Contact-free and App Clips in Apple’s iOS 14


The Use of Contact-free is Accelerating

At Consult Hyperion, we have already seen the pandemic accelerate the adoption of contact-free payments in the face to face environment as customers have become wary of catching COVID by touching shared devices, such as self-service terminals and PIN pads.  The use of personal devices for payments is hardly new but the attraction of an in-app/in-store version of mobile payments, whereby the consumer uses an app on their own device to interact with the retailer or service provider and pay for services, has just increased dramatically. Solutions for parking (RingGo) and for restaurants (like the Wahaca app, powered by Judopay) were already demonstrating the benefits of such an approach for customers and businesses before COVID struck.

Leveraging the payment networks for immunity passports


As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

 

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive, requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is: can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

When is an acceptance mark not a mark of acceptance?

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.


The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.


What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)


But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

Much ado about Near-Field

Act I, Scene I.

A Dashing Brit (DB) traveller in the Big Apple notices that the iconic New York yellow cab whisking him through the concrete canyons to his lodgings is fitted with a touch screen and a contactless card reader.

DB: “Can I pay by card?”

Taxi Driver: “You don’t have any cash, man?”

DB: “No, I just got here. You do take cards, right?”

Taxi Driver: “Yeah, but you know, they charge us like $5 to take your card…”

DB enters $5 tip on the touch screen, then, with a flourish, taps his iPhone fitted with a splendid MasterCard PayPass sticker against the reader. Nothing happens, until the transaction times out.

DB: “Can you do it again, thanks.”

Having asked the clearly exasperated driver to re-enter the transaction, DB tries both contactless Visa and contactless Amex cards. None of them work. In the end, DB sheepishly uses the magnetic stripe on his British Airways Amex card and swipes his way to success. A receipt is printed, and DB goes on his way.

Act I, Scene II.

Broadway. It’s late, but the heat from the day’s sun is still leaking from the asphalt, bathing the pedestrians in an unwelcome June warmth. The street is a cacophony of voices, languages, dialects, creoles. In a few seconds, the sounds of conversation in German, Mandarin and Spanish drift by. A Dishevelled Bearded (DB) grey-haired sage is walking in the road because the sidewalk is full. He glances down a sidestreet and sees a garish sign, the gist of which is that Dunkin Donuts is open round the clock.

“What a country” he thinks to himself as he is drawn towards the light in the clutches of a tractor beam forged in primal fires from sugar and fat, “but I really do heart NY”.

He moves slowly, precisely to the racks of deep-fried delight on display. But he is momentarily distracted by what he thought was an advertising display but has now realised is an ATM. His chemically-dependent slavish devotion to the evil geniuses behind the brand goes to 11: they have their own-brand ATMs. The own-brand money cannot be far behind.

DB muttering: “What a country…”

He shakes his head and turns back to the massed ranks of super-dense calorie containers.

DB still muttering: “…what a country!”



Act I, Scene III.

It’s late June in New York. The heat is oppressive, the air pregnant with rain, a thunderstorm must come soon. A Distressed Businessperson (DB) on his way to an appointment, staggers into a west-side neighbourhood coffee shop. He stands in line, feeling the uncomfortable sensation of sweat running from his receding hairline to his eyebrows. Even with his advanced years, he can hardly not notice the scantily-clad, petite twentysomething blonde woman in front of him. She addresses the Indian coffee cup server in a charming local manner.

Petite Blonde: “Just a cawfee, plenty of room for milk”

Indian Server: “$2.50”

The petite blonde proffers a debit card that prominently displays the brand of a well-known, internationally famous banking house.

Indian Server: “Sorry, cash only”

Petite Blonde: “Are you serious? You’re kidding right?”

Indian Server: “No cards. You can use the ATM”

He waves toward an ATM that sits, with big red lettering in a strangely old-fashioned typeface, next to the cream and sugar station.

Petite Blonde: “Fugget it…”

She turns to leave, then hesitates and turns back, starting to open her wallet (for our English readers: purse).

Petite Blonde: “No, wait… maybe I got it”

She rummages in the wallet and eventually uncovers a dollar bill and some change. She hands them to the Indian server and takes her coffee, while DB begins to rummage in his backpack, certain that he remembers seeing a $5 in his Moleskine yesterday.


Act I, Scene IV.

A Dog-Tired Backpacker (DB) is slumped at his breakfast table in a downtown Manhattan hotel. Unable to sleep, he has been awake since the early hours. Unable to concentrate on his tasks at hand, he has been composing nonsensical observations about financial services of niche interest, intending to foist them on an uncaring universe via a web log. All around him are the men and women who are the beating hearts of commerce and trade. Not all of them are international: one on a nearby table is American and he is yelling into his iPad, having a Facetime video conference with a colleague. At breakfast. In a public place. DB is driven from his Raisin Bran by this performance and stomps across to the coffee station to grab some Joe to go. In his haste to get away from the blockhead banging on about business prospects for the next quarter, he fails to attach the lid to the coffee cup securely, with the natural consequence that it falls off, and he slops coffee on his chinos.

On his way back to the room to attempt an emergency clean-up on Aisle 1, he remembers that he saw a men’s clothing store a block away. He heads over there and finds a pair of Dockers in the right colour (ie, any) and the right size (REDACTED). He pays with his Amex card, because his John Lewis MasterCard was cancelled following a suspicious transaction and the replacement hasn’t arrived.

Menswear Assistant: “Cash or card?”

DB: “Card.”

DB takes his Amex and swipes it through the terminal in front of him. He is then invited to sign the large, clear screen using a plastic stylus. He does so (signing it, as always, “Snoopy Dogg” as a fraud prevention mechanism — if a fraudster steals the card, then they would sign it DB, because that’s the name on the card, thus any forensic investigation would immediately flag the transaction as bogus).

Menswear Assistant: “Thank you sir, please call again.”

DB wanders into Starbucks next door and orders a medium coffee with an extra shot and an oatmeal raisin cookie.

Cheery Barista: “$4.85 please”

DB hands over pre-paid US dollar Travelex MasterCard, which the Cheery Barista swipes in an instant and returns.

Cheery Barista: “Do you want a receipt?”

DB: “No thanks.”

Cheery Barista: “Have a great day.”

DB turns toward the counter where patrons queue to pick up their completed beverage orders. He stops, puzzled, lost in thought. He thinks to himself “Hhhmmm… there’s no way that contactless technology is going to make that transaction any faster, and customers don’t care about security, because it’s not their problem, so how is it going to catch on in the US?”

As the dark clouds of thunderstorms stack above the skyscrapers of Wall Street, DB ambles toward the Museum of American Finance, only to find that it doesn’t open on Mondays. Lost in tortured thought about the mobile wallet and the competitive strategies of his clients, he reaches for his iPod, turning the corner of Broad Street to the sounds of “Brainbox Pollution” by the world’s greatest ever popular beat combo, the mighty Hawkwind.

Exit, pursued by bronze bull.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Yet more about NFC and business models

Eric Schmidt’s very bullish comments about near-field communication (NFC) technology in the US retail market have got people talking about business models again.

Eric Schmidt, Google’s executive chairman, believes that a third of check-out terminals in retail stores and restaurants will be upgraded to allow wireless “tap and pay” from mobile phones within the next year.

[From Google’s Schmidt predicts widespread “tap and pay” within a year | FT Tech Hub | FTtechhub – Industry analysis – FT.com]

These follow a series of statements by Google executives that, whether they are true or not, seem to have legitimised the technology in the eyes of a broad range of businesses.

She added that there is a ton of activity around NFC in international markets, giving the example of a successful trial of the technology that Starbucks ran in London.

[From Google Commerce Chief: We’re Making A Huge Bet On NFC As A Company]

I’ve never heard of this Starbucks NFC trial, so if anyone can point me in the right direction I’d really like to read up on it. But that’s beside the point. The point is that lots of people are now taking NFC seriously in the retail space and the mobile operators are developing NFC strategies. But what business model will there be for them? And what options do they have?

The question will then be how operators manage to regain relevance for their role in NFC transactions (which will come later, if at all), when the first trillion NFC interactions will have bypassed them.

[From Dean Bubley’s Disruptive Wireless: What will be the business model for free NFC-based interactions?]

You can see the problem that he is alluding to, but it may not be immediately obvious why it is such a problem specifically for operators. Look at the issue from a slightly different perspective, one that stems from security. I would argue that there are two different classes of application for NFC in mobile phones. These are, broadly speaking, “open” applications and “closed” applications. They are, broadly speaking, about interaction in the case of open applications and transaction in the case of closed applications. Creating such applications is, broadly speaking, easy in the case of open applications and difficult in the case of closed applications.

Why? Well, it’s because the closed applications need security and the open applications don’t. Open applications are things like games and business cards and “friending”, where consumers touch phones to something (which may be another phone) in order to get or exchange some information. These are what Dean means by “interactions”. Closed applications are things like payments and tickets, where real money is involved (other than the service provider’s own) and the applications must be what security professionals refer to as “tamper resistant”. They must also work, all the time and every time. These are what Dean means by “transactions”.

Working out how to implement secure electronic transactions is (I’m happy to say, since it’s a big part of Consult Hyperion‘s business) difficult, complicated and interesting. It’s easy to picture how life might be with your credit card inside your mobile phone, but think what has to happen to realise that picture! How will the security keys necessary for the card application be transported across potentially insecure networks into the tamper-resistant chips (the “secure elements”, SEs) in handsets? How does the bank know that your credit card is going into your phone and not a fraudster’s? When you get a new phone, how does your card make its way from your old phone to the new one? How does the wallet application in the phone communicate with the card application in the secure element?

In the architecture developed by the transaction incumbents (by which I mean banks and telcos), the management of the closed applications is undertaken by something called a “trusted services manager”, or “TSM”, an entity that sits between the providers of closed services, such as banks and transit operators, and the mobile operators who connect to the SEs that they, in effect, own and rent out space on. This model may be disrupted, because it was founded on the assumption that the SE would be under the control of the MNO and that the TSM would have to cut a deal with the MNO to rent the SE space (what you’ll often hear telco people refer to as the “apartment model”).

In the Google play, the TSM is operated by First Data and the SE is operated by Google (it’s in the Nexus handset, not on the SIM). The operator has no control over the SE and can extract no “rent” for its use. I notice that in the Nilson report (#972, page 7) it says that the Nexus S is the only smartphone in the US market with an SE not controlled by the mobile operators: it might have said that it’s the only smartphone in the US with an SE, full stop. The operators (in the form of Isis) are not yet in the marketplace. Why are Google being so active then? Well, on the Catalyst Code I read a while back.

Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card– advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

Karen is, as usual, spot on about this. But I’m not so sure about this…

What’s amazing is that Google was the first to connect all of these dots

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity propositions involving banks and operators and from these experiences have developed (I think) a reasonably accurate map. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out and get an NFC phone.”

So how come banks and operators didn’t connect the dots, then? Banks and operators have smart people in them, and some of them have smart consultants too. But it is very difficult to make institutional strategies for non-core businesses and have them translated into practical tactics with appropriate priorities. If you were in a European mobile operator back in 2009 and you had an idea for using NFC to create a new business, where did you go with the idea? I went in to an Orange retail outlet: they are the first operator in the UK to sell a commercial NFC handset with an onboard payment application: not only did the shop not accept NFC payments but they didn’t sell any NFC tchotchkes, such as blank NFC tags. If you’re a smart kid and you get one of these phones, and you have an idea for using tags as tickets for a gig you and your mates are running… well, hard luck. This is problematic, because we need lots of people to be experimenting, developing and playing with the new interface to create the new, open applications.

In April, Nokia’s vice president for industry collaborations, Mark Selby, speaking at the WIMA NFC conference in Monaco, contended that NFC applications not securely stored on SIM cards, embedded chips or other secure elements will account for two-thirds of the revenue that NFC technology will generate through 2013.

[From Nokia Introduces Its Second NFC-enabled Smartphone | NFC Times New – Near Field Communication and all contactless technology.]

I hope Mark won’t mind me mentioning that we discussed this over dinner a couple of weeks ago and, while I agreed with him about the market, I bored him at length with my moaning about the slow development of the ecosystem. Where are the Nokia NFC tags for kids to buy? Where are the NFC USB sticks to connect laptops and phones?

But, looking forward, there’s another issue here. This classification of open/interactive vs. closed/transactional NFC uses is too simplistic, because as the technology spreads in the mainstream, interactions will need to be secure too. When I tap my phone against an advert at the bus stop, I want to find out more about “Kung-Fu Panda 2” and not get directed to a porn site, a reverse-charge premium rate phone call to Honduras or send a text message to someone who wants to sell my mobile number to commercial organisations. I want my phone to check the digital signature on the tag and make sure that it is valid, and that it is signed by an organisation recognised by UK phone operators, or banks, or the government, or whoever. But signing the tags (which is part of the NFC standards, but no-one uses at the moment) means that someone has to distribute keys, and certificates and all that stuff. None of this exists right now, but in the future it will have to.
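The check described above, sketched in Go as an added example that is not part of the original post. It is a simplified model (Ed25519 signatures and a one-level certificate), not the NFC Forum signature record format, and the root name, organisation name, URLs and the `SignerCert`/`SignedTag` types are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// SignerCert is a minimal stand-in for a certificate: a recognised root
// vouches for the key an organisation uses to sign its tags.
type SignerCert struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Issuer    string
	IssuerSig []byte // root's signature over certBytes(Subject, PublicKey)
}

// SignedTag is what the phone reads: content, its signature, the signer's cert.
type SignedTag struct {
	URI  string
	Sig  []byte
	Cert SignerCert
}

var (
	ErrUnknownIssuer = errors.New("certificate issuer is not a recognised root")
	ErrBadCert       = errors.New("certificate was not signed by the named root")
	ErrBadTagSig     = errors.New("tag content does not match its signature")
)

// certBytes is the byte string the root signs. The key has a fixed length,
// so subject || 0x00 || key cannot be read two ways.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append(append([]byte(subject), 0), pub...)
}

// IssueCert is the key-distribution step: a root signs an advertiser's key.
func IssueCert(issuer string, rootPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) SignerCert {
	return SignerCert{subject, pub, issuer, ed25519.Sign(rootPriv, certBytes(subject, pub))}
}

// SignTag is what the advertiser does before writing the tag.
func SignTag(uri string, priv ed25519.PrivateKey, cert SignerCert) SignedTag {
	return SignedTag{uri, ed25519.Sign(priv, []byte(uri)), cert}
}

// VerifyTag is the phone-side check: the issuer must be on the phone's list of
// recognised roots, the root must have signed the signer's key, and the
// signer's key must have signed exactly the content that was read.
func VerifyTag(tag SignedTag, roots map[string]ed25519.PublicKey) error {
	rootKey, ok := roots[tag.Cert.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	// ed25519.Verify panics on a wrong-length key, so reject it first.
	if len(tag.Cert.PublicKey) != ed25519.PublicKeySize {
		return ErrBadCert
	}
	if !ed25519.Verify(rootKey, certBytes(tag.Cert.Subject, tag.Cert.PublicKey), tag.Cert.IssuerSig) {
		return ErrBadCert
	}
	if !ed25519.Verify(tag.Cert.PublicKey, []byte(tag.URI), tag.Sig) {
		return ErrBadTagSig
	}
	return nil
}

// Results holds the verdict for each constructed tag.
type Results struct{ Genuine, AlteredURI, RogueSigner, SwappedKey error }

// Scenario builds constructed sample tags (all names and URLs are made up).
func Scenario() Results {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	advPub, advPriv, _ := ed25519.GenerateKey(nil)
	roots := map[string]ed25519.PublicKey{"Example Operator Root": rootPub}
	cert := IssueCert("Example Operator Root", rootPriv, "Example Film Studio", advPub)
	good := SignTag("https://films.example/kung-fu-panda-2", advPriv, cert)

	// Tag content rewritten after signing; the signature no longer matches.
	altered := good
	altered.URI = "https://unrelated.example/premium-rate"

	// Tag signed under a self-made root that the phone does not recognise.
	_, otherRootPriv, _ := ed25519.GenerateKey(nil)
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil)
	rogue := SignTag(altered.URI, otherPriv,
		IssueCert("Unrecognised Root", otherRootPriv, "Example Film Studio", otherPub))

	// Genuine certificate reused with a different key swapped in.
	swappedCert := cert
	swappedCert.PublicKey = otherPub
	swapped := SignTag(altered.URI, otherPriv, swappedCert)

	return Results{VerifyTag(good, roots), VerifyTag(altered, roots),
		VerifyTag(rogue, roots), VerifyTag(swapped, roots)}
}

func main() {
	r := Scenario()
	fmt.Println("genuine:     ", r.Genuine)
	fmt.Println("altered URI: ", r.AlteredURI)
	fmt.Println("rogue signer:", r.RogueSigner)
	fmt.Println("swapped key: ", r.SwappedKey)
}
```

The `roots` map is the part the post says does not exist yet: someone has to decide which roots go on the phone and issue certificates to the organisations that sign tags.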

So… Not only is there no ecosystem for transactions, there’s no ecosystem for interactions either. Now you can see why the mobile operators are going to have to work so hard to stay in the NFC loop. A couple of years ago they could have started to roll out the handsets for open, interactive purposes and started many communities off on experimenting with the new technology while they developed the necessary infrastructure for both secure transactions and secure interactions, but they didn’t because they couldn’t see a business case. What’s the business case for selling public key certificates so that advertisers can digitally sign tags using their internally-generated private keys?

It’s hard to work out a conventional business case around a business that simply doesn’t exist yet, and I understand that. But I think that even three or four years ago, the consumer response to the early pilots and trials was so positive that it was clear that the technology would make the mainstream. Now that Google’s activities have served, in an odd way, to legitimise both NFC technology and the business models around it, maybe the operators should adopt a more Google-like approach to business model: start building way more cool stuff, monetise what works and then be ruthless in killing off what doesn’t.

My employer, Consult Hyperion, has provided paid professional services to some of the organisations named here in connection with products and services discussed here, but the opinions in this post are my own (I think) and presented solely in my capacity as an interested member of the general public

Why use contactless?

The results from the first couple of years of contactless payments use in the UK show that, as expected, contactless is being used as cash replacement for small transactions.

The average value of a contactless transaction is only £4.93.

[From Tap-and-go is on the move to a shop near you | Mail Online]

It’s not always used simply because of the convenience, as one commentator noted in the comments on this story:

I have switched to using the contactless payment method to purchase sandwiches at shops such as Pret A Manger and Eat mainly because I am fed up with them offloading their fake pound coins on me in their change

[From Tap-and-go is on the move to a shop near you | Mail Online]

Bizarrely, I was thinking about this the other day. I parked in Derby, which is in the Midlands, and when I returned to the car the local council wanted to charge me £11.20. In some kind of homage to Derby’s past, the machine didn’t take cards or mobile payments, so we were reduced to emptying out our pockets, rummaging in the glove compartment and searching the floor of the car for change. Fortunately, my fellows had plenty of pocket change. But when we started feeding it into the machine, four out of the ten £1 coins we had amassed were repeatedly rejected, presumably because they were fake. I’d never really thought that the avoidance of fake currency would be part of the retailer’s business case, but I need to revise my opinion!

But what is the business case? Is it just about payments? For some kinds of retailers, the convenience of contactless payments makes sense only when it is also part of some bigger model, generally involving value-added propositions such as loyalty. This was recognised by Bling Nation, when they decided to refocus on the loyalty side of things…

John Paul Coupa of Coupa Café has the system in all three of his northern California locations. “It gets used a lot,” says Coupa, “(even) more than American Express.” Coupa recently implemented the FanConnect system.

[From ContactlessNews | Contactless payment scheme enables loyalty via Facebook]

In Northern California, then, things look good. But on the other side of the country, on the apparently more conservative east coast, the results were quite different.

Other merchants have not enjoyed the same level of success. Charles Savas, president of Center Beverage in Stoneham, Mass., got rid of the system after just three months. “They were going to charge me $40 a month,” he says, “and I only had $35 in sales for the first three months.”

[From ContactlessNews | Contactless payment scheme enables loyalty via Facebook]

A mixed picture. But does any of this early experience matter? If contactless is important only as the rails for mobile to run on, then the early feedback from the contactless card deployments doesn’t really matter. It doesn’t tell us anything about the mobile future, does it?

These, and related topics, will be discussed at Contactless Cards and Mobile Payments in London on 20th and 21st June at the Kensington Hilton. I’m chairing the event on 21st and look forward to seeing you all there. And guess what? The utterly splendid people at SMi have given me a two-day delegate pass worth an astonishing ONE THOUSAND TWO HUNDRED AND NINETY NINE POUNDS to give away on this blog as a competition prize. So if you are going to be in London on those dates and you’d like to come along to learn more about the world of contactless, all you have to do is be the first person to respond to this post with the current maximum payment value for “no PIN” contactless payments in the UK.

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been designed to be carbon neutral. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Yet more about NFC and business models

There are two different classes of application for NFC in mobile phones. These are, broadly speaking, “open” applications and “closed” applications. They are, broadly speaking, about interaction in the case of open applications and transaction in the case of closed applications. Creating such applications is, broadly speaking, easy in the case of open applications and difficult in the case of closed applications.

Why? Well, it’s because the closed applications need security and the open applications don’t. Open applications are things like games and business cards and “friending”, where consumers touch phones to something (which may be another phone) in order to get or exchange some information. Closed applications are things like payments and tickets, where real money is involved (other than the service provider’s own) and the applications must be what security professionals refer to as “tamper resistant”. They must also work, all the time and every time. Working out how to do this is (I’m happy to say, since it’s a big part of Consult Hyperion’s business) difficult, complicated and interesting. It’s easy to picture how life might be with your credit card inside your mobile phone, but think what has to happen to realise that picture! How will the security keys necessary for the card application be transported across potentially insecure networks into the tamper-resistant chips (the “secure elements”, SEs) in handsets? How does the bank know that your credit card is going into your phone and not a fraudster’s? When you get a new phone, how does your card make its way from your old phone to the new one? How does the wallet application in the phone communicate with the card application in the secure element?

In the architecture developed by the transaction incumbents (by which I mean banks and telcos), the management of the closed applications is undertaken by something called a “trusted services manager”, or “TSM”, an entity that sits between the providers of closed services, such as banks and transit operators, and the mobile operators who connect to the SEs that they, in effect, own and rent out space on. This model may be disrupted, because it was founded on the assumption that the SE would be under the control of the MNO and that the TSM would have to cut a deal with the MNO to rent the SE space (what you’ll often hear telco people refer to as the “apartment model”).

In the Google play, the TSM is operated by First Data and the SE is operated by Google (it’s in the Galaxy S2 handset, not on the SIM).

So, for example, on the Catalyst Code, I read a while back.

Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card– advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

Karen is, as usual, spot on about this. But I’m not so sure about this…

What’s amazing is that Google was the first to connect all of these dots

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity propositions involving banks and operators. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out and get an NFC phone.” Banks and operators have smart people in them, and some of them have smart consultants too. But it is very difficult to make institutional strategies for non-core businesses and have them translated into practical tactics with appropriate priorities. If you were in a European mobile operator back in 2009 and you had an idea for using NFC to create a new business, where did you go with the idea? I went in to an Orange retail outlet: they are the first operator in the UK to sell a commercial NFC handset with an onboard payment application: not only did the shop not accept NFC payments (come on guys – you have to eat your own dogfood, as our transatlantic cousins are wont to say) but they don’t sell (for example) NFC tags. If you’re a smart kid and you get one of these phones, and you have an idea for using tags as tickets to a gig you and your mates are running… well, hard luck.

My employer, Consult Hyperion, has provided paid professional services to organisations named here in connection with products and services mentioned here, but the opinions in this post are my own (I think) and presented solely in my capacity as an interested member of the general public

Inception

At the end of March, we learned that there is no business case for moving to NFC at POS in the USA.

Representatives of three of the country’s largest banks, Bank of America, Citigroup and U.S. Bank, attended a meeting last month organized by the Merchant Advisory Group… to talk about the new opportunities that mobile technologies, such as NFC, will create for the payments industry.

“You know what they (banks) told us? There’s just not a business case right now,” Dodd Roberts, head of the merchant group, said last week

[From Big U.S. Banks Look for A Business Case for NFC | NFC Times – Near Field Communication and all contactless technology.]

That’s a shame, because it’s a fun technology that consumers like. Never mind. Of course, not everyone thinks that banks can’t make a go of it, and going back a couple of years we can find some positive projections.

Celent estimates that a 30% cash displacement ratio, or an incremental US$151 per card account, per year is reasonable, with an average revenue increase of US$1.83 per debit card account per year.

[From The View from the Mobile NFC Finish Line: Bank Economics in a Mature Mobile NFC Payments World]

Anyway, a month after the US banks told the Merchant Advisory Group that there was no business case, we learned that…

France-based POS device manufacturer Ingenico has confirmed that it is working with Google on the development of NFC-based services for retailers

[From Confirmed: Google developing NFC solutions for retailers • NFC World]

Was this an “Inception“-style paradox? A fault line between two sets of dreams that don’t quite connect? A glitch in the matrix that could be eliminated if we all take the bank’s blue pill? Because now someone is offering red pills…

The first NFC service launched by Google for its Nexus S phone is an enhancement to its Google Places service. Customers tap the phone against NFC tags embedded in stickers or decals that merchants affix to their storefronts to access information about the local business, including phone numbers, hours of operation, payment types, reviews and recommendations.

[From Checking in with NFC–Some Social-Networking Start-ups to Use NFC | NFC Times – Near Field Communication and all contactless technology.]

Aha! So now we can see how to resolve the paradox. There’s no business case if you only think about transaction revenues (the bank model) but there is a business case if you “ignore” payments and focus on value-added services that retailers will pay for (the Google model). This has got the mobile operators interested enough to start upping the orders.

Such Android handset makers as Samsung, HTC and likely LG and Motorola are preparing for NFC, based on keen interest or orders from mobile operators, including South Korean telcos, SK Telecom and KT; China Mobile; as well as American and European carriers, NFC Times has learned.

[From ‘Open’ Battles Break Out Among NFC Vendors Over Android | NFC Times – Near Field Communication and all contactless technology.]

But is Google’s interest enough to create the contactless rails for these mobile devices to run on, as we keep talking about? Chris Skinner made a very accurate post about this recently.

And here’s the rub: we need more terminals. Maybe they could learn something from Zapa in Ireland, where AIB Merchant Services has worked closely with them to rollout terminals that can use the tags. Half of all AIB’s merchant terminals are now Zapa ready: that’s 40,000 of their 90,000 terminals, with over 1.5 million contactless transactions in the year to September 2010. Compare that with Barclaycard, which has rolled out just 42,500 merchant terminals to date and is processing just over a million transactions by November 2010, and you can see the challenging dimensions they face.

[From BAI | Banking Strategies | Distribution Channels | Mobile | Why Mobile is Critical to Banking]

A characteristically well-informed comment from Steve Mott delves further into resolving the paradox. Perhaps payments are losing their strategic appeal for banks because they are becoming commoditised, utility businesses that just won’t generate the cash that they did in the past.

Consultant Steve Mott, CEO of BetterBuyDesign, who also attended the Merchant Advisory Group meeting, told me the U.S. banks do see the advantages of mobile to increase transactions. But mobile confronts them with an unfamiliar payments landscape at the same time they are being squeezed by regulators with the Durbin amendment,

[From Big U.S. Banks Look for A Business Case for NFC | NFC Times – Near Field Communication and all contactless technology.]

Banks aren’t stupid. They know that NFC is coming, that consumers and merchants like it, that it means disruption. But it is very difficult to change core businesses, especially at a time of great regulatory uncertainty. In the meantime, the non-payment use of NFC will lead it into the mass market. But will the new technology pull in the customers? Sam Shrauger, VP Global Product and Experience at PayPal, puts it succinctly:

People couldn’t care less which technology a hardware or software manufacturer would like to sell them. They couldn’t care less which technology merchants may or may not put in their stores. Ultimately, they just want something that makes their life better when it comes to buying and paying.

[From Why the Mobile Payment Debate Is Headed in the Wrong Direction [OPINION]]

Now, as it happens, I was chatting with Sam last month and I agree with him about many things, but I think that in this particular case he may be underestimating the impact of “tap and go” technology. The point is that tapping is so much simpler, so much quicker, so much more convenient for consumers that it will make a difference to them. People will start looking for the phones that you can tap together to become Facebook friends, or whatever, because that experience blows away bumping, or texting or QR codes or whatever.

This, I think, means a risky time for bank payments. Once people are using their non-bank wallets on mobile phones to execute retail transactions, initially using bank-provided payment schemes, it will be a small step to get them to move to non-bank payment schemes inside those wallets. Banks need more active responses to the changing environment and I hope I won’t be offending anyone to say that I know from personal experience with recent projects that banks are losing opportunities right now because they are not able to deliver products in the timescales demanded by other industries.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Bar none

When I was interviewing Christian Lunden from Nordic Choice Hotels for a podcast about their NFC pilot (using mobile phones as room keys) he mentioned in passing that some bars in Sweden have reacted against the introduction of chip and PIN by refusing to accept cards and going back to cash. This is because with chip and PIN the bar staff have to hand the POS device to the customer, the customer has to insert the card and then enter the PIN, and this all takes far too long. Under the old (ie, US) scheme, the customer would hand over their card to be swiped at POS and then the bar staff would hand back the card with a receipt for signature. I don’t understand why this was quicker, except I suppose that the bar staff could start working on the next order while waiting for the signature.

The bar owners have now started installing ATM machines (the ATM operators pay rent to the bar owners) so that drinkers can get cash. In a way, you can see that this makes sense for the bar owners. Unfortunately it doesn’t make sense for society, but since the bar owners are allowed to externalise the costs of their payment preference, why would they do any different?

Sweden has far more cash-in-transit robberies than its neighbours and suggests an alignment of the private and social costs: the cost of armed robberies, [the deputy governor of the Bank of Sweden] said, should be accounted in the cost of cash. This means that far from being free at ATMs, cash in Sweden should be expensive. He is, of course, completely correct.

[From Digital Money: The Swedish experiment]

A clear case for contactless, you might think. And this reminded me of an experiment I conducted a few weeks ago in a bar! I was trying to show that paying by contactless and paying by cash take comparable time, so off I went…

Damn that Joe DiVanna!!

Anyway, I think that my point was just about made: using EMV contactless for low value transactions works for the tough case of the bar. The problem is that the POS hasn’t been configured to take advantage of contactless: I don’t think it would be that difficult to put a couple of contactless readers on the bar itself but leave the POS back behind the bar, so that customers could tap their cards on the reader without having the POS brought over to them.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

