We were delighted to get a lot of good feedback on Neil’s previous blog on Mondex Memories and CBDCs and its relevance to CBDCs and thought it would be interesting to respond to some of the more interesting – and difficult – points raised in a follow-up blog. Before addressing those I wanted to put the Mondex program into some historical context. They were very different days – we didn’t have an intranet until 1996, let alone internet access. There were no SDKs – although actually we did build a precursor to one of those – or APIs and the idea of remote payments was still in its infancy (although we did that too).
Every year Consult Hyperion publishes our Live 5. We try to shine a lens on the year ahead and think about what will be impacting our clients. The themes for 2021 are:
Today I want to explore the topic of micro location from the point of view of (mostly) Apple ecosystem, and how developers can leverage application programming interfaces (APIs) to build useful apps. In order to understand that, first we should visit the topic of location in general – how do devices know where they are?
Today marks the 10th anniversary of Safer Internet Day in the UK. Each year Industry, Educators, Regulators, Health & Social Care workers and Parents rally to raise awareness and put into action plans to tackle findings from significant research on the topic of trust and safety on the internet. This year one of the research pieces talks of the challenge ‘An Internet Young People Can Trust’. As a mum of two school age children, I am sat here wondering if the internet will ever be safe … for them or me.
If I think about life BC (before COVID), my eldest used social media for broadcast communications to her friends. She was guided on the appropriateness of certain apps and our acid test on the content she was posting was always ‘would you go up to a stranger in the street and give him your name, age, location and a photo of you in a bikini’ … her reaction was always ‘err, no’. My youngest had never been online apart from BBC Bitesize for homework assignments. We’re not online gamers so have never had constant nagging to go online. Additionally, you have to remember the internet (and mobile internet) has been significant in my work world since 1990 so I have a heightened understanding of the pitfalls and have seen many fall foul of their online reputation, tarnishing their in-person reputation.
At this time of year my colleague, Dave Birch, looks forward. His annual “Live Five” started as a bit of fun, but over the years has become a thought-provoking look at what might impact our industry in the coming year. If you haven’t read it yet, please follow this link.
As we come to the holiday season, we know that we will be bombarded with reviews of 2020 on television, in our newspapers and online. A conversation with some colleagues about how long they had worked in the payments industry prompted my own review when I realised that on the 8th December I clocked up 40 years in the industry. How technology has changed our lives in that time.
Recently I saw this article suggesting that 97% of mobile transactions in Asia are fraudulent. Can this really be true? I decided to investigate.
The article highlights an excellent report published by Secure-D looking into mobile ad fraud, which it appears is a largely hidden multi-billion dollar enterprise, impacting emerging markets in particular. As you might expect with an enterprise of this size it is multi-faceted and complex. Two of the ways fraudsters are making money are as follows:
- Fake clicks: The internet runs on advertising revenues obtained when a user clicks on an ad in a mobile app or on a web page. Fraudsters have numerous ways to create fake clicks that look like they’ve come from a real person, and then be paid the associated fee. One way that they do this is by deploying malicious apps to the devices of unsuspecting users, often disguised as a legitimate app offering an innocuous service like providing weather information.
- Hidden purchases: Many mobile users in emerging markets are unbanked and use their prepaid mobile airtime to purchase goods or services. Those malicious apps deployed to devices can also then siphon off funds from users without them realising it is happening. They just see their airtime running out more quickly than it otherwise might.
As I am sure many of you will remember, the thing I was most wrong about – ever – on the Tomorrow’s Transactions blog was that I was convinced that Apple would not bother with an NFC interface for the iPhone. Luckily, my blog is not a blockchain, so I could go back and delete this post if I wanted to. But I am a gentleman and a man of integrity and I cannot do sufficient violence to my conscience to rewrite history in this fundamentally misleading way. Hence my error stands as testimony to my integrity. My reasoning at the time of this broadcast error was that since “app and pay” would eventually come to dominate “tap and pay”, I thought that Apple would focus on the big picture and ignore the age-old card/POS interface. I assumed that they would use Bluetooth, wifi and mobile to link the customer and merchant and eventually dispense with the card in the middle, whether using stripes, chips or NFC. At that time, we had already built an HCE-over-BLE app for a project that we were involved in, so I knew that we could easily obtain better-than-chip-and-PIN security without having to tap anything, and I thought Apple would just ignore it: what did they care, I reasoned, if you can’t use your iPhone to ride the bus* in London?
