HCE moves on

In payments, as in so many other fields, Kazakhstan is a beacon to the nations. I notice, for example. that they have recently launched a new tap and pay service that uses host card emulation, or HCE as it is known to us afficionados.

Customers of Kazkommertsbank (KKB) in Kazakhstan can now make host card emulation (HCE) based NFC mobile payments using a new service launched in partnership with Visa.

From Kazakhstan gets HCE payments • NFC World+

An advanced nation. In fact, as I wrote a decade ago…

So here is a picture for Borat to take with him next time he visits America. It’s an EMV terminal.

From Cultural learnings of Kazakhstan for make benefit glorious nation of America

For those of you who think that HCE is old news, I have to tell that you my colleagues at Consult Hyperion have been working on wide variety of HCE products and services and not only for customers in the financial services sector, but also in retail, ticketing and other fields. The ability to conduct transactions with chip and PIN levels of security via mobile devices is useful in many different applications and more and more service providers are taking advantage of it to deliver a better service to card customers. Take a look at what American Express are doing with it now, for example, or what Barclaycard launched earlier in the year. Or, for that matter, what Barclays announced today about using their Android app to withdraw cash from their new contactless ATMs.

What’s more, of course, is that now that the industry is building expertise and obtaining feedback from a number of different operational services in different countries it is a good time to survey the landscape again and have a look at where to go next. I’m very keen to see how it will develop, especially beyond the “traditional” NFC channel. HCE over Bluetooth looks like pretty interesting avenue to explore as well! Anyway, all of this is why I was happy to accept an invitation to chair the HCE Summit in Amsterdam on 24th November and I’ll look forward to seeing you all there at the end of the week.

Barclaycard contactless mobile is up and running

I can’t remember if I told you about this cool project that Consult Hyperion has been helping out with over the last year or so. One of our very favourite clients, Barclaycard, decided to exploit the Host Card Emulation (HCE) technology in Android mobile phones and make a payment app so that customers could pay with their phones at any of the 300,000+ contactless terminals in the UK.

Barclaycard is set to become the first financial services provider in the UK to introduce contactless payments from any NFC enabled Android phone via its app

[From Mobile App Transforms Android Phones | News | Home.Barclaycard]

Well, they started rolling it out to customers, and it’s great. It’s the Barclaycard Contactless Mobile app, and it has some interesting features that you should know about.

  • While the contactless limit in the UK is £30, with the Barclaycard app you can perform transactions up to £100 by entering you card PIN on the phone.

  • The app works with Transport for London (TfL) so you can use it to ride the bus and get on the tube.

  • Customers can choose to have “PIN to Pay” on, in which case you have to enter your PIN before all retail payments, even below £30 (except at TfL gates – even with “PIN to Pay” you can just tap and ride).

It’s been designed to be very simple to use, just a single card enabled at any time (no card clash!) and just requires the screen backlight to be on to work for payment. Here’s what it looks like.

Barclaycard HCE

You can choose between your cards and select the one that you want to be active.

Barclaycard HCE

And here’s our very own Matt Barker using the app to buy an actual coffee. When you try the app, you’ll be surprised by how fast and convenient it is.

Barclaycard HCE

And just to prove it – here’s the receipt.

Barclaycard HCE

One of the features I rather like is that they have a real-time replacement service.

Barclaycard customers will be able to use the host card emulation (HCE) function being added to the bank’s app to have lost or stolen plastic cards instantly re-issued to their mobile devices

[From Barclaycard to use HCE to instantly replace lost and stolen cards • NFC World+]

So well done to all the team up at Barclaycard. It’s a great app, and it works really well, and I’m genuinely not just saying that because we helped out. I said from the beginning that HCE would make for some interesting developments. Remember this, from a couple of years ago?

Visa’s support for cloud-based payments follows the introduction of a new feature in the Android mobile operating system called Host Card Emulation (HCE); HCE allows any NFC application on an Android device to emulate a smart card, letting users wave-to-pay with their smartphones, while permitting financial institutions to host payment accounts in a secure, virtual cloud.

