Alex Lithgow-Smith, Senior Consultant, Consult Hyperion www.chyp.com
There’s been a technology earthquake over the past year that brings together phones, cards, and clouds in a way that may revolutionise payments.
Despite the success of contactless card products like Oyster in London, there are still remarkably few ways in which consumers can use mobile phones for contactless or NFC payments at the point of sale. On buses (and soon the Tube) we reach for our bank cards, not our phones. In Pret and Caffe Nero, we can make contactless payments but we use our cards, not our phones. The few successful phone-based schemes, such as the one used by Starbucks, use barcode-based technology rather than NFC.
This has largely been due to the difficulty of arriving at business arrangements between banks, phone operators and handset manufacturers about how to store the security features required to make a payment using an NFC phone.
Credit and debit card payments comply (except in the US) with a standard devised by the payments associations called EMV. That means equivalent payments using a phone must comply too. Previously, to do this in a phone meant storing the security keys required for the transaction in a tamper resistant chip on the phone – the Secure Element. That led to the need for negotiations over where that Secure Element was – if it was on the SIM, the mobile operators owned it; if it was in the handset, handset manufacturers owned it. Either way meant problems and expense for the banks.
All that has disappeared with Google’s recent announcement of Host Card Emulation, or HCE, in its latest Android implementation. HCE allows the phone to emulate a contactless card, meaning that there is no longer any need for a Secure Element. Instead the security information is sent directly to the phone. To ensure that the transaction remains secure, just enough information for one transaction or for one day, depending on the way HCE is implemented, is sent via the cloud to the handset. Enough for one transaction is obviously the most secure way, but that only works if the phone can then retrieve the next set of information so that it’s ready for the next transaction. If there’s any chance it might not, for example underground with no signal, then storing enough credentials for a few transactions on the phone is a safe enough approach.
While it’s been technically possible to do this in the past by modifying Android (Consult Hyperion has been working on this for several years), Google’s announcement has made this much, much easier.
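The limited-use credential model described above, as an added example that is not code from Google, Bankinter or Consult Hyperion: a simplified simulation in which the issuer's cloud host provisions a short pool of single-use, time-limited credentials to an HCE handset, the handset spends one per tap (and keeps working briefly without signal), and the online authorisation refuses reuse, expiry and a tampered amount. The HMAC cryptogram, the credential layout and the one-day lifetime are assumptions standing in for the real EMV data.

```python
import hashlib, hmac, secrets
ONE_DAY = 86400  # seconds: the "enough for one day" policy described in the article

def make_cryptogram(key, amount):
    # Stand-in for the EMV application cryptogram: a MAC over the transaction amount
    return hmac.new(key, str(amount).encode(), hashlib.sha256).digest()

class IssuerHost:
    # Cloud side: provisions limited-use credentials and authorises each tap online
    def __init__(self, lifetime=ONE_DAY):
        self.master, self.lifetime = secrets.token_bytes(32), lifetime
        self.issued = {}    # credential id -> expiry time
        self.spent = set()  # ids already authorised, so a replayed tap is refused
    def _key(self, cred_id):  # per-credential key; the master key itself never leaves the host
        return hmac.new(self.master, cred_id, hashlib.sha256).digest()
    def provision(self, now, count):
        # Push `count` limited-use credentials to the handset over the cloud channel
        batch = []
        for _ in range(count):
            cred_id, expiry = secrets.token_bytes(8), now + self.lifetime
            self.issued[cred_id] = expiry
            batch.append({"id": cred_id, "key": self._key(cred_id), "expiry": expiry})
        return batch

    def authorise(self, cred_id, amount, cryptogram, now):
        # Online authorisation: expiry, reuse and integrity are all decided here
        expiry = self.issued.get(cred_id)
        if expiry is None or now > expiry:
            return "declined: unknown or expired credential"
        if cred_id in self.spent:
            return "declined: credential already used"
        if not hmac.compare_digest(make_cryptogram(self._key(cred_id), amount), cryptogram):
            return "declined: bad cryptogram"
        self.spent.add(cred_id)
        return "approved"

class Handset:
    # HCE app side: keeps a small pool of credentials so taps still work with no signal
    def __init__(self, host, pool_size=3):
        self.host, self.pool_size, self.pool = host, pool_size, []
    def replenish(self, now, online):
        if online and len(self.pool) < self.pool_size:
            self.pool.extend(self.host.provision(now, self.pool_size - len(self.pool)))

    def tap(self, amount, now):
        # Spend one credential; returns what the POS forwards, or None if none is usable
        self.pool = [c for c in self.pool if c["expiry"] >= now]
        if not self.pool:
            return None
        cred = self.pool.pop(0)
        return cred["id"], amount, make_cryptogram(cred["key"], amount)
```

Because every decision about reuse and expiry is made at the host, a credential lifted from the handset buys an attacker at most the remaining pool until it expires, which is the trade-off the "one transaction versus one day" choice controls.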
So all of a sudden the need for banks to negotiate SIM card real estate with mobile phone operators has gone. One of the first banks to show an interest in this new approach, Bankinter in Spain, has just announced the commercial launch of its “Mobile Virtual Card” (MVC) product. They have had a detailed risk analysis carried out by Fraunhofer AISEC in Germany — who concluded that the security of the HCE solution is “adequate for EMV online” transactions (that is, where the POS goes online for authorisation) — and are launching the service to their customers and hoping to license the service to other issuers.
One of the most interesting things about Bankinter’s enthusiasm for HCE is that they actually own a Mobile Virtual Network Operator. So if it’s too difficult for a bank that actually controls the SIMs to go the conventional route, imagine how much easier the existence of HCE is going to make life for banks that don’t.
I honestly think that this may be the jumping-off point for NFC and that after the lack of progress of the past few years, NFC will finally take off. Visa and MasterCard’s recent announcements of their support for HCE appear to reinforce this.
Not that this is all bad news for the mobile operators. While it’s true that some are pressing ahead with pushing the traditional Secure Element based approach to NFC, there are other ways in which they can add value to an HCE based approach.
We’ve always argued that for the mobile operators, their central role will be in digital identity. The Secure Element (SE) is the obvious place to store these digital identities. And by storing digital identities that the app developers can access via standard APIs, the mobile operators can provide something of genuine value to the rest of the stakeholders: an identity infrastructure that both NFC (whether HCE or not) and other technologies, such as potential rival Bluetooth Low Energy, can use.
That value could be the information which guarantees that the phone being used to make the NFC transaction is the correct phone, in the hands of the correct owner. After all, it’s the mobile operator that can tell whether the phone has recently been used to call regularly used numbers from regularly used locations.
We’ll be making that argument strongly to mobile operators over the coming year. But in the meantime, Host Card Emulation is exactly the impetus needed to make consumers reach for their phones rather than their cards at the point of sale.