NFC MOBILE PAYMENTS: AN INDUSTRY SNAPSHOT

Mobey Forum's HCE workgroup
May 26, 2015
Mobey Forum, www.mobeyforum.org
Chairs:
- Zaf Kazmi, CaixaBank
- Kristian Sorensen, Nets

Contributors:
- Sverker Akselsson, Nordea
- Mamoun Alhomssey, Abu Dhabi Islamic Bank
- Angel Alonso, BBVA
- Bent Bentsen, DNB Bank
- Mario Brkic, Erste Bank
- Jonathan Bye, RBS
- Michel-Ange Camhi, Worldline
- Özge Çelik, BKM
- George Charalambous, HSBC
- Bhaskar Chaudhary, Mahindra Comviva
- Pablo Chepalich, BellID
- Shanley Coman, Bank of Ireland
- Patrick DiFerdinando, Inside Secure
- Nicholas Dinh, MasterCard
- Eduardo Galvao, Sibs
- Yuri Grin, Intervale
- Jordi Guaus, CaixaBank
- Michael Hoffmann, Danske Bank
- Hans Ilstad, Evry
- Nitin Jain, Mahindra Comviva
- Henrik Karlsson, Ericsson
- Jonathan Kidd, Bank of Ireland
- Douglas Kinloch, Inside Secure
- Thor Ragnar Klevstuen, Evry
- Bastien Latge, Inside Secure
- Teresa Mesquita, Sibs
- Neal Michie, Helixion
- Susanne Molkentin-Lacuve, Oberthur
- Ciara Myers, Allied Irish Bank
- Srinivas Nidugondi, Mahindra Comviva
- Sirpa Nordlund, Mobey Forum
- Tom Pawelkiewicz, Scotiabank
- Ciara Rohan, Allied Irish Bank
- Philippe Roy, Danske Bank
- Luis Saiz, BBVA
- Ben Smith, American Express
- Neil Smith, Proxama
- Ville Sointu, Ericsson
- Rajasekaran Soruban, Mahindra Comviva
- Philippe Stahel, UBS
- Mirko Theodoloz, Accarda
- Julien Traisnel, Oberthur
- Tapio Vailahti, Giesecke & Devrient
- Martin Wimmer, Erste Bank
- Jukka Yliuntinen, Giesecke & Devrient
- Andre Zoelch, PostFinance

Copyright 2015 Mobey Forum www.mobeyforum.com mobeyforum@mobeyforum.org 1 / 16
Contents

NFC is here. Welcome to the jungle. ... 4
Dusk or dawn for the Secure Element in NFC services? ... 4
Living together: the challenge of securely managing multiple NFC services ... 5
The future of third parties ... 7
Establishing comprehensive market reach ... 9
Devices supported ... 11
Analysing the business models ... 12
A tough call: which horse to back? ... 13
Microsoft Pay? Rumours abound ... 14
Conclusions ... 15
NFC is here. Welcome to the jungle.

After years of hype and uncertainty, NFC is finally here. Countries in which plastic card use is the norm have witnessed a recent explosion in the mobile payments ecosystem. The emergence of Apple Pay, Samsung Pay and HCE all indicate that, this time, it's here to stay.

The real credit for revolutionizing the mobile payments arena would have to go to Google's Host Card Emulation (HCE) support announcement at the end of 2013. This was when mobile payments really cut loose. The success of Apple Pay was backed by the payments industry to boost contactless technology and, as a result, Apple has successfully created a desire for mobile contactless payments amongst consumers.

Although the emergence of new mobile payment methods is good news for the industry and for end users, the explosion in available options can cause a serious headache for financial institutions when deciding which of these payment solutions to implement. In this paper, Mobey Forum has attempted to produce a one-stop guide to assist our banking industry colleagues to better understand and compare the various payment options currently available. No solution has emerged from this analysis as a clear winner; indeed, it may be that in some cases more than one payment option is a suitable fit.

This paper will assess and compare the impact of the Secure Element, the role of third parties, current acceptance status, the devices supported and the business models available for each of the options. It is important to emphasize that this report is not a comprehensive analysis of the mobile payment options available. Rather, it is a guide intended to aid comparison between the major solutions available at the time of publication: the SIM/UICC-based solution, Apple Pay, Samsung Pay, HCE and Google Wallet.

Dusk or dawn for the Secure Element in NFC services?

HCE technology has not completely taken away the need for the physical embodiment of NFC security: the secure element (SE).
The secure storage of payment credentials remains essential, and despite the availability of solutions that enable tokens to be stored in the handset's memory, some of the most popular payment schemes continue to use the SE, in one form or another, often in a hybrid model that uses both HCE and the SE.

Discussions relating to the SE model frequently raise the same dilemma: who owns the physical SE? After all, the ownership of the SE helps to determine which stakeholder has control over the resultant payment service.
In the SIM/UICC-based model, the mobile network operator (MNO) is usually the owner of the SE, since the SE resides on the UICC. This gives the MNO considerable control over the business conditions, together with the prevailing wallet solution, allowing them to set constraints on the design, branding and other elements of the wallet.

In Apple Pay, the SE is embedded in the handset (commonly referred to as an eSE) and controlled by the handset manufacturer. This model gives Apple complete control over the service.

If industry speculation turns out to be accurate, in Samsung Pay Europe the SE will also be embedded in the handset. The recently announced Samsung Pay US service is based on both magnetic stripe technology and EMV contactless payment technology. If a terminal doesn't have NFC contactless capability, it will leverage what Samsung calls a Magnetic Secure Transmission (MST) transaction (a term inherited from Samsung's acquisition of LoopPay), which emulates a swipe transaction made via the magstripe reader on the terminal, offering an additional alternative way to execute a contactless transaction. From an acceptance perspective, this model provides a much broader array of active terminals for the Samsung S6 and Samsung Pay to utilise for the service. Apple Pay, on the other hand, requires contactless-enabled terminals for its tap-and-pay functionality to be performed.

Living together: the challenge of securely managing multiple NFC services

The viability of multiple NFC service applets residing on the same SE remains a key sticking point in discussions relating to NFC service deployment. The main benefit is that several stakeholders need only one SE to manage all of their secure credentials, thus emulating the characteristics of a physical wallet containing plastic payment cards. Both the SIM/UICC-based solution and the Apple Pay eSE model allow for multiple applets in the same SE.
We know that, in the case of the Apple Pay implementation in the United States at least, different payment schemes have their own stakes in the solution, in the sense that they each perform the role of Token Service Provider (TSP). For its European launch, on the other hand, it is unclear whether the payment schemes will continue to play the role of a TSP, or whether the local payment processors (now turning digital) may also wish to provide TSP services.

For HCE solutions, the multiple-applet question is slightly different. Understanding that difference is key to understanding how an HCE solution can support the coexistence of multiple credentials or accounts on a single handset. With an SE, there is a separation between the sensitive and non-sensitive parts. The sensitive parts (the account credentials and the computation required to make the payment) are located in the NFC service applet on the SE, while the non-sensitive user interface is implemented as a standard mobile application. With HCE, on the other hand, the application selection mechanism is handled jointly by the OS and the mobile applications. This gives the developer a great deal of control and can easily support multiple accounts (of one type or many types, payment or non-payment).
With HCE, therefore, the key question is not "can multiple applets coexist?" but "can multiple apps coexist?". Contactless payment specifications define an addressing system for the credentials. This allows multiple payment credentials to be active and the Point of Sale (POS) terminal to select the credential appropriate to the payment service being used. The Android operating system (together with other HCE-enabled devices) supports this addressing system and so, provided the HCE applications follow the rules, multiple applications can indeed coexist.

The challenge lies in communicating to the POS terminal which of the NFC service credentials the device user wants to use, thus avoiding payment being taken from the wrong card. That means providing the POS with a prioritised list of credentials (at present this is most often a list of one, but it is anticipated that this list will grow as multiple NFC payment services are utilised by the device user). This list will be provided by the default (or master) application. Android gives the user control over which application is the default through the phone's settings menu. This, however, can cause friction in the end-user experience if the user regularly switches between several HCE-enabled payment applications; in some instances, using a secondary payment app can prevent the OS from defaulting to the user's primary app.

The challenge is compounded if the user wishes to have active credentials from multiple applications. In this circumstance, the applications need to communicate with each other in order to present a combined, prioritised list of available credentials to the POS terminal. With the SE / eSE models, the SE owner can take responsibility for managing this. For HCE solutions, however, there are no known mechanisms available to manage this process.
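The addressing and prioritisation mechanism described above can be made concrete with a small simulation. The following is an added example, not code from the Mobey Forum paper or from any of the services it discusses. It models a default (master) HCE app that answers the terminal's directory request on behalf of every installed payment app with one combined, prioritised credential list, then routes the terminal's choice to the app that owns that credential. The directory format is modelled on the EMV contactless PPSE (the terminal selects the DF name "2PAY.SYS.DDF01" and receives a list of AIDs, each with an application priority indicator); the AIDs, labels and app names are constructed demo values, and the real Android routing API is not used.

```python
"""Added example: combined, prioritised credential list for multiple HCE apps.
PPSE directory layout modelled on EMV contactless; AIDs/labels/app names are
constructed demo values, not registered scheme identifiers."""

PPSE_AID = b"2PAY.SYS.DDF01"   # DF name the terminal selects to discover credentials


def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV element (1- or 2-byte tag, short/long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return tag + length + value


def parse_tlv(data: bytes):
    """Return [(tag, value), ...] for the TLV elements at the top level of data."""
    out, i = [], 0
    while i < len(data):
        j = i + 1
        if data[i] & 0x1F == 0x1F:          # multi-byte tag such as BF 0C
            while data[j] & 0x80:
                j += 1
            j += 1
        tag = data[i:j]
        first, j = data[j], j + 1
        if first < 0x80:
            n = first
        else:
            k = first & 0x7F
            n = int.from_bytes(data[j:j + k], "big")
            j += k
        out.append((tag, data[j:j + n]))
        i = j + n
    return out


def build_ppse_fci(entries):
    """entries: [(aid, label, priority)] with priority 1 = highest. Returns the
    FCI the handset answers to SELECT PPSE: 6F / 84 DF name / A5 / BF0C / 61..."""
    directory = b"".join(
        tlv(b"\x61", tlv(b"\x4F", aid)
                     + tlv(b"\x50", label.encode("ascii"))
                     + tlv(b"\x87", bytes([prio])))
        for aid, label, prio in entries)
    return tlv(b"\x6F", tlv(b"\x84", PPSE_AID)
                        + tlv(b"\xA5", tlv(b"\xBF\x0C", directory)))


def parse_ppse_fci(fci: bytes):
    """Terminal side: recover (aid, label, priority) entries, highest priority first."""
    template = dict(parse_tlv(fci))[b"\x6F"]
    proprietary = dict(parse_tlv(template))[b"\xA5"]
    directory = dict(parse_tlv(proprietary))[b"\xBF\x0C"]
    entries = []
    for tag, entry in parse_tlv(directory):
        if tag == b"\x61":
            f = dict(parse_tlv(entry))
            entries.append((f[b"\x4F"], f[b"\x50"].decode("ascii"), f[b"\x87"][0] & 0x0F))
    return sorted(entries, key=lambda e: e[2])


class HceApp:
    """One HCE-enabled payment app and the credentials it can present."""
    def __init__(self, name, credentials):
        self.name, self.credentials = name, credentials   # [(aid, label, priority)]


class DefaultPaymentApp:
    """The user's default (master) app: answers SELECT PPSE for all installed apps
    and routes SELECT AID to the owning app. Building the routing table up front
    also surfaces the failure mode of two apps claiming the same AID."""
    def __init__(self, apps):
        self.apps, self.routing = apps, {}
        for app in apps:
            for aid, _, _ in app.credentials:
                owner = self.routing.setdefault(aid, app)
                if owner is not app:
                    raise ValueError(f"AID {aid.hex()} claimed by {owner.name} and {app.name}")

    def combined_directory(self):
        """The merged, prioritised list: every app's credentials, sorted by priority."""
        return sorted((c for app in self.apps for c in app.credentials), key=lambda c: c[2])

    def on_select(self, aid: bytes):
        """Handle a SELECT from the terminal; returns (payload, status word)."""
        if aid == PPSE_AID:
            return build_ppse_fci(self.combined_directory()), "9000"
        app = self.routing.get(aid)
        if app is None:
            return b"", "6A82"                      # file not found: no app owns this AID
        return app.name.encode("ascii"), "9000"     # stand-in for that app's own FCI


def terminal_pick_aid(fci: bytes, supported_aids):
    """Terminal walks the directory in priority order and takes the first AID it accepts."""
    for aid, _, _ in parse_ppse_fci(fci):
        if aid in supported_aids:
            return aid
    return None


def run_tap(handset: DefaultPaymentApp, supported_aids):
    """Whole exchange: SELECT PPSE, choose an AID, SELECT it. Returns the serving app's name."""
    fci, _ = handset.on_select(PPSE_AID)
    aid = terminal_pick_aid(fci, supported_aids)
    if aid is None:
        return None
    payload, sw = handset.on_select(aid)
    return payload.decode("ascii") if sw == "9000" else None


# Constructed demo values; an 'F' category RID is proprietary, not a registered scheme AID.
AID_A = bytes.fromhex("F0000000010101")
AID_B = bytes.fromhex("F0000000020101")
BANK_A = HceApp("BankA-Wallet", [(AID_A, "Bank A Debit", 1)])
BANK_B = HceApp("BankB-Wallet", [(AID_B, "Bank B Credit", 2)])

if __name__ == "__main__":
    handset = DefaultPaymentApp([BANK_A, BANK_B])
    print(run_tap(handset, {AID_A, AID_B}))   # Bank A wins on priority
    print(run_tap(handset, {AID_B}))          # terminal only accepts Bank B's AID
```

Two points the simulation makes visible: the terminal, not the handset, makes the final choice, so the only lever the default app has is the order of the directory; and an AID claimed by two apps is an ambiguity the routing layer must refuse at registration time rather than resolve at tap time.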
In the (anticipated) case of Samsung Pay, how the multi-applet scenario will be managed remains unclear as, at the time of publication, the European model is not yet available for public scrutiny.

Figure 1, below, summarises Mobey Forum's analysis of the prevailing NFC models and major services, relative to SE ownership, stakeholder control, applet co-existence and tokenisation.

A number of generations of Google Wallet have existed since the solution launched to market. [1] Mobey Forum expects a new version to launch following the Softcard merger. This paper references the Google Wallet version with HCE interface enablement.

[1] Google Wallet's (GW) rough version history:
GW 1.0: Launch: eSE with First Data + MasterCard + Sprint + Citibank (Nexus S only, US only).
GW 2.0: Enhanced version: eSE + Bancorp virtual MC + MasterCard. Worked on Nexus and jailbroken devices and with any US-issued payment card.
GW 3.0: With HCE: otherwise the same as 2.0 but without eSE; worked on any MNO and theoretically on any 4.4+ Android device. NFC/HCE with US-issued cards only. This paper's references to GW are to GW 3.0, unless otherwise mentioned.
GW 4.0: Future version with Softcard implementations?
Figure 1: NFC models and major services, relative to SE ownership, stakeholder control, applet coexistence and tokenisation

The future of third parties

The various service deployment models are not the only aspect of the NFC payments landscape to have diversified since the introduction of HCE. The role of the trusted service manager (TSM) has also become more varied and has since been accompanied by a new actor in the service chain: the token service provider (TSP).

It has become clear that the existing or former TSMs and other third parties may also become the managers of HCE solutions on behalf of issuers. In the HCE environment, such issuers are not limited to banks; they can comprise a wide variety of NFC payment service providers. In some cases, where existing TSMs have expertise in tokens and application security and have the links to the bank's back end, TSMs may also play the part of the TSP. This would make them a one-stop shop for issuers, regardless of which technology the issuer decides to utilise. In other cases TSMs and TSPs may be used independently of one another.
Trusted Service Managers

In the SIM/UICC-based solution the TSM's role is vital in safeguarding access to the SE. In the Apple Pay service in the US, although not officially TSMs, the payment schemes have assumed this role. Samsung is working with LoopPay, who will empower some of the functionalities specific to magnetic stripe technology. In Europe, where EMV is both mature and widespread, Mobey Forum expects Samsung to trial a different approach, allowing banks to have their existing TSM connect with it directly. This point of difference may well give Samsung an edge over Apple Pay in the race to market.

Tokenization Providers

In the SIM/UICC-based model, a tokenization service is in development, and is anticipated to become available in the near future. Mobey Forum believes that the most likely arrangement will be to make use of a one-time device PAN (that sits inside the SIM/UICC) with the help of a tokenization service hosted by the provider of the overall NFC wallet solution. In this case, the token could be used to store the key, or alternative security data, that will enable the service to securely connect to the cloud.

In the Apple Pay service in the US, the payment schemes are the TSPs. It is possible that Europe may mirror this model; however, local payment processors may also seek to become TSPs in a bid to further their revenues and influence in the service chain. What's more, Samsung may well be more flexible than Apple has been to date, which may, in turn, push Apple to allow this too. At this point, however, such overtures are no more than speculation.

When it comes to an HCE-based solution, the TSP role remains completely open; it may be the payment processor, the schemes or the NFC wallet provider. It may also be built and managed in-house, as has been demonstrated by Bankinter in Spain.
Alternatively, there may be no TSP at all; a bank may decide to dedicate a BIN or a BIN range to HCE-based mobile payments and use alternate PANs that behave like standard cards across the whole network.

Figure 2, below, summarises Mobey Forum's assessment of the current state of third-party roles relative to NFC deployment models and services:
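The "dedicated BIN range, no external TSP" option just described is easy to underestimate, because the alternate PAN must be a well-formed card number that the acquiring network will carry unchanged, while the issuer host must still recognise it as a device token and apply tighter checks than it would to plastic. The following is an added example, not code from the paper or from any bank it mentions: a minimal in-house token vault that issues Luhn-valid alternate PANs in a reserved BIN, binds each to one handset and one channel, and swaps it for the funding PAN at authorisation. The BIN, the funding PAN and the device identifiers are constructed placeholders.

```python
"""Added example: issuer-side token vault for a dedicated HCE BIN range.
BIN, PANs and device ids are constructed placeholders, not real card data."""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn test on a complete PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps alternate PANs in a reserved BIN to funding PANs, with device and
    channel binding so a token lifted from one handset is useless elsewhere."""
    def __init__(self, token_bin: str, pan_length: int = 16):
        self.token_bin, self.pan_length = token_bin, pan_length
        self._records = {}    # token PAN -> {funding_pan, device_id, domain, active}

    def issue(self, funding_pan: str, device_id: str, domain: str = "NFC_POS") -> str:
        """Provision a device token; the random body reveals nothing about the PAN."""
        if not luhn_valid(funding_pan):
            raise ValueError("funding PAN fails Luhn check")
        body_len = self.pan_length - len(self.token_bin) - 1
        while True:
            partial = self.token_bin + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
            token = partial + luhn_check_digit(partial)
            if token not in self._records:
                break
        self._records[token] = {"funding_pan": funding_pan, "device_id": device_id,
                                "domain": domain, "active": True}
        return token

    def suspend(self, token: str) -> None:
        """Lost or stolen handset: kill the token; the funding card keeps working."""
        if token in self._records:
            self._records[token]["active"] = False

    def is_token(self, pan: str) -> bool:
        """Routing rule: anything in the reserved BIN of the right length is a token."""
        return pan.startswith(self.token_bin) and len(pan) == self.pan_length

    def detokenize(self, token: str, device_id: str, domain: str):
        """Funding PAN only if the token is live and presented from its bound device and channel."""
        rec = self._records.get(token)
        if rec is None or not rec["active"]:
            return None
        if rec["device_id"] != device_id or rec["domain"] != domain:
            return None
        return rec["funding_pan"]


def authorise(vault: TokenVault, pan: str, device_id: str, domain: str):
    """Issuer host entry point: token PANs are swapped for the funding PAN, plastic
    card PANs pass straight through. Returns (funding_pan_or_None, reason)."""
    if not luhn_valid(pan):
        return None, "INVALID_PAN"
    if not vault.is_token(pan):
        return pan, "PLASTIC_CARD"
    funding = vault.detokenize(pan, device_id, domain)
    return (funding, "TOKEN_OK") if funding else (None, "TOKEN_REJECTED")


# Constructed demo data: placeholder BIN reserved for HCE tokens, constructed funding PAN.
TOKEN_BIN = "999900"
FUNDING_PAN = "453957876362148" + luhn_check_digit("453957876362148")

if __name__ == "__main__":
    vault = TokenVault(TOKEN_BIN)
    token = vault.issue(FUNDING_PAN, device_id="handset-001")
    print(token, authorise(vault, token, "handset-001", "NFC_POS"))
    print(authorise(vault, token, "handset-002", "NFC_POS"))   # wrong device: rejected
```

The design choice worth noting is that the network never needs to know a token from a card: every check that distinguishes the two (BIN range, device binding, channel domain, suspension) lives on the issuer host, which is exactly why this option needs no external TSP but also why the bank carries the whole token lifecycle itself.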
Figure 2: The current state of third-party roles relative to NFC deployment models and services

Establishing comprehensive market reach

It is vital for any bank weighing its options for NFC service deployment to also think beyond the prevailing deployment technologies; critical consideration must also be given to market reach.

Here, the SIM/UICC-based solution was the first model to become available. At first glance, since all smartphones contain a SIM which could potentially be leveraged for NFC, the market reach seems to be better than with alternative models. But when examined more closely, this conclusion holds less weight: not all SIM cards are NFC-capable. Also, to successfully engage this model, the bank in question must establish commercial agreements with all the MNOs that operate in the desired service zone, and integrate its services with each MNO's unique mobile infrastructure, if it wishes to deliver its service to all customers.

In the case of Apple Pay in the US, over 700 banks are already part of the initiative which, despite its infancy, reflects the readiness of American financial institutions to accept its solution. The recent Apple Watch also promises to expand this breadth of acceptance, since users of an iPhone 5 (an older generation of iPhone which doesn't support Apple Pay) are reported to be able to use the solution via the watch.
Samsung Pay was only announced for the US market at the Mobile World Congress (MWC) 2015. Currently no official date has been communicated for a European launch. It is likely that the service will only be available for Samsung S6 and newer devices, so establishing a broad and active user base will take time. It stands to reason that Samsung would follow Apple's strategy and launch via several banks simultaneously, on the expectation that other banks would then follow. At the time of publication, however, this observation remains nothing more than speculation.

The potential market reach for an HCE solution depends entirely on the bank in question. Timing here is a crucial factor; an early mover should be able to drive wider and greater acceptance. This observation is borne out by the impressive customer usage results of banks which already have HCE-NFC payment solutions live, ranging from Spain to Poland to Australia to Canada. It is also possible to deploy an HCE solution to any handset that supports NFC and Android KitKat (or later), unless the issuing MNO has disabled the functionality.

It is also important to emphasize that a variety of factors can impact adoption rates, in addition to speed to market. The customer experience and demonstrable security are also vital in this regard.

The POS acceptance infrastructure can remain the same for most (if not all) solutions, apart from Samsung Pay in the US, which will only work on non-EMV terminals. In order to comply with all the ongoing mobile payment options, the POS terminals must be set up according to the latest POS specifications.

Figure 3, below, summarises Mobey Forum's assessment of NFC deployment models and services relative to market reach and POS acceptance:

Figure 3: An assessment of NFC deployment models and services relative to market reach and POS acceptance
Devices supported

It is safe to state that the SIM/UICC-based solution has limitations when it comes to the devices the model can support. To achieve comprehensive national reach to a bank's customer base, the bank needs to establish commercial agreements with all the major MNOs in the market, each of which has its own list of supported devices. In addition, the SIM cards must be UICC cards supporting NFC payment capabilities, which requires the customer to change the SIM. This has proven to be one of the biggest challenges for wider take-off.

Unfortunately, other deployment models have challenges, too. HCE is available on Android version 4.4 and later. [2] Even then, payments can only be enabled if the device is equipped with an internal NFC antenna. Samsung Pay will only be available on its S6 device or later models, and Apple Pay only on the iPhone 6 and beyond. The Apple Watch will also enable iPhone 5 devices to execute Apple Pay NFC payments, although the required authentication method will be different, as the device does not feature Apple's Touch ID. For the Google Wallet service, users need an Android device running 2.3 or higher.

Figure 4, below, illustrates the device requirements for each of the NFC deployment models and services:

Figure 4: Device requirements by NFC deployment model and service

[2] As of May 4 this year, Android 4.4 or newer accounts for 50% of activated Android phones.
Analysing the business models

Negotiating a business model with MNOs complicates the SIM/UICC-based business model. In addition to the MNOs, the bank has to come to an agreement with the TSM. In some instances there is more than one TSM, which adds further complication.

Unfortunately, however, the options are neither better nor worse for banks engaging with Apple Pay: the bank must establish an agreement with Apple, together with the payment schemes, or the local payment processor, to take care of the required tokenization. The same situation applies to Samsung Pay.

In the HCE-based model, although there is no SE owner, there are a host of different complexities to grapple with. Either the bank has to pay a solution provider to deploy the HCE solution, or it must build the solution in-house, which requires time, skills and significant investment. Winning here will depend on the bank's strategy and which model it chooses to get involved in.

In terms of customer experience, the SIM/UICC payment part can provide a very good user interface. The different MNOs involved may all require different wallets and different branding, which can lead to a situation where the customer experience for a single bank's service differs between MNOs. Regarding Apple Pay in the US, the bank has little control over the payment experience, but some control over the user interface, mainly in terms of branding. Mobey Forum expects this situation to be similar when Apple brings its solution to Europe. There are also expectations that the forthcoming Samsung Pay European service will offer more flexibility, but nothing has been announced to qualify this speculation. Google Wallet doesn't allow the bank any control over the user interface, either. Meanwhile, the HCE-based solution does allow banks to create and control their own wallet, branding and marketing, thus enabling a consistent user experience for all customers.
When a bank decides which solution to choose, it is good to realise that there may be costs involved other than direct monetary costs, for example the ownership of data. It is important to consider that there are different levels of data, regulated in different ways in various countries: transaction data, product-level data and metadata related to the transaction. By agreeing to Apple Pay, the bank agrees to share a fair amount of information: it is not just about payments, but also about other types of data. Apple emphasizes that it will not use the transaction data, but no one says whether it might use, for example, the time and place of the transaction.

Figure 5, below, summarises Mobey Forum's analysis relative to the business models presented by each of the NFC deployment models and services.
Figure 5: Analysis of business models presented by each of the NFC deployment models and services

A tough call: which horse to back?

In a bid to summarize its analysis of the current payment options available, Mobey Forum has devised a model that separates the current payment solutions into three groups, based on which stakeholder has the primary control over the payment solution. These have been labelled MNO-Pay, OEM-Pay and Bank-Pay (see Figure 6, below).

MNO-Pay refers to the SIM/UICC-based payment model. OEM-Pay represents the models where the handset manufacturer or the operating system provider controls the payment service. Bank-Pay refers to any technology, such as HCE, which gives banks ultimate control over the service, including the branding and the ability to combine the payment service with other financial services, such as mobile banking or person-to-person payments.
Figure 6: Who has the control? Payment services and models grouped by stakeholder ownership

Microsoft Pay? Rumours abound

As the Mobey Forum HCE Workgroup finalised this paper, speculation on the next major global player to enter the mobile payments market began. Rumour has it that the Windows 10 OS will support HCE. Considered alongside the recent establishment of Microsoft Payments Inc., it seems likely that Microsoft is preparing for an imminent entry into the mobile payments industry. Which route Microsoft will take remains to be seen, but given the company's control over both hardware and its mobile OS, the computing veteran is in a strong position to compete with Apple and Samsung, potentially establishing itself as an even more powerful omni-channel support platform provider. Extending the speculation even further, it is possible that Microsoft may also opt for a more collaborative model in a bid to unify competing solutions on its own platform. Mobey Forum will follow the developments closely.
Conclusions

Given the momentum now evident in the global NFC market, it seems hardly possible that only 18 months have passed since the death of NFC was still being debated. The entire ecosystem has changed in a very short space of time. These changes have brought options to the market, making it possible for banks to choose the way they want to proceed.

There is now no question over whether it is time for banks to establish their position in the game: the race is on for the attention and loyalty of their customers, and some of the most powerful and wealthy organisations in the world are now in the ring. This is not only true in mobile payments, but also in mobile commerce and other value-added services, especially those specific to financial institutions. To defend their ground and stay on top, banks need to be loyal to their own customer base rather than to Apple or Samsung, and be guided by an objective to offer the best service possible. If they remain true to these values and actively demonstrate them in the mobile solutions they bring to market, Mobey Forum believes that their customers will respond accordingly, with their loyalty. Needless to say, tech-savvy customers will soon be demanding that their banks cater for new ways of making mobile payments, whether Apple Pay, Samsung Pay or any of the upcoming "Pay" services.

In the mobile world, delivering the best possible service not only relates to the range and relevance of the core services themselves; it is also inextricably linked to the bank's ability to deliver an optimal customer experience. How intuitive, convenient and secure their NFC solutions are will be key determinants here.
So too will be the bank's management of the customer data that is generated by the solutions it launches; discretion and confidentiality are mainstays of the banking industry, and careful consideration of what is and isn't acceptable to share with third parties must be given before partner trade-offs are agreed.

Ultimately, as predicted in Mobey Forum's first mobile wallet whitepaper published in 2011, providing payments alone will not be sufficient to drive mass-market adoption of mobile wallets. But with the payments scenarios almost in place, with NFC as the clear winner, Mobey Forum expects an imminent boom in next-generation mobile wallets over the next years as the competition between players (current and new) increases.

At the end of the day, it is for each bank and financial institution to draw its own conclusions and formulate its own strategy. It is essential to ensure that decisions are made based on independent information rather than being confused by the noise of vested interests in the market. What is certain is that the NFC marketplace is now here to stay and is rich with options and different routes to success.