[From Visa to Enable Secure, Cloud-Based Mobile Payments | Business Wire]

Now, as we said about it at the time, HCE was an earthquake. It shifted the tectonic plates (the banks, the schemes, the mobile operators, the retailers in my clumsy metaphor) and created new fault lines between them. It’s not as if we were the only people that noticed. Again, from a couple of years ago.

According to Visa head of Digital Solutions for Developed Markets Sam Shrauger, the new cloud-based implementation of its payWave service will free up the NFC payments from a few specialty digital wallets, allowing any developer to embed point-of-sale payment options into their apps.

[From Visa, Mastercard just made it much easier to buy stuff with an Android phone — Tech News and Analysis]

Sam was spot on. Anyone can use HCE to add payments to apps for retailers. But as we’ve seen since that “KitKat” announcement, organisations can also use HCE to add loyalty, ticketing, travel, coupons, access control and all sorts of other fun stuff to their apps! So if you want to take your Android app and figure out how to add secure, reliable tap-and-go magic, give us a call!

The user experience will make, or break, mobile payments

Being a keen consumer of baked pastry goods, and having a firm desire to see the pieces of plastic & cardboard in my wallet transferred to my phone, you can understand my excitement when the award-winning Greggs Rewards app was released early in 2014. The app combines the processes of payment, loyalty, and rewards into a single interaction at the point of sale, with a prepaid payment account which can be automatically topped up via credit card or PayPal. In eager anticipation of a tasty lunchtime treat, I therefore ventured out of the office and off to the town centre.

My first expedition ended in disappointment. In order to perform a transaction the customer opens the app, presses the ‘spend now’ button, and receives a dynamically generated token (an eight digit number) which is to be presented to the POS in the form of a QR code. But… in order to receive the token, I had to have a network connection. Now, whilst there is a very good network connection all the way up to the front door of the store, once through the doors my phone decided to connect to “The Cloud”.  For some reason, my phone has an on-off relationship with “The Cloud” and, it appears, its relationship with this particular hotspot appears to be more ‘off’ than ‘on’.  No matter, I can turn WiFi off. But what’s this? It appears that my mobile network didn’t share my longing for a sausage roll and decided to only let the GPRS signal through the door. It turns out that GPRS, whilst a revelation 15 years ago, does not appear to offer a particularly suitable channel for today’s mobile apps. Unable to obtain a token, I resorted to my plastic card.

Armed with this knowledge, I anticipated a successful second visit. This time, not only did I press the button to obtain the token before I got anywhere near the store, but I also took a screenshot of the QR code just in case. Ready to pay, and having got past the inevitable learning curve for the checkout operator who hadn’t been shown what to do with this new scheme, I was ready to finally scan my code – except that this store didn’t have any scanners at that time. So instead, I had to enter the 8 digit number on the keypad of the card reader. Happily, once the POS had my token, everything else went smoothly. I had redeemed an offer for a free item, paid for the outstanding items, and had a coffee loyalty purchase recorded all in a single interaction.

“But hang on,” I remember thinking, “they already accept contactless cards.  And I have an NFC phone which can talk to their readers. Wouldn’t it be great if the app could do NFC?”

Well, sixteen months later, and Greggs Rewards has now quietly added support for contactless in its Android app. Full of even more excitement than last February (well, I have been waiting for two years to pay for something by NFC) I headed out.

Having informed the operator that I would be paying with my phone, I was interested to note that she enabled the terminal for ‘card’ payment and not ‘rewards’ payment. Having seen that the app requires at least Android 4.4, and so concluding that it must be using Host Card Emulation (HCE), I was hopeful that this meant that it was seamlessly integrated into the ‘normal’ payment process.

Alas, the terminal was actually expecting a payment card and so the transaction failed. The operator told me that, when I had waved my phone at her, she had automatically assumed it was a contactless payment (which, as an aside, is actually good news for this month’s Apple Pay launch.)  It turns out that trying to integrate everything into a more seamless experience means impacting the existing card payment certifications, so for now they’re stuck with having to tell the POS what type of payment it should be expecting in advance.

