Deep in the mists of time (that is to say, the early-1990s), I led the team from Consult Hyperion responsible for Mondex specification, design and development. For those not familiar with paleo-payments, it was one of a clutch of (contact) smart card based electronic cash systems, none of which survived beyond, let’s say, early adolescence. There were two main reasons for their demise, one technological and one business. The concept was ahead of the capabilities of the underlying technology. Transactions took about the same amount of time as cash plus change, which wasn’t a compelling reason for anyone to leave their wallet behind. The promoters of the schemes (retail banks and payment brands) did not target particular niches where there may have been a business case (I always thought car parking might work) but instead blanketed retail outlets in particular cities or small countries. So, mostly unused devices were put under the counter, and people forgot about the schemes after an initial blaze of publicity.
I was delighted to be asked to present a keynote at the FIDO Authenticate Summit and chose to focus on digital identity governance, which is something of a hot topic at the moment. Little did I know that the day before my session was recorded the European Commission would propose a monumental change to eIDAS, the Europe Union’s digital identity framework – one of the main examples I was planning to refer to. I hastily skimmed the proposed new regulation before the recording but have since had the time to take a more detailed look.
I had assumed that the world had got bored with talking about mobile wallets by now, but that certainly wasn’t the case in London last week, where I had the great fun of chairing a couple of discussion panels on the topic and found new perspectives on the likely marketplace trajectory.
I’ve got Seasonal Affected Disorder (SAD). I get this every season when I try to buy something using my mobile phone.
The most important thing in digital wallets will be identity, not money. If you’re sick of listening to me about this, listen to @Jack.
Eric Schmidt’s very bullish comments about near-field communication (NFC) technology in the US retail market have got people talking about business models again.
Eric Schmidt, Google’s executive chairman, believes that a third of check-out terminals in retail stores and restaurants will be upgraded to allow wireless “tap and pay” from mobile phones within the next year.
These follow a series of statements by Google executives that, whether they are true or not, seem to have legitimised the technology in the eyes of a broad range of businesses.
She added that there is a ton of activity around NFC in international markets, giving the example of a successful trial of the technology that Starbucks ran in London.
I’ve never heard of this Starbucks NFC trial, so if anyone can point me in the right direction I’d really like to read up on it. But that’s beside the point. The point is that lots of people are now taking NFC seriously in the retail space and the mobile operators are developing NFC strategies. But what business model will there be for them? And what options do they have?
The question will then be how operators manage to regain relevance for their role in NFC transactions (which will come later, if at all), when the first trillion NFC interactions will have bypassed them.
You can see the problem that he is alluding to, but it may not be immediately obvious why it is such a problem specifically for operators. Look at the issue from a slightly different perspective, one that stems from security. I would argue that there are two different classes of application for NFC in mobile phones. These are, broadly speaking, “open” applications and “closed” applications. They are, broadly speaking, about interaction in the case of open applications and transaction in the case of closed applications. Creating such applications is, broadly speaking, easy to create in the case of open applications and difficult in the case of closed applications.
Why? Well, it’s because the closed applications need security and the open applications don’t. Open applications are things like games and business cards and “friending”, where consumers touch phones to something (which may be another phone) in order to get or exchange some information. These are what Dean means by “interactions”. Closed applications are things like payments and tickets, where real money is involved (other than the service providers own) and the applications must be what security professionals refer to as “tamper resistant”. They must also work, all the time and every time. These are what Dean means by “transactions”.
Working out how to do implement secure electronic transactions is (I’m happy to say, since it’s a big part of Consult Hyperion‘s business) difficult, complicated and interesting. It’s easy to picture how life might be with your credit card inside your mobile phone, but think what has to happen to realise that picture! How will the security keys necessary for the card application be transported across potentially insecure networks into the tamper-resistant chips (the “secure elements”, SEs) in handsets? How does the bank know that your credit card is going in to your phone and not a fraudsters? When you get a new phone, how does your card make its way from your old phone to the new one? How does the wallet application in the phone communicate with the card application in the secure element?
