Agile Apple Pay – P2P Is Coming

Before Agile methodology surfaced, the waterfall methodology was used for software development: after requirements were collected, the software was designed, developed, tested, deployed and maintained. This process could take a long time if the project had a large scope. Sometimes the product was not delivered on time, or it was delivered but did not meet the needs of the customer.

An example would be the Softcard mobile wallet (formerly named ISIS), a joint venture between AT&T, T-Mobile and Verizon with billions in investments. Since its launch in November 2013, consumers didn’t adopt the product. It was finally shut down in 2015 after Google purchased some of its IP. The technology (Near Field Communication) has great potential; yet most consumers didn’t even know their mobile phones were NFC enabled.

Agile, a very different approach, works at a sustainable pace to develop minimal software with minimal functionality and a shorter development cycle. With responsibilities shared between the product owner, scrum master and development team, each development cycle delivers a working release.

Using mobile payment as an example, I think Apple Pay was implemented with an Agile approach. The whole NFC world was waiting for an NFC wallet to be delivered on iPhone 5s and 5c (released in 2013), and it didn’t happen. Instead, iPhone 5s enabled Touch ID, a fingerprint authentication mechanism. Not until the iPhone 6 release in 2014 did NFC payment come through, with Apple Pay using Touch ID to provide a “single touch to pay” user experience. This year, Apple Watch enables Apple Pay for iPhone 5, 5s and 5c.

It might not be fair to compare Softcard and Apple Pay development, since Apple owns its devices and can pace its software and hardware features in a more integrated approach, while the telecoms didn’t have this ability.

Now, what is next for Apple Pay? Apple was just granted a patent for peer-to-peer (P2P) mobile payment today. The patent states that NFC and Bluetooth can be used for one device to send a payment to another device securely and at no cost. This is another effort to enable quick communication between devices in order to move into the world of IoT (Internet of Things).

So shall we conclude that Apple Pay is an Agile product? Love to hear your thoughts.


Three Reasons You Don’t Want an Apple Watch

After a long-anticipated wait and a two-week pre-order launch, Apple Watch was finally released on April 29th. I walked into an Apple store yesterday and was excited to see all of the Apple Watches on display. They were beautiful! See all models here.

After trying on a basic Apple Watch Sport, I was told that there were no watches available for purchase in store. Ordering an Apple Watch Sport ($349) might take weeks.

The most interesting feature to me was Apple Pay, powered by NFC (Near Field Communication). A rep was nice enough to show me the steps to set it up:

  • Enable Bluetooth setting on my iPhone6.
  • Click on the Apple Watch app icon on my iPhone6 and see the pairing screen as the picture shown below.
  • Click on “Start Pairing” box.
  • Hold Apple Watch up to the Camera and align it with the viewfinder as the picture shown below.
  • When pairing is complete, you can use Apple Watch to perform Apple Pay.
  • You have to have your iPhone with you.

There are three reasons you don’t want an Apple Watch:

1. You have a Windows phone or an Android phone. Since Apple Watch only pairs with an iPhone, you can’t use your phone with it.

2. You have an iPhone 4 or iPhone 4s. Since Apple Watch only pairs with iPhone 6/6+/5/5c/5s, your iPhone is too old.

3. You only want a watch. Without carrying your iPhone, your Apple Watch won’t work.

It’s a bit odd to me to invent a wearable that depends on the existence of your mobile phone. However, when pairing with Apple Watch, iPhones 5/5c/5s obtain Apple Pay functionality. This significant feature has not been discussed much. NFC chips are embedded in iPhone 6 and iPhone 6+, enabling in-app Apple Pay functionality in those phones, a feature not available on previously released models. If Apple Watch starts to be adopted, the addition of NFC functionality to iPhone 5/5c/5s would help mobile payment (Apple Pay) take off.

If you wear a watch and carry an iPhone now, you might really like the convenience that Apple Watch provides; such as receiving messages/calls, checking maps and mobile payment, etc. If you are like me, always pulling out my iPhone to check the time, Apple Watch could make a great Mother’s day gift… even if it does come a bit belated.

About the Author:

Hsuan-hua Chang has over 20 years of experience in wireless technology, holding many corporate positions ranging from software engineer, technical architect to product marketing manager. She is the author of “Everyday NFC Second Edition: Near Field Communication Explained”

NFC Mobile Payment options: HCE vs SE

Since Google made Host Card Emulation (HCE) available for its mobile payment in order to bypass telecoms’ control, the debate between HCE and Secure Element (SE) has continued.

A webinar, “Evaluating NFC security strategies: The role of the secure element in the evolving landscape”, was hosted by NFC World on January 20, 2015.

A few highlights of the webinar are as follows:

  • The NFC adoption rate is increasing rapidly based on the stats of NFC SIM shipped; 16M shipped in 2011, 30M in 2012, and 72M in 2013.
  • Geographic stats show the demand in different regions. In 2013, 37M was shipped to Japan/Korea, 24M to North America and 14M to Europe.
  • The pros and cons analysis of HCE and SE technology.
  • A SIMalliance recommended deployment model based on security and market reach, application and technology requirements.
  • A case study on Canada’s success as the #1 mobile payment country in the world. Some stats are as follows: all of Canada’s major MNOs now offer SE-based NFC payment capability to their customers; 2/3 of the phones are Android and BlackBerry; 5 of Canada’s “Big Six” financial institutions do the same; over 84% of major retail merchants have contactless EMV terminals.

SIMalliance anticipates a future where SE and HCE will continue to co-exist and in many cases converge. This will be the basis of an optimally efficient and secure NFC ecosystem.

To watch the free seminar, click the link.


Using Apple Pay the First Time

On 10/20/2014, Apple Pay, Apple’s mobile wallet, became available on iPhone 6 and 6+. I couldn’t wait to give it a try.

To use Apple Pay, an iPhone user needs to do two things:

  • Add a credit card / debit card into the Passbook
  • Download iOS 8.1

Apple Pay is integrated into the Passbook through iOS 8.1; there is no need to download an app. When you add your card to Passbook, a unique Device Account Number (DAN) is assigned to it. The DAN is encrypted and stored in the Secure Element (SE), a dedicated chip in the iPhone. The DAN is used in the payment process instead of your actual card number.

When you are ready to use Apple Pay:

  1. Place your finger on Touch ID

  2. Point your iPhone6 at the contactless reader

NFC (Near Field Communication) enables this contactless payment. The Device Account Number, along with a transaction-specific dynamic security code, is used to process the payment. Your actual card number is not shared by Apple with merchants or transmitted during the payment. Apple doesn’t store any of the details of the transaction. This security protects the consumer.
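The effect of paying with a Device Account Number plus a transaction-specific code can be sketched as follows. This is an added example, not part of the original post and not Apple's or any card network's algorithm: the HMAC-based code, the class names and the sample card number are all assumptions chosen to show that the merchant never receives the card number and that a captured transaction cannot be replayed or altered.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Network/issuer side: the only place the real card number is kept."""

    def __init__(self):
        self.vault = {}  # DAN -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        # Constructed DAN format: 16 random digits, unrelated to the card number.
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self.vault[dan] = {"pan": pan, "key": key, "last_counter": 0}
        return dan, key  # delivered to the phone's Secure Element

    def authorize(self, txn):
        entry = self.vault.get(txn["dan"])
        if entry is None or txn["counter"] <= entry["last_counter"]:
            return False  # unknown token, or a replayed/stale counter
        expected = dynamic_code(entry["key"], txn)
        if not hmac.compare_digest(expected, txn["code"]):
            return False  # amount, merchant or counter was altered
        entry["last_counter"] = txn["counter"]
        return True


def dynamic_code(key, txn):
    """Transaction-specific code: HMAC over the fields the code must bind."""
    msg = "|".join(str(txn[f]) for f in ("dan", "counter", "amount", "merchant"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:16]


class SecureElement:
    """Device side: holds the DAN and key, never the real card number."""

    def __init__(self, dan, key):
        self.dan, self.key, self.counter = dan, key, 0

    def pay(self, amount, merchant):
        self.counter += 1
        txn = {"dan": self.dan, "counter": self.counter,
               "amount": amount, "merchant": merchant}
        txn["code"] = dynamic_code(self.key, txn)
        return txn  # this is everything the merchant terminal receives


def demo():
    pan = "4111111111111111"  # constructed test card number
    service = TokenService()
    se = SecureElement(*service.provision(pan))
    txn = se.pay(1299, "grocery-001")
    tampered = dict(se.pay(500, "grocery-001"), amount=50000)
    return {
        "pan_exposed": pan in txn.values(),
        "first": service.authorize(txn),
        "replay": service.authorize(txn),
        "tampered": service.authorize(tampered),
    }


if __name__ == "__main__":
    print(demo())
```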

The steps I took to use Apple Pay were as follows:

  • Downloaded iOS 8.1 by going to Settings, General, Software Update.

  • Configured my iPhone 6 as instructed after downloading was completed.

  • Clicked on the Passbook app.

  • Clicked on the + sign on the top right corner to add my business VISA from Alaska Airlines.

  • Used the camera to read my card and typed in the expiration date & security code. iPhone 6 showed “Verifying Card” for a few seconds and returned “Your Issuer Doesn’t Not Yet Offer Support for This Card”.

  • Added my American Express Card successfully and saw the recent purchase history at Costco since September. That surprised me.

  • Added my personal VISA from Alaska Airlines successfully.

  • Went to Whole Foods and used Apple Pay for my purchase. Since Touch ID had trouble reading my fingerprint, the passcode screen was displayed, which enabled me to enter my passcode.

  • Apparently VISA from Alaska Airlines is my default card. The purchase history at Whole Foods is accessible from the phone (see attached picture) and Bank of America also sent me a notification of the purchase.

  • Removed my American Express from the Passbook and was sent a notification that read: “Your Default Card Has Been Changed to ‘BofA Visa Credit’”. That is a minor bug since BofA Visa was my default card, wasn’t it?

In general, Apple Pay is easy to use. I think NFC will be promoted through Apple Pay’s good user experience and tapping will become a habit soon. Job well done, Apple!


ISIS Mobile Wallet / Google Wallet / iPhone Mobile Payment

Yesterday when I was checking out at the Whole Foods Market, I was delightfully surprised by their new NFC-enabled reader. At the top of the screen, it said “Swipe/Tap Your Card/Phone”. According to the excited cashier, I was the first one using my phone to pay.

ISIS Mobile Wallet has been available since November 2013. Jamba Juice was chosen as the main promotion partner; a free drink for payment made with ISIS. Jamba Juice was committed to give away one million drinks. For a while, I was having Jamba Juice every day. What a treat!

James D. White, chairman, president and CEO of Jamba Inc., in a company press release, said “Facilitating 1 million transactions through the mobile wallet over the last seven months confirms that the era mobile commerce has arrived. I am proud that Jamba has been able to serve as a leader in the space”.

I appreciate their leadership for this emerging technology.

There are many discussions about Apple’s potential mobile payment and the possibility of an NFC-enabled iPhone 6. I think it might be helpful to describe two approaches to implement an NFC mobile payment. If you want more technical information, please check out the details in this Android page.

I. SIM based Secure Element (SE):

In order to be able to use ISIS mobile payment, you need to get an ISIS SIM card from your service provider. The SIM card includes a Secure Element (SE) that contains your credentials.

When an NFC Reader is tapped by an NFC device, the NFC Controller routes traffic to the SE for authentication.

This approach is very secure because it is difficult to hack the SIM card.

II. Host Card Emulation (HCE):

When you use Google Wallet, you don’t need a specific mobile payment SIM. Google Wallet uses HCE.

The NFC card is emulated using HCE. When an NFC Reader is tapped by a device, the data is routed to the host CPU. This approach uses the credentials that are stored in a remote server for authentication.

HCE is considered to be a threat to the SIM-based SE and is adopted in various NFC secure applications.
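The routing decision that separates the two approaches can be modelled in a few lines. This is an added example, not code from the original post or from Android: it parses the ISO 7816-4 SELECT command a reader sends and looks the application identifier (AID) up in a routing table, with a default route for unregistered AIDs. The class and function names, the routing table contents and the loyalty AID are assumptions.

```python
SELECT_BY_AID = bytes([0x00, 0xA4, 0x04])  # CLA, INS=SELECT, P1=select by name

# VISA and MASTERCARD are well-known public AIDs; LOYALTY is a constructed
# proprietary AID. Where each one is routed below is constructed as well.
VISA = bytes.fromhex("A0000000031010")
MASTERCARD = bytes.fromhex("A0000000041010")
LOYALTY = bytes.fromhex("F0010203040506")


def select_apdu(aid):
    """Build the SELECT command a contactless reader sends first."""
    return SELECT_BY_AID + bytes([0x00, len(aid)]) + aid + b"\x00"


def parse_select_aid(apdu):
    """Extract the AID from an ISO 7816-4 SELECT-by-name command."""
    if len(apdu) < 5 or apdu[:3] != SELECT_BY_AID:
        raise ValueError("not a SELECT-by-AID command")
    lc = apdu[4]
    aid = apdu[5:5 + lc]
    # AIDs are 5 to 16 bytes; at most one trailing Le byte may follow.
    if not 5 <= lc <= 16 or len(aid) != lc or len(apdu) > 5 + lc + 1:
        raise ValueError("malformed SELECT command")
    return aid


class NfcController:
    """Routes each selected AID to the Secure Element or the host CPU."""

    def __init__(self, routes, default_route):
        self.routes = dict(routes)          # AID bytes -> "SE" or "HOST"
        self.default_route = default_route  # used for unregistered AIDs

    def route(self, apdu):
        return self.routes.get(parse_select_aid(apdu), self.default_route)


def compare_defaults():
    """Same registrations, two default routes: only unregistered AIDs differ."""
    table = {VISA: "SE", LOYALTY: "HOST"}
    host_default = NfcController(table, default_route="HOST")
    se_default = NfcController(table, default_route="SE")
    unregistered = select_apdu(MASTERCARD)
    return {
        "visa": host_default.route(select_apdu(VISA)),
        "loyalty": host_default.route(select_apdu(LOYALTY)),
        "unregistered_host_default": host_default.route(unregistered),
        "unregistered_se_default": se_default.route(unregistered),
    }


if __name__ == "__main__":
    print(compare_defaults())
```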

Now the question is, “When iPhone adopts NFC, which mobile payment approach will it choose?”

Source of pictures: https://developer.android.com/guide/topics/connectivity/nfc/hce.html

Using a Smartphone to Replace Passwords

Yesterday (7/14/2014), the WSJ posted an article “The Password Is Finally Dying, Here’s Mine”. Mr. Christopher Mims revealed his Twitter account’s password to his readers to make the point that the “password is dying”. He wrote “Google is working on an as yet unnamed protocol that allows you to connect to your online accounts on any device by authenticating yourself with your smartphone.” He explained that using device-based authentication was more secure than using a password.

Using a smartphone for digital authentication is also a mechanism that is built into mobile wallets; for example, ISIS Wallet uses a Near Field Communication (NFC) SIM-based solution and Google Wallet uses an NFC Host Card Emulation (HCE) solution. So whatever Google is working on probably is also an NFC-based solution.

In June, AT&T introduced NFC Connect, which enables customers to use digital credentials on their mobile device. The system is being piloted at Tulane University in New Orleans and Quinnipiac University in Connecticut. Students use a Samsung Galaxy S III, an Android smartphone, and an NFC SIM to access buildings, meal purchases, laundry, copying and printing. This system requires a Trusted System Manager (TSM) to provision a user’s digital credential into the SIM Secure Element (SE) over the air when one signs up for the service.

It is likely that Google’s digital credential solution is not a SIM-based solution, based on its development of Google Wallet. The cost for users could be lower since a provisioning TSM is not required. That’s my speculation.

On another note, at the AWS Summit NY last week (7/10/2014), Amazon announced Amazon Cognito, one of the new Amazon Mobile Services, as a fully managed user identity and data synchronization service. The goal of the service is to help users securely manage and synchronize app data across their mobile devices. It looks like the mobile market is Amazon’s next move.

It will be interesting to watch the development of digital authentication with smart devices. What are your thoughts on this topic?

iPhone6, NFC and ISIS

On June 23, 2014, Barron’s posted an article about iPhone 6 after an Asia trip. It mentioned “Following supply-chain conversations, we are increasingly confident that the iPhone 6 will support near field communications (NFC) radios supplied by NXP. This is consistent with our prior view of NFC in the iPhone 6 given the deployment of mobile NFC-enabled VeriFone terminals in Apple stores, the China UnionPay agreement, Apple payment patents and NXP’s mobile-payment licensing agreement. Additionally, we believe Apple will deploy an NFC radio without the secure element in the iPhone 6. While some investors may be disappointed by an NFC-only solution, we view this as a positive and incremental revenue opportunity for NXP. We anticipate an iPhone 6 NFC win to represent a significant catalyst for NXP.”

If NFC is integrated into iPhone 6, it will be disruptive to the mobile payment ecosystem. Currently, Google Wallet and ISIS Wallet are leading the mobile payment market in the United States. Google uses Host Card Emulation (HCE) and ISIS uses SIM-based Secure Element (SE) for authentication.

Google has tried SIM-based SE approach for Google Wallet. That approach didn’t work since telecoms blocked the Google Wallet app. That’s why Google Wallet adopts the HCE approach that doesn’t have a dependency on telecoms.

ISIS Wallet was released in 2014. It’s a product sponsored by AT&T, Verizon and T-Mobile. ISIS runs on NFC-enabled Android phones, and on iPhones when an external NFC case is attached. ISIS Wallet uses SIM-based SE for authentication to provide ultimate security. ISIS Wallet has encountered adoption problems since it was released. Two main reasons were: 1. Consumers were not familiar with the NFC technology and didn’t know they were carrying an NFC-enabled phone; 2. iPhone doesn’t have NFC capability and iPhone users had to buy and carry an external case in order to use ISIS Wallet.

If iPhone 6 is NFC-enabled, it will help promote NFC applications including mobile payment. iPhone might not use SIM-based SE for its mobile wallet solution, to eliminate the dependency on telecoms. And that does not stop telecoms from offering the ISIS solution with it. The reason is that ISIS Wallet is an app that requires an ISIS-enabled SIM to operate, and telecoms own the SIM cards. The ultimate choice might be up to the consumers, and the mobile payment market will start emerging.

I can’t wait to see an NFC-enabled iPhone and the mobile payment market evolution. The Money Event will be hosted at CTIA on September 9 to 11 in Las Vegas. That’s a good place to be if you are interested in mobile payments.

HCE is Here to Stay

SIMalliance published a whitepaper last month entitled “Secure Element Deployment & Host Card Emulation”. It stated that, “SIMalliance contends that while HCE is good for the NFC ecosystem as a whole, the technology remains immature, unstandardized and, relative to SE-based deployment, vulnerable to malicious attack.”

In general, an evaluation becomes meaningful when context for it is set. I am glad to see the white paper set the following context: “Given HCE’s current and anticipated limitations, SIMalliance considered HCE to be best utilised in use cases where stringent security requirements, optimal transaction speeds and always-available functionality are not mandatory.”

Secure Element (SE) is a more mature and established technology supported by standards groups (ETSI, 3GPP, GlobalPlatform and Java Card). Not only does it provide more security for NFC services, but it also has an established certification process. At the same time, SEs embedded in SIM cards are controlled by the telecoms, and SEs embedded in devices are controlled by device manufacturers. They are not open to developers to use freely. Therefore SIMalliance recommends that, “MNOs should request OEMs to implement default NFC routing to the SE”.

So the questions are how many NFC apps need to have stringent security requirements, and how fast telecoms and device manufacturers can implement default NFC routing to the SE. Telecoms and device manufacturers want to make a profit by controlling SE access. That’s why Google is using HCE to implement Google Wallet thereby bypassing the control. I think HCE is here to stay until all stakeholders decide to work together in allowing NFC technology to develop to its full potential.

NFC HCE and Payment Trends

On April 17th, David Marcus, President at PayPal said, “I’ve been looking at three technologies that might truly change the retail experience as we know it.”

One of the technologies David is looking at is NFC HCE (Host Card Emulation). It is an alternative way of using SE (Secure Element) to implement security mechanisms for NFC technology. In my previous blog, I explained why Google has chosen HCE. David Marcus said, “I’m moving from being a massive skeptic of NFC, to being cautiously optimistic on NFC HCE take-up in very specific shopping use cases.”

He envisions two scenarios that would popularize NFC. One is the credit card EMV movement, which would lead to more NFC-enabled terminals at points of sale, and the other is Visa embracing the HCE approach.

I understand David’s point coming from the payment industry leader he is. At the same time, I believe that NFC will take off regardless of payment trends. From my personal experience advocating NFC to business owners, the technology is received with excitement. Entrepreneurs are inspired by the possibilities presented through the integration of NFC tags and chips for enhancing and marketing their products and services. They also wonder why they haven’t heard about the technology sooner.

AT&T, T-Mobile and Verizon spent a huge amount of money on ISIS mobile payment implementation based on NFC, yet they are not promoting the technology proactively or effectively. Not many subscribers know about NFC or ISIS. What is the missing link?

 


ISIS Mobile Wallet experience with an NFC enabled phone

This is a follow-up blog about my exploration of the use of the ISIS Mobile Wallet. I needed to return my iPhone ISIS case to the AT&T store since it didn’t work well. I decided to continue my hands-on ISIS experience and picked up an Android phone. I chose the HTC One.

Here is what I did:

  1. Download the ISIS mobile app:

I downloaded the ISIS mobile app from Google Play Store and attempted to sign on to the ISIS mobile wallet. I had forgotten both my password and the answer to my security question. My ISIS account was locked after a few attempts to sign in. With such a security mechanism in place, I felt more comfortable as a mobile wallet user. I called AT&T customer support and they reset the ISIS password for me in a very efficient manner.

  2. Set up the ISIS Mobile Wallet:

To my surprise, my ISIS wallet was empty and I was asked to add all cards into it.

This is the message I received:

“This is an important service alert from Isis.

Your Isis Mobile Wallet was transferred to a new phone. Any existing installations of your Isis Mobile Wallet will be disabled while you complete the reinstallation process on your new phone.

As part of this process, you may be required to re-activate Payment Cards by your issuers.”

OK, I get it. When I bought a new wallet, I would need to move all of my cards to my new wallet. Since this is a digital world, I expect more from my digital wallet. A better experience would have been for all the cards associated with my wallet to be moved to the new phone automatically. Are these cards not associated with my ISIS wallet in the database? Why do I have to key in all of the information again?

I was also notified that my iPhone wallet was not available. It seems that ISIS only allows one active wallet and each time the wallet needs to be re-associated with all of the cards.

  3. Get Jamba Juice:

The experience at the Jamba Juice store was good. This is the store that was having trouble receiving ISIS wallet from the iPhone case. It received ISIS from HTC One instantly. I am happy about the experience.

  4. Read NFC tag:

I used the HTC One to scan an NFC tag on my book and it didn’t ask for my permission (“do you want to accept the NFC connection?”) as my Galaxy III did. Instead, it scanned the URL in the NFC tag and went to my author’s page at Amazon. It’s good to see the read/write mode working and it’s not good to see that there is no security provided. In this case, when my phone is approaching any NFC tag, it will read it and put the phone in danger of a virus attack.

Overall, it’s a better experience to use an NFC enabled phone to perform ISIS Mobile Wallet activities than using an NFC embedded iPhone case. Stay tuned for more exploration.
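The confirmation step missing in the tag-reading experience above can be expressed as a small policy over the tag's contents. This is an added example, not part of the original post or of any phone's software: it decodes a short NDEF URI record as defined by the NFC Forum and opens the link silently only for HTTPS hosts on a trusted list, prompting for everything else. The function names, the action labels and the sample hosts are assumptions.

```python
from urllib.parse import urlsplit

# URI identifier codes from the NFC Forum URI record type (subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def make_uri_record(prefix_code, rest):
    """Build a constructed single-record NDEF message for the samples below."""
    payload = bytes([prefix_code]) + rest.encode("utf-8")
    # 0xD1 = message begin | message end | short record | well-known type
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def parse_uri_record(record):
    """Decode a short, well-known-type NDEF URI record into a URI string."""
    if len(record) < 4:
        raise ValueError("record too short")
    flags, type_len, payload_len = record[0], record[1], record[2]
    if not flags & 0x10 or flags & 0x08:
        raise ValueError("only short records without an ID field are handled")
    if flags & 0x07 != 0x01 or record[3:3 + type_len] != b"U":
        raise ValueError("not a URI record")
    payload = record[3 + type_len:3 + type_len + payload_len]
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI identifier code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")


def tag_action(record, trusted_hosts):
    """Return (action, uri): 'open' silently, 'prompt' the user, or 'ignore'."""
    try:
        uri = parse_uri_record(record)
    except ValueError:  # also covers invalid UTF-8 in the payload
        return ("ignore", None)
    parts = urlsplit(uri)
    if parts.scheme == "https" and parts.hostname in trusted_hosts:
        return ("open", uri)
    return ("prompt", uri)  # unknown host, plain http, tel:, mailto:, ...


def demo():
    trusted = {"books.example.com"}  # constructed allowlist
    return [
        tag_action(make_uri_record(0x04, "books.example.com/author"), trusted),
        tag_action(make_uri_record(0x03, "books.example.com/author"), trusted),
        tag_action(make_uri_record(0x04, "unknown.example.net/x"), trusted),
        tag_action(make_uri_record(0x05, "+15550100"), trusted),
        tag_action(b"\xd1\x01\x20U\x04short", trusted),  # length field lies
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```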
