Using mobile devices for securing payments has been, and continues to be, a key area of interest for Consult Hyperion and our customers.  We have helped many of our clients in this space from: providing advice on the market landscape, advising on security, testing security, developing security architectures, and building solutions.  Apple’s purchase of Mobeewave a couple of weeks ago has caught our, and everyone else’s, attention.  This gives us some time to reflect on this and consider what it means for the SoftPOS industry and ecosystems.

Let’s start with the basics, who are Mobeewave, and what do (did) they do?

Mobeewave are a Canadian start-up, who have been around for some time now and are one of the pioneers (alongside Worldpay, First Data and others) in using mobile phones to accept card payments.  Mobeewave have raised significant levels of funding over the years, with investors including Mastercard and Samsung.

Mobeewave does not compete with Square, they do not sign up merchants, nor do they acquire transactions directly themselves.  Mobeewave provides solutions to acquirers around the world to enable Samsung mobile phones to become POS devices by signing up and downloading a mobile app.  These solutions include the secure phone app and the back-end attestation and processing systems.  The use of the Samsung TEE (Trusted Execution Environment – think Apple Secure Enclave) to protect sensitive data and process card payments limits the Mobeewave solution to Samsung devices, however given Samsung’s substantial presence in certain markets this has enabled Mobeewave to sign deals with major acquirers such as National Bank of Canada, Commonwealth Bank of Australia and Polskie ePlatnosci in Poland .

So what’s in this for Apple?

Mobeewave knows how to write payment acceptance applications using the Samsung TEE.  This is not trivial, having been involved in SoftPOS since the Cyanogenmod first made access to a mobile’s NFC possible, Consult Hyperion understands the complexities of payment acceptance kernels and security, as do Mobeewave.  NFC acceptance is not simple, each card scheme has different requirements for POS devices to read their cards, these payment acceptance kernels are intricate. Mobeewave has experience developing secure acceptance kernels for Visa, Mastercard, Interac, and eftpos within the TEE.  It is this experience and understanding of the complexities of NFC payment acceptance that Apple gains from this deal.

What will Apple do?

There are several options open to Apple, once Mobeewave develops these payment kernels within the Apple Secure Enclave, and the NFC capabilities within the Apple iPhone and iPad are unlocked to make them fully capable of reading contactless bank cards to accept payments.  The question really is how that acceptance ecosystem might be used.

POS Acceptance

It seems unlikely that Apple will set up as a competitor to Square and other acquirers, but will they enable the capability for these acquirers to use the Apple ecosystem for payments acceptance?  This would be quite an attractive proposition for FIS, FISERVE, Global Payments etc, and quite scary for POS manufacturers such as Ingenico, PAX and Verifone. 

All the transactions would pass through Apple’s back end infrastructure, for a fee, but with no POS hardware to purchase, and with Apple looking after the payment acceptance User Experience this could be quite attractive.

There are issues in this approach.  To support all payment cards, Apple would need to implement and maintain a payment kernel for every international and domestic payment scheme, not a trivial task, which would also eat up space in the secure enclave.  Unlike contact payments, where there is a single core payment application, EMV NFC kernels are all independent of each other creating development, certification, distribution, and support issues for everyone involved in the ecosystem. 

Merchant identification needs to be solved to ensure the transactions are routed to the right acquirer etc.  A tie in with Apple ID to solve for this shouldn’t prove too difficult. 

Personal e-Commerce

e-Commerce transactions were increasing before the pandemic and have risen even more since.  There is plenty of scope for a better payment experience in e-Commerce, and if that solution also solves for e-Commerce fraud, then it could be quite attractive.  What if your iPhone or iPad becomes your personal e-Commerce POS device?  At checkout, you simply tap your NFC card / phone and enter your PIN or Touch ID to authenticate.  This turns card not present transactions into card present transactions, reducing fraud rates and interchange fees for merchants, whilst providing two-factor authentication for issuers.  This is the type of solution maxa (formerly iAxept) has been promoting for a few years, and as e-Comm transactions volumes and fraud levels rise, one that makes sense for merchants and consumers.

Now Apple is already present in e-Commerce, with Apple Pay for in-App and web-based transactions.  However, merchant adoption has been low, due to the changes required to their processors and acquirers backend systems, and the insignificant impact on the merchant’s interchange fees and liabilities.  The backend changes for a card present version of Apple Pay would be simpler, making it easier for merchants to use the service, even if it is only available to some of their customers. 

ID & Auth

Financial regulators around the world have endorsed the use of remote document verification solutions for onboarding new customers.  Many banks have adopted these solutions, recognizing that they simplify the bank’s AML/KYC processes and facilitate frictionless opening of internet accounts.