In the architecture developed by the transaction incumbents (by which I mean banks and telcos), the management of the closed applications is undertaken by something called a “trusted services manager”, or “TSM”, an entity that stis between the providers of closed services, such as banks and transit operators, and the mobile operators who connect to the SEs that they, in effect, own and rent out space on. This model may be disrupted, because it was founded on the assumption that the SE would be under the control of the MNO and that the TSM would have to cut a deal with the MNO to rent the SE space (what you’ll often here telco people refer to as the “apartment model”).
In the Google play, the TSM is operated by First Data and the SE is operated by Google (it’s in the Nexus handset, not on the SIM). The operator has no control over the SE and can extract no “rent” for its use. I notice that in the Nilson report (#972, page 7) it says that the Nexus S is the only smartphone in the US market with an SE not controlled by the mobile operators: it might have said that it’s the only smartphone in the US with an SE, full stop. The operators (in the form of Isis) are not yet in the marketplace. Why are Google being so active then? Well, on the Catalyst Code I read a while back.
Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card– advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.
Karen is, as usual, spot on about this. But I’m not so sure about this…
What’s amazing is that Google was the first to connect all of these dots
This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity propositions involving banks and operators and from these experiences have developed (I think) a reasonably accurate map. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out an get an NFC phone.”
So how come banks and operators didn’t connect the dots, then? Banks and operators have smart people in them, and some of them have smart consultants too. But it is very difficult to make institutional strategies for non-core businesses and have them translated into a practical tactics with appropriate priorities. If you were in a European mobile operator back in 2009 and you had an idea for using NFC to create a new business, where did you go with the idea? I went in to an Orange retail outlet: they are the first operator in the UK to sell a commercial NFC handset with an onboard payment application: not only did the shop not accept NFC payments but they didn’t sell any NFC tchotchkes, such as blank NFC tags. If you’re a smart kid and you get one of these phones, and you have an idea for using tags as tickets for a gig you and your mates are running… well, hard luck. This is problematic, because we need lots of people to be experimenting, developing and playing with the new interface to create the new, open applications.
In April, Nokia’s vice president for industry collaborations, Mark Selby, speaking at the WIMA NFC conference in Monaco, contended that NFC applications not securely stored on SIM cards, embedded chips or other secure elements will account for two-thirds of the revenue that NFC technology will generate through 2013.
I hope Mark won’t mind me mentioning that we discussed this over dinner a couple of weeks ago and, while I agreed with him about the market, I bored him at length with my moaning about the slow development of the ecosystem. Where are the Nokia NFC tags for kids to buy? Where are the NFC USB sticks to connect laptops and phones?
But, looking forward, there’s another issue here. This classification of open/interactive vs. closed/transactional NFC uses is too simplistic, because as the technology spreads in the mainstream, interactions will need to be secure too. When I tap my phone against an advert at the bus stop, I want to find out more about “Kung-Fu Panda 2” and not get directed to a porn site, a reverse-charge premium rate phone call to Honduras or send a text message to someone who wants to sell my mobile number to commercial organisations. I want my phone to check the digital signature on the tag and make sure that it is valid, and that it is signed by an organisation recognised by UK phone operators, or banks, or the government, or whoever. But signing the tags (which is part of the NFC standards, but no-one uses at the moment) means that someone has to distribute keys, and certificates and all that stuff. None of this exists right now, but in the future it will have to.
So… Not only is there no ecosystem for transactions, there’s no ecosystem for interactions either. Now you can see why the mobile operators are going to have to work so hard to stay in the NFC loop. A couple of years ago they could have started to roll out the handsets for open, interactive purposes and started many communities off on experimenting with the new technology while they developed the necessary infrastructure for both secure transactions and secure interactions, but they didn’t because they couldn’t see a business case. What’s the business case for selling public key certificates so that advertisers can digitally sign tags using their internally-generated private keys?