Using the rewards app, even over contactless, still requires the operator to press the a special “rewards” button on the POS. This she did, and the contactless reader was ready to read my phone, the barcode reader was ready to scan my QR, and the terminal was ready for me to type in the number.

Unfortunately, this was the moment my phone decided it no longer wanted to play. With me having accidentally switched apps, on re-opening the Greggs app it decided it needed to connect back ‘home’ again. Because I hadn’t disabled WiFi, I was at the mercy of my phone’s long-term “It’s Complicated” relationship with The Cloud and so unable to provide the token. After disabling the WiFi, restarting the app (which for some reason was complaining that the 4G connection my phone now had was ‘too slow’), inwardly cringing at the complaints from the lengthening queue behind, and ignoring my colleague’s offer to just hand over some cash to get us out of there, I finally performed my first real world NFC transaction and was the proud owner of a free doughnut.

So what can we take away from all this?  Firstly, the mobile app must not rely on hardware or OS services that are not absolutely critical. Reliance on network connections is understandable for e-commerce, or for refreshing the app content, but for a POS transaction the app must be able to work without one – even if it is using dynamic tokens. The card schemes have already worked this out and catered for it in their HCE specifications.

Secondly, the payment experience must be seamless. It is frustrating to be a customer trying to explain a company’s mobile offering to the checkout operator, especially when the payment terminals are adorned with collateral advertising that very scheme. “Why,” I ask wearing the hat of a less well-informed member of the public, “can the till not work out for itself what payment method is being presented to it?  I don’t know about payment certifications and the resulting workarounds; I only care that the process is more complicated than it seems it should be.”

Only those of us with an unnatural interest in mobile payments (or a hearty appetite for pasties) will put up with a poor user experience more than once.  Normal people will give up and uninstall the app if it doesn’t work flawlessly; the people waiting in the resulting queue – such as the woman behind me who observed that “this is ridiculous” are unlikely to try it even that once.

In-app and on-message in Barcelona

Dgwb blog white border

Wandering around #MWC15 in Barcelona this year I got involved in a bunch of conversations about Apple Pay, Loop, NFC and so on. But I thought that focus on the physical, in-store interface, could be diverting people away from the central strategic shift to in-app payments.

Yep, people are interested in NFC again

Dgwb blog white border

As we head back to Barcelona for Mobile World Congress again, there’s more talk about NFC and this time it’s not only coming from the operators.

In her state of the industry address at the GSMA NFC & Mobile Money Summit last fall in New York, GSMA Director General Anne Bouverot said that NFC is gaining traction globally, and it is certainly true the the number of handsets sold with NFC capabilities is steadily rising, even if most consumers neither know nor care that they have NFC. But it’s not just in phones: NFC is springing up in TVs, printers, cameras and all sorts of other consumer electronics. In our corner of the transaction treehouse, however, NFC means making contactless payments in retail environments. This hasn’t been going so well. As I said at the time, consumers can’t use NFC to ride the bus, which was my throwaway and prosaic benchmark of mass-market acceptability. But they might soon.

Madrid-based non-public bus operator Jiménez constellation is to introduce a brand new cloud-based NFC ticketing resolution that allows Nexus five NFC phones to be used as contactless ticketing readers at a “fraction of the value of ancient contactless reader infrastructures”. Ticktrack, developed by Spanish startup Aditium, uses host card emulation (HCE)…

[From Spanish bus drivers to check tickets using NFC host card emulation – NFC Business Cards]

Interesting. Something has changed. There were handsets out there. There were announcements all the time about pilots, trials and even live services. But somehow the technology was (and is, to be honest) struggling to gain traction, and every time that Apple announce a new phone without NFC there are a plethora of articles about the death of NFC. If you do have a handset with NFC in it, let’s say one of the super new Samsung S4s, you can’t use it for much interesting. I can’t log in to my bank and load my credit card onto it, for example. All I can do with the NFC on my Android phone is use it as a slightly more convenient version of a QR code. Except in Canada, where I could download my Tim Horton app and buy coffee with a tap.

