The HCE tap is open, let NFC services flow
I was prepared for Mobey Forum’s third annual Mobey Day event to be a lively affair. Bringing banks together with, amongst others, GSMA, chip manufacturers and mobile payment software providers to discuss the future of near field communication (NFC) was always going to ignite debate.
What I was less prepared for, however, says Sirpa Nordlund executive director of the Mobey Forum, was just how far and how fast that debate has evolved in the past few months, let alone the last year.
For years, NFC-for-payment services have been hamstrung by deployment complexity and commercial power plays. This year, things are refreshingly different. Wind back the clock to November 2013; Google kick-started a wave of change by including support for host card emulation (HCE) in Android KitKat. Banks and other NFC service providers began to ask a very big question: ‘Could HCE replace the SIM-based secure element?’ Or, put another way: ‘Could HCE solve our technical and commercial go-to-market problems with NFC services?’
In March, follow-on announcements of support for HCE from Visa and MasterCard, together with EMVCo’s release of its first tokenisation framework, confirmed for many service providers that HCE was indeed a serious contender in the market for secure NFC service models.
Contest gives way to consensus
Wind forward a few short months to October and the HCE debates at Mobey Day had evolved almost beyond recognition. Evangelists were present on both sides, but a broad consensus became apparent on a number of previously contested themes. Firstly, that HCE is a force for good but does not signal the death of the secure element (SE) in NFC services. Neither the SE nor HCE NFC will dominate the NFC services industry, not least because both models present service providers with different sets of advantages and challenges.
In 2015, we are likely to see multiple deployment models establish, where the SE (either on the SIM or embedded in the device) will both coexist and cooperate with HCE to form hybrid solutions that can provide enough security for the service in question. This puts the ball firmly back in the service provider’s court. Banks especially, for whom mobile data security has always been a zero-sum game, are now faced with a new question, one that must seem entirely alien: What constitutes ‘enough security’?
And with that the rug is pulled, once again. If banks are to abandon the pursuit of ‘maximum security’ (as delivered via the embattled SE/TSM model) in favour of ‘proportionate security’ (via a service-appropriate blend of HCE/tokenisation/SE/software-based security) in order to finally get their solutions to market, they must first decide what an ‘acceptable security risk’ looks like. I fear that this expression will stick in the throat of many a bank’s mobile payments manager in 2015, as they try to explain to a frustrated board why they are now proposing to write-off a fair portion of SE-NFC investment and, at the same time, drop down a security peg in order to enable widespread deployment via an all-HCE or hybrid based solution.
Look to ApplePay and its TouchID biometric authentication for the route through the maze, advised David Birch of Consult Hyperion, who reminded us all not to get too hung up on security: “We’re buying coffee here, not launching nuclear missiles,” he argued with characteristic alacrity. “Convenience trumps security every time. Every time.” For evidence, Birch drew on the elegant simplicity of Apple’s biometric TouchID. Sure, fingerprints can be stolen and recreated, but how often is this really going to happen? And even if it did, would the genius thief not have bigger ambitions for this new found power than pick-pocketing iPhones? TouchID’s simplicity and convenience will drive consumer adoption at such a rate that it will dwarf any issues that emerge relative to its security. Indeed so beguiling is TouchID and its ability to authenticate payments via ApplePay, that Birch believes it may hold the power to entice Android defectors back to the iPhone in swathes. Let’s see.
ApplePay featured heavily across the two days of presentations and was met with universal admiration for its model. One notably insightful comment came from Mario Maawad at Caixabank who observed that ApplePay’s value to the whole NFC ecosystem was not only in bringing NFC to all those iPhone users, but by doing so with a user experience so frictionless that consumers will finally realise that conventional forms of payment are indeed inconvenient. This revelation alone will drive a shift in the consumer mindset, he says, and heighten awareness of the mobile channel’s potential to make life that bit easier. That must surely be good for all stakeholders in the mobile industry.
Beyond ApplePay, Mobey Day’s speakers offered a variety of other thought provoking insights for delegates to digest. Kristian Luoma, head of business development at Finland’s OP Pohjola Bank, made a notable distinction between how the next generation of mobile-specific social media platforms make the end-user feel. Facebook’s mobile user experience, according to Luoma, which focuses on connecting people, doesn’t feel anywhere near as good as the instant-response mobile world of WhatsApp, the handset-dedicated messaging platform, which is designed to serve groups of connected people. His point here is that mobile payments must be made to feel good, as well as operate conveniently and securely. In his words: “In mobile payments the winners will be those that can make the payment feel as good as sharing a selfie.” An interesting (and ambitious) challenge for payment providers everywhere.
Despite softening the blows with FIFA and street football analogies, the hard truths delivered by Amir Tabakovic, chair of Mobey Forum’s Mobile Wallet Workgroup, about the disintermediating threat that merchant-oriented prepaid mobile wallets pose to banks, really struck a nerve. Prepaid’s growing utilisation as an alternative banking platform, together with its unrestricted regulatory environment and easy integration with merchant loyalty programmes, combine to make it a defining force in the near-term future of mobile wallets, he says. Banks will ignore prepaid at their peril.
There is a string that ties all of these elements together. Mobile financial service providers everywhere now need to focus, above all, on the end-user experience. Today’s ecosystem is teeming with influential, agile and powerful stakeholders, many of which are on a mission to make the cumbersome business of paying for goods vanish completely from the consumer’s mobile shopping experience. If banks don’t move to broaden their horizons and establish a new and visible role in the end-user’s mobile experience, they may find that they too become unfortunate victims of the great ‘payments vanishing act’.
Which of the Mobey Day presentations struck a chord with you? How do you see NFC mobile payments moving forward in the coming months and years? I’d be delighted to hear your thoughts via firstname.lastname@example.org or tweet us @MobeyForum
The author of this blog is Sirpa Nordlund, executive director, Mobey Forum