It’s hard to work out a conventional business case around a business that simply doesn’t exist yet, and I understand that. But I think that even three or four years ago, the consumer response to the early pilots and trials was so positive that it was clear that the technology would make the mainstream. Now that Google’s activities have served, in an odd way, to legitimise both NFC technology and the business models around it, maybe the operators should adopt a more Google-like approach to business model: start building way more cool stuff, monetise what works and then be ruthless in killing off what doesn’t.
My employer, Consult Hyperion, has provided paid professional services to some of the organisations named here in connection with products and services discussed here, but the opinions in this post are my own (I think) and presented solely in my capacity as an interested member of the general public
I happened to be leafing through my (signed) copy of “Services for UMTS” by Forum friend Tomi Ahonen and his colleague Joe Barrett. In section 7.10, writing a decade ago, they say that “becoming a trusted partner money community should therefore be a strategic priority for the mobile service networks”. This was an obvious strategy then, and many people thought that mobiles would become wallets, and many people thought that transactional opportunities would drive the mobile operators to develop a central role in the future of payments. What’s more, many people (well, me) thought that the role of the mobile in the future of payments would be so disruptive as to have an impact not just on those payments but on the future of money. Having just seen the most recent figures from M-PESA in Kenya — which show 4.33m net additions in the last financial year and 28,000 agents — this prediction seems accurate. But in the developed world, progress has been slow, because of the need to negotiate a path with existing stakeholders and incumbent players. Nevertheless, there have been a couple of key developments in the past week or so.
Orange last week unveiled its Quick Tap service, while rival O2 says it is lining up for a major launch in the autumn. Meanwhile, Google this week launched Google Wallet for Android phones which might soon make the traditional wallet stuffed with cards, notes and coins a thing of the past.
In the UK, Orange and Barclaycard put the first NFC handset with SWP and SIM-based SE EMV payment application on sale. And to prove it works, here I am using it to pay for my son’s haircut!
In the US, the news has centred on Google since Isis’ announcement that their wallet would be open to Visa and MasterCard applications as well, and the Google announcement of their wallet running on just one handset has caused intense interest and comment. Setting aside the wallet play, and just looking at the payment application, a very significant aspect of the Google announcement (at least to people like me) was the location of the application.
Moreover, no mobile operator is believed to be directly involved in the project to put a Citi-issued PayPass application on the Nexus S.
This sharpens the focus of the operators, I think. They’ve been slow to get NFC out into the market and spent a couple of years developing the operator-centric model. If other people are going to put out NFC with secure elements that are not under operator control, then that operator-centric model may not support a business model. In which case, what can the operators do to stay in the payment loop. Well, one way, that I have written about before several times, is (in Europe at least) to find ways to make payments part of the “smart pipe” proposition and stop depending on third-parties (eg, banks) with expensive infrastructure.
French-headquartered IT services group Atos Origin has formed a joint venture with the country’s three MNOs, Orange, SFR and Bouygues Telecom, to develop an internet payment platform to take on PayPal, Google and Apple,
As I’ve been pointing out for some time, the natural way to proceed is to use the PSD to obtain a PI licence, and perhaps obtain an ELMI licence as well. This is exactly what the French operators have chosen to do, and I absolutely predict that as soon as they get the licence they will join one of the international schemes so that they can issue “cards”.
The new company will apply with the central bank to become a registered payment service provider and aims to launch commercially before the summer.
Now, this would give the operators something to offer RIM, Google and Apple other than the raw bits and a secure element that they don’t want.
Our sources say there is a lot of internal debate at Google about its payment strategy, with some folks wanting to appease the carriers and have them become the payment options. Others disagree and are insistent that Google develop its own payment system – and rightfully so.
You can see why people think like this. The existing mass market payment schemes were never designed for the online world and the mobile operators (aside from the odd exception that proves the rule, like M-PESA) have been slow to seize the opportunity. Therefore, the argument goes, why wouldn’t Google just do something themselves and stuff everyone else. Well, yes and no: running payment systems isn’t quite as easy as it seems, and I genuinely think that if the operators develop new mobile-centric solutions then they can provide real competition to both the existing systems, the legacy infrastructure and the startups. In the long view, the operators can still succeed.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]