Well, I was wrong. Apple implemented their own sort-of-NFC (they did not implement the full NFC standard) and they locked down the interface so that third-parties could not gain access. They implemented just enough to get the banks to spend gazillions on the tokenisation infrastructure that was needed to bring that better-than-chip-and-PIN security to online and mobile commerce. Well, it worked. They have created a secure and convenient payment platform. As I wrote before…
Select Apple Pay, thumbprint, done. Why isn’t all in-app purchasing like this. Come to that, why isn’t all purchasing like this. Actually, it soon will be…
This is indeed where Apple is heading, and I’m not the only one who thinks that perhaps people who were focused on the NFC interface at retail POS (and complaining that not enough retailers take it and therefore Apple Pay is a bit of a flop) were missing the bigger picture.
He says Apple Pay is appealing, but he wouldn’t switch banks just to access that one feature. “Not over that. There’s too much work involved just for tap-and-go,”
You can see the point. If you already have a contactless card that works everywhere, it’s not that exciting to be able to tap your phone instead of the card. So people don’t. They already had a perfectly good solution to the card payments problem: a contactless card (or, in my case, a contactless sticker). But the fact that it’s not exciting to tap the phone just does not matter. It’s not the play. There are reasons why I love Apple Pay (especially because I have on more than one occasion forgotten my wallet when going to the office) but when I dropped my iPhone in the toilet and was on an old phone for a couple of days, it didn’t really matter that much because of my contactless Curve card in my back pocket.
The thing is: paying with a plastic credit card isn’t really that difficult. With Apple Pay, the bigger point is that it’s also a way of paying for stuff online.
Brian Roemmele, who I always take very seriously about this kind of thing, says that it is already clear that Apple Pay in the browser will be a very big deal indeed. I already find it frustrating when I go to pay in-app and I have to enter a CVV against a card-on-file just as if it were 1996 all over again (I’m talking about you RingGo) instead of just thumbing it, so I can see that the in-app and online experience will be transformed.
In my early testing I can confirm that the checkout abandonment rate for websites that use Apple Pay Safari will be reduced significantly.
Who won’t use this? For Apple Pay, Android Pay, Samsung Pay and every other pay, #appandpay is way more important than #tapandpay and way, way more disruptive. Note also that it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware alongside the revocable EMV payment tokens…
* I use my iPhone to ride on London underground, buses and Docklands Light Railway all the time. All the time.
The Tomorrow’s Transactions Forum, that is. I arrived in good time (it’s always best to add on a few minutes to give yourself time to buy a ticket) for the 7.39 Flying Glacier to Waterloo via Misery and Degradation.
Of course, Woking station has changed a lot since this picture was taken. There’s a Flying Coffee Bean on Platform 2 now.
Hurrah! When I got into the ticket hall I discovered that they have installed machines to allow you to pick up a ticket that you have purchased online. Great. I have the excellent The Trainline app on my iPhone and it is integrated beautifully with Apple Pay. So you look up the tickets you want, hit “Pay with Apple Pay”, thumb it and away you go. When you get to the station you just thumb it again and tap your iPhone on the machine, it shows you the list of tickets you have purchased, you choose the ones you want and hey presto your tickets pop out.
Except it isn’t. The machines don’t work this way. You have to take a payment card with you and insert it into a slot and then type in a confirmation number that you were sent by e-mail. It’s actually quicker just to go to one of the other machines and buy your ticket in the usual way.
The new machine on the block.
I don’t get it. Surely the Apple Pay token used to buy the ticket can be matched to the Apple Pay token presented at the machine? You should only need to put the card in if you’ve forgotten your phone or it is out of battery (and even then they should do it by implementing PARs properly).
Surely South West Trains, when they were planning these machines a few years ago, had at least heard about mobile phones even if they hadn’t actually seen any. And surely they had noticed that something was going on with contactless technology? Perhaps one of the South West Trains’ Executive Board had overheard their servants talking about “tapping” cards to ride the bus in London and never asked what they meant? Or did they just take it to be some new lingo below stairs, a slang term for writing out a cheque?
They must just have thought that contactless was something happening to other people.
This left me wondering if other train-like options are adopting contactless. I thought I’d give it a try at Heathrow, so I downloaded the Heathrow Express app and tried a couple of times to buy a ticket to see if I could use Apple Pay, but the app asked me to scan in my credit card (presumably for some hello-1996 card-not-present transaction) then crashed, so I never got to see it in action.
So much for joined-up thinking. The whole world is moving to contactless and mobile and the most up-to-date technology on the newest machines installed (I see they got rid of the machine for connecting by video link to customer service) is the decade-old chip and PIN reader. Come on.
OK, so sometimes there’s a bit of a queue.
Why can’t we buy our tickets on our phones while riding the bus on the way and then just tap and collect when we get to the station?
The only improvement in the ticket purchasing experience at Woking station since it opened on 21st May 1838 — you still stand in line, they still take cash, they still give paper tickets — is that you no longer have to fill out a “reason to travel” form, and I wouldn’t put it past Theresa May to have these re-introduced in time for the next election.
Well, the circus came to town again. Barcelona. It’s 100,000 people and non-stop meetings and basically no fun whatsoever. But it’s in Barcelona. The calendar is jammed from first thing in the morning until the evening, and then it’s out for dinner and drinks with customers and suppliers. Man, that Catalan pasta was delicious. It’s absolutely exhausting. My feet are killing me by coffee time and I’m not in heels. Loved that lemon beer though, never had that before. The communist traitors down the metro are on strike so we have to queue for buses. It’s lovely and sunny here. Eight halls! Still, let’s take a deep breath and get on with it.
I’ve been interested in mobile payments for 20 years. A decade ago, Consult Hyperion was lucky enough to be chosen by Vodafone to carry out the feasibility study on M-PESA. I can remember seeing the first Nokia with a contactless chip (Mastercard) embedded in it and being blown away by the convenience. I am the archetype for the stereotype in mobile futurists’ presentations, the person who often leaves the house with a phone but no wallet. Last year at MWC I gave a presentation about the impending shift to in-app payments. So, you can imagine how downhearted I was to see this vista before me on arriving in the host city.
Yep. Twenty years of mobile payments, twenty years of presentations about mobile payments at MWC, twenty years of pilots and trials and tests and MoUs, twenty years of arguing about SIM vs. embedded vs. SE, twenty years of closed-loop and open-loop and three-party and four-party, and there’s a queue a mile long for the ATM because you can’t use your phone to buy a metro ticket or ride the bus into town. Where did it all go wrong?
Why aren’t there mobile payments everywhere? In a sane world, as we landed in Barcelona our phones would automatically fire up a Barcelona app that we could use to pay for the trains and taxis, restaurants and hotels. How long would it take for your bank to issue a four day, Barcelona merchant-only token to the handset? Five seconds? Why can’t I pay in-app for my hotel? Karen Webster wrote about this too.
…when it comes to commerce and payments, well, we’re still very much making our way to first base. And that’s more than two decades after the launch of the commercial Internet and nearly a decade after the introduction of the iPhone…
Karen points to the role of the carriers as a fundamental problem, and she is certainly right to note that their attempts to be toll collectors for the superhighway have been a boat anchor on progress in mobile commerce just as it will be for IoT commerce, but I wonder if there’s something more fundamental going on. What if the attempts to shoehorn the existing infrastructure (of PANs and acquirers and networks and schemes and issuers and authorisation and all the rest of it) are themselves responsible for the drag? What if we should have started again? What if we should have just said that the mobile phone gives us a mechanism to establish (and verify) the identity of everyone and once you know who the counterparts are, payments are easy? What if we should have started with mobile ID instead of taking a 60+ year old way of doing a payment?
I was lucky enough to be asked to chair the MWC conference session on “Digital Identity for Connected Societies”. During this discussion, it became very clear to me (and, I hope, the rest of the audience) that we already have all of the building blocks that we need to create a strong identity infrastructure based on the mobile phone. If we take that architecture as a given, then what “payments layer” should be put on top of it? You know where my sympathies lie: in the “push to push”. Karen correctly, in my opinion, talks about the reshaping of retailing.
Mobile and online – together — is creatively destroying the retail model that’s been in place for millennia – a model that used to rely only on consumers and merchants coming together face-to-face to do business.
Why do we think that we can reshape retail without reshaping payments? Here’s just one example: why do you give card details to the merchant? It makes no sense: it’s because you used to hand your card to merchants in shops. Surely it would make more sense to send the _invoice_ to the bank, have the bank pay it and send back the _paid invoice_ to the merchant. Why should the merchant ever see your card, tokenised or otherwise? Since merchants are installing BLE anyway, why not just transmit the invoice over BLE to your phone and have your phone send it to the bank for payment? I’m just giving a random example, but you see my point.
Here’s what’s gone wrong: we took amazing new technologies (smart cards, mobile phones, biometrics) and used them to emulate some cardboard hack from 1949. Time to scrub off the whiteboard and start again. I make this vow here and now: if you cannot use your phone to pay the airport bus in Barcelona at Mobile World Congress 2017, then I will never go again.
I can’t remember if I told you about this cool project that Consult Hyperion has been helping out with over the last year or so. One of our very favourite clients, Barclaycard, decided to exploit the Host Card Emulation (HCE) technology in Android mobile phones and make a payment app so that customers could pay with their phones at any of the 300,000+ contactless terminals in the UK.
Barclaycard is set to become the first financial services provider in the UK to introduce contactless payments from any NFC enabled Android phone via its app
Well, they started rolling it out to customers, and it’s great. It’s the Barclaycard Contactless Mobile app, and it has some interesting features that you should know about.
While the contactless limit in the UK is £30, with the Barclaycard app you can perform transactions up to £100 by entering your card PIN on the phone.
The app works with Transport for London (TfL) so you can use it to ride the bus and get on the tube.
Customers can choose to have “PIN to Pay” on, in which case you have to enter your PIN before all retail payments, even below £30 (except at TfL gates – even with “PIN to Pay” you can just tap and ride).
It’s been designed to be very simple to use, just a single card enabled at any time (no card clash!) and just requires the screen backlight to be on to work for payment. Here’s what it looks like.
You can choose between your cards and select the one that you want to be active.
And here’s our very own Matt Barker using the app to buy an actual coffee. When you try the app, you’ll be surprised by how fast and convenient it is.
And just to prove it – here’s the receipt.
One of the features I rather like is that they have a real-time replacement service.
Barclaycard customers will be able to use the host card emulation (HCE) function being added to the bank’s app to have lost or stolen plastic cards instantly re-issued to their mobile devices
So well done to all the team up at Barclaycard. It’s a great app, and it works really well, and I’m genuinely not just saying that because we helped out. I said from the beginning that HCE would make for some interesting developments. Remember this, from a couple of years ago?
Visa’s support for cloud-based payments follows the introduction of a new feature in the Android mobile operating system called Host Card Emulation (HCE); HCE allows any NFC application on an Android device to emulate a smart card, letting users wave-to-pay with their smartphones, while permitting financial institutions to host payment accounts in a secure, virtual cloud.
Now, as we said about it at the time, HCE was an earthquake. It shifted the tectonic plates (the banks, the schemes, the mobile operators, the retailers in my clumsy metaphor) and created new fault lines between them. It’s not as if we were the only people that noticed. Again, from a couple of years ago.
According to Visa head of Digital Solutions for Developed Markets Sam Shrauger, the new cloud-based implementation of its payWave service will free up the NFC payments from a few specialty digital wallets, allowing any developer to embed point-of-sale payment options into their apps.
Sam was spot on. Anyone can use HCE to add payments to apps for retailers. But as we’ve seen since that “KitKat” announcement, organisations can also use HCE to add loyalty, ticketing, travel, coupons, access control and all sorts of other fun stuff to their apps! So if you want to take your Android app and figure out how to add secure, reliable tap-and-go magic, give us a call!