However, many of the remote document verification service providers rely on manual verification of the pictures submitted.  While the documents that they are validating have smart chips in them that are used to authenticate the document at the Point of Service.  The standards governing their operation and use are already adopted by Border Control and emergency services.  An Apple/Mobeewave solution capable of authenticating documents with embedded chips will facilitate their use for less.

This also opens up a “deliver to card” solution, where an Auth & ID is performed on delivery, reducing the opportunity for chargeback fraud.   

Apple cash ecosystem

Apple now has the capability of creating a complete Apple Cash ecosystem enabling a P2P or P2B payment ‘simply’ by tapping two phones or a phone and an iPad together.  The on-us transaction can be routed outside existing scheme rails and operate on devices anywhere in the world.  The service would compete directly with local debit schemes, which are currently favoured by small merchants due to their minimal transaction fees.

Square, iZettle and others have already encouraged those merchants to replace their POS devices with a tablet.  Now, in theory, those same merchants will be able to operate without their mPOS terminal.

How does this impact the SoftPOS industry?

The SoftPOS industry, whilst still young, is maturing with security standards and evaluations bringing a common baseline, which will reduce the number of pilot programs under scheme waiver, which have been the norm until recently.  However, with the need for two-factor authentication to secure transactions, we still await the “CPoC + PIN” standard from PCI which will become the defacto standard for SoftPOS deployments in the future. 

Apple’s purchase of Mobeewave and future entry into the SoftPOS ecosystem, in whichever form they decide upon, is a statement of intent, and good news for existing players and a boost for SoftPOS as a whole.  The major payment schemes have ambitious targets to grow contactless payment acceptance points, unlocking the Apple ecosystem marks a major step in this direction.  

In the short term, the void left by Moobewave’s departure from the Android ecosystem (we don’t expect them to continue on Samsung) has to be filled.  Which presents an opportunity for solution providers such as MYPINPAD, PayCore, Phos, etc, with ready to go systems.

Acquirers who don’t have SoftPOS solutions under pilot, or current plans for SoftPOS must now understand the impact of SoftPOS as a whole and how they can play effectively in the space, whether it be in deploying their own solutions for their merchant base, or simply acquiring transactions from SoftPOS providers.

SoftPOS opens up a new world of opportunities for Merchants in how they can control the user experience for their customers and take payments anywhere. 

The competition for the traditional acquirer and POS vendors, the PayFacs such as iZettle, Square & SumUp can unlock the remaining “new to card” market, who until now find the need for an mPOS dongle prevents them accepting cards.  An app only software solution also removes the barriers to entry for short term merchants for yard sales, sports club fees, one off payments, download the app, connect to your bank and start taking payments.  Suddenly everyone’s a merchant. 

There are issues, one of the main ones being the number of payment kernels Apple would have to support to provide a truly global acceptance infrastructure.  We have seen this in transit deployments where Visa, MasterCard and American Express acceptance is enabled and others such as Discover, JCB, eftpos lose out.  Perhaps we will see some rationalisation here, or QR solutions will win out. At Consult Hyperion we are excited by SoftPOS and the opportunities presented by Apple’s acquisition of Mobeewave.  We understand in detail how to monetize and deliver them efficiently and securely across all markets.  Our consultants are motivated by the difficulties you will face implementing, certifying and launching your new service.  Get in touch with us and we can help you navigate the world of SoftPOS effectively and efficiently.

Footnote

Thank you to Nick Norman, Executive VP Sales Americas, Consult Hyperion for his insightful contribution to this post.

Gary Munro

About the Author Gary Munro

Gary Munro, Principal Consultant, has over 30 years experience in electronic payments, including design and delivery of point of sale solutions to meet the specific requirements of the larger UK Acquirers, including Worldpay and Global Payments. Since joining Consult Hyperion, Gary has led Consult Hyperion’s retail transaction activities, advising retail banks, acquirers and start-ups on the hardware and software solutions that best meet their commercial and functional requirements. Gary led the team that delivered the world’s first mobile downloadable card payment acceptance device. He has helped international card schemes with all aspects of EMV card acceptance and national debit schemes with e-commerce acceptance.

2 comments

  1. Apple are about to enter a new world of pain with certification. It’ll be interesting to see how they approach CPoC or if they try to circumnavigate it and try to bully the industry.

    1. Great point, as we say in the blog the certification for security and payments around SoftPOS is complex. Something needs to be done to simplify the need for so many acceptance kernels, otherwise the major schemes will win out at the expense of the smaller international and domestic debit networks. CPoC on it’s own makes little sense, the upcoming CPoC + PIN standard from PCI will be the basis for future SoftPOS developments.

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: