • Payment Networks will be working to expand the 16 digit PAN to something much larger to support dynamic tokens. They will be working to transition Cards on File to tokens.. with perhaps a card present value proposition.
  • MNOs will realize that they have a unique ability to create a device ID that competes with Apple’s biometrics. Payfone is the leader in the US, Weve in the UK. Beyond this, they may also begin to realize the $5B KYC opportunity I outlined 5 years ago.
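
The token model in the bullets above (a token that is worthless on its own, which the bank combines with device identity), as an added example that is not from the original post. It is a simplified issuer-side check that assumes an HMAC cryptogram over token, device ID and a transaction counter; `TokenVault`, `make_cryptogram` and the key scheme are hypothetical, not the EMVCo or card network specification.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(device_key, token, device_id, counter):
    """Handset side: bind one transaction to the token, device and counter."""
    msg = f"{token}|{device_id}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Issuer side (hypothetical): maps tokens to cards and checks each use."""

    def __init__(self):
        self._records = {}

    def provision(self, pan, device_id):
        # Random 16-digit token: carries no information about the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        device_key = secrets.token_bytes(32)  # delivered to the handset once
        self._records[token] = {"pan": pan, "device_id": device_id,
                                "key": device_key, "last_counter": 0}
        return token, device_key

    def authorize(self, token, device_id, counter, cryptogram):
        """Return the PAN for a valid presentment, else None."""
        rec = self._records.get(token)
        if rec is None or rec["device_id"] != device_id:
            return None  # unknown token, or token seen from another device
        if counter <= rec["last_counter"]:
            return None  # counter reuse: a replayed presentment
        expected = make_cryptogram(rec["key"], token, device_id, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # sender does not hold the device key
        rec["last_counter"] = counter
        return rec["pan"]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token, key = vault.provision(pan, "device-A")
    good = make_cryptogram(key, token, "device-A", 1)
    first = vault.authorize(token, "device-A", 1, good)    # accepted
    replay = vault.authorize(token, "device-A", 1, good)   # same counter again
    forged = vault.authorize(token, "device-A", 2, "0" * 64)  # no device key
    return first, replay, forged
```

The token can travel in the clear because the issuer accepts it only with a fresh counter and a cryptogram made with the device key; a captured token and cryptogram fail on the second presentment.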

What is NFC? What part is Dead? A: The GSMA part

23 Feb 2014

I decided to turn this into a Wiki update.. as the prior entry is somewhat lacking. For example: Who created the TSM? Single Wire Protocol in the UICC? Who certifies a device for payment?

The New Wiki is now (with the last 2 para’s just added)

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few inches.

Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips Semiconductors (which became NXP Semiconductors in 2006) and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance[5] and if it fits the criteria for being considered a personal area network.[citation needed]

In addition to the NFC Forum, the GSMA has also worked to define a platform for the deployment of “GSMA NFC Standards” within mobile handsets. GSMA’s efforts include “Trusted Services Manager”, Single Wire Protocol, testing and certification, and “secure element”.

The GSMA’s standards surrounding the deployment of NFC protocols (governed by the NFC Forum above) on mobile handsets are not exclusive nor universally accepted. For example, Google’s deployment of Host Card Emulation on “Android KitKat 4.4” in January 2014 provides for software control of a universal radio. In this “HCE Deployment”, the NFC protocol is leveraged without the GSMA’s standards.


From a mobile payment perspective, NFC is

  1. Protocol. NFC Forum owns the Protocols making up the ISO specifications.  These protocols are the “universal” aspect of NFC that is NOT changing.
  2. Platform for How NFC works in a Phone
    • GSMA NFC Specifications, reference architectures, platform constructs (TSM, ..) outlining a SCHEME for how NFC manifests itself within a Handset Architecture
    • HCE
    • Apple Secure Enclave
    • ??
  3. Payment Network Standards and Certification. ExxonMobil and Mastercard were the first contactless payment mechanisms, and Mastercard PayPass was the first Network Standard with reference implementation and certification for presentment and acceptance.

With HCE, the entire GSMA “NFC platform” is dead, but NOT the protocol (No UICC/SWP role, No TSM, Access to “controller” and Secure Element, no Handset Certification).

Comments on Wiki and blog welcome.



Apple and Physical Commerce (not Payments) – Part 4

28 Jan 2014

The mainstream media is hooked on “mobile payments” like Doritos to the Super Bowl… we all like to talk about it… Difference is Doritos have real consumers.. while “mobile payments” at the POS are a laughable over-buzzed ethereal dream. I continue to be amazed at how badly this is covered, from overblown projections by Javelin ($20 B by 2012), to reports of NFC’s wonderful future from the GSMA. For readers of my blog, this hype is nothing new.

What is Apple doing?

Creating a Commerce Platform that will enable 1000s of Retailers to rewire commerce. Apple is the ONLY COMPANY in the world where Retailers will CHANGE THEIR BUSINESS to create a unique APPLE EXPERIENCE. Why? Apple’s biggest asset is their ability to change consumer behavior.. It is the only company in the world that can move: Retailers AND Consumers AND Manufacturers. There is enormous TRUST in the Apple brand; they have earned this trust (with THE MOST AFFLUENT consumer base) by consistently delivering the best product experience (A very very big PERIOD). They have proven to be THE leader in digital goods, physical retail AND eCommerce. Payments may be a starting point.. but Apple’s patents, technology, products and applications are completely missed if you only look at them from a payment perspective.

Sorry to sound pompous here guys, but I’m pretty decent in predicting Apple in Payments, and the role of the Handset in Physical retail. Take a look at the consistency of my previous blogs…

Product First

Apple is a tremendous company, with the best product design teams in the world. They care deeply about their brand and the consumer experience, particularly as it relates to the iPhone. Apple also knows physical retail VERY VERY well, with the most profitable stores per square foot in the world (over $5,600 per square foot). Let me restate this again, Apple is #1 or #2 in:

  1. Ability to Change Consumer Behavior (see blog)
  2. Handset Profitability
  3. Customer Demographic/Profitability
  4. Product Design
  5. Consumer Experience
  6. Sales of Digital Goods (App store)
  7. Sales of Physical Goods online (Mac Store)
  8. Physical Retail Sales (Apple Retail Stores)
  9. other (Authentication, developer community, cloud, fraud, security, …)

NOT About Payments

Do you think Apple would risk any of this on something that they could not control or has proven to be a failure? OF COURSE NOT!!

Physical Retail is a complex business that is undergoing a complete restructuring (see Blog), we are talking about $2.4T in sales (does not include Auto, Gas, Fin Services) vs. eCommerce sales of $180B. Apple has been very well served in acting as a late follower, the key for Apple to add value in retail is their role in changing consumer behavior (See Blog).

Apple’s Strategy

It is to make the iPhone a platform for Physical Retail, to enable retailers and manufacturers to create 1000s of fantastic consumer experiences. Apple will do NOTHING it cannot control, it knows that Banks and MNOs will look to leverage its brand and gain a controlling foothold. Apple and Google are very consistent in the battle to control the consumer (authentication)… the ability to authenticate is critical to bringing together the virtual (cloud, social, pictures, music, payment, ID) and physical worlds (Blog Who do you Trust, and Authentication Battle).

I have to run and catch a plane, but as a quick example. What if you were in a shopping aisle and the products could talk to you? They could tell you their reputation, what your friends thought of them, what they tasted like, or how they could best be used? What if you allowed certain retailers to know you were in the store (a form of checkin) and the retailer could give you a special deal on a package of 2 or more things you were looking at, or offer to meet Amazon’s price if they could package a warranty and same day installation? When you walk up to the POS, they know your name and ask if you would like to put the purchase on the same card you used last time?

The business case for Apple is not making 10-30bps in payments, it is about making 500bps in advertising and retailer services. It is about cementing iPhone’s role as a platform for both Consumer and Retailer… adding services, adding transactions, adding loyalty and creating a behavior chain with APPLE AT THE CORE.



—————- update

Most of you know I deal with the institutional investor community.  Today I had a funny quote.. “Tom we heard that Paypal is working to be part of the Apple product”. My answer “I’m sure they are… but they have absolutely NOTHING to give them”. Apple would be nuts to include Paypal here, Paypal has NO Physical presence, no merchant relationships, no consumer traction in off line, … Should Paypal let consumers choose to a Paypal “product”? Why? Perhaps linking their debit accounts.. but Paypal is not merchant friendly… it would be a VERY bad way to start a platform business.

As I said before as Payments move to the OS, Paypal does NOT have one.