Something has definitely changed. What? Well, here’s a framing of problem that I often hear. The GSMA (and others) opted for an architecture that put the mobile operators in control. And there’s nothing wrong with that. The GSMA is the mobile operators. But — and let’s be frank, to move the sector forward — the banks and operators have found it difficult to work together. I don’t want to cause trouble, especially since Consult Hyperion advises both banks and operators, but I think we have to be honest and open up the discussions that everyone knows are going on behind closed doors.

These MNOs operate a TSM service and establish the trust. Technically perfect, but this is also the problem that get things stuck. It has no technical issues, it is political. The banks just do not want the MNOs in their food chain.

[From EMV compliant NFC transaction from a mobile phone | The Abrantix Blog]

Maybe. And there is certainly evidence from the marketplace that banks will go to some lengths in order to avoid having to deal with the MNOs. This is despite countless attempts to work together. Personally, I suspect that some of this is down to the sheer hassle of it as much as it is to deep-seated strategic aversion to the Single-Wire Protocol (SWP), but it is nonetheless an observable phenomenon.

Bank of China (Hong Kong) is to introduce a microSD card based NFC payments service before the end of the year… BOC e-Wallet will initially be available for the Samsung Galaxy S4 LTE, Galaxy S III LTE, Galaxy Note II LTE, Galaxy S4, Galaxy Note II, Galaxy S III and LG Optimus G Pro smartphones.

[From Bank of China launches NFC payments in Hong Kong • NFC World]

Phones such as the S4, as noted, already have NFC. So, you might wonder, why bother putting a microSD NFC card into a phone that already has it if not to go around the MNO? This is the nub of the problem. In the complicated (but, let’s be clear, very secure) SIM-based SE model, the MNO calls the shots. And that has turned out to be a significant barrier to progress. It’s not impermeable: in some places (Canada and Australia spring to mind) where there are highly concentrated industries (ie, a small number of big banks and a couple of dominant MNOs) and a determination to work together despite thin margins there are now multiple handsets and multiple banks with functioning implementations in the market.

So what has changed? Why are the Canadian coffee chain and the Spanish bus company investing in NFC ? Well, the most interesting case study from Mobile World Congress last year was, as I have said before, BankInter in Spain. They launched what we called at the time a “NOSE” (NO Secure Element) payment service that uses tokenization to shift the risk analysis balance away from SE levels of security. The reason why this was such an interesting case study was that Bank Inter own an MNO. When you own an MNO, and still find it too much hassle to launch a SIM-based NFC payment service, that has to tell you something about the chosen model. Last year I called it an earthquake, and I stand by that.

Technically, what they did was to use a version of Android that had Host Card Emulation (HCE). At high level, this means that handset can pretend to be a payment card rather than having to have the SIM involved. When last year Google announced that HCE would become part of Android and that there would be no need to patch any more, a lot of people suddenly regained interested in the technology. The responses to this technology change have been very interesting indeed, as they seem to indicate considerable latent demand for a technology that we were being told was finished.

“With the entry of HCE we are free”

[From Spanish bus drivers to check tickets using NFC host card emulation • NFC World]

It wasn’t the technology that was the problem, it was the business model. Having previously criticised the SIM-centric model (with genuine integrity and, I think experience has shown, real cause), I stand in testament to the GSMA’s commitment to explore different views on this important topic and I am delighted to be able confirm that I will be giving part of the breakfast briefing on “HCE: NFC Threat or Opportunity” at the Mobile World Congress in Barcleona on Wednesday 26th February at 8.30am. I am genuinely looking forward to this as I personally think that there is an opportunity for mobile operators to use HCE to revitalise NFC in the mass market and, along with BLE, find new and more flexible business models that will make sense to financial services and other sectors. I expect to learn a lot from my fellow panelists and I look forward to seeing you all there.

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
Verified by MonsterInsights