NFC Mobile Payment options: HCE vs SE

When Google made Hosted Card Emulation (HCE) available for its mobile payment in order to bypass telecoms’ control, the debate of HCE and Secure Element (SE) continues.

A webinar “Evaluating NFC security strategies: The role of the secure element in the evolving landscape” was hosted by NFC World on January 20, 2015.

A few highlights of the webinar is as follows:

  • The NFC adoption rate is increasing rapidly based on the stats of NFC SIM shipped; 16M shipped in 2011, 30M in 2012, and 72M in 2013.
  • Geographic stats show the demand in different regions. In 2013, 37M was shipped to Japan/Korea, 24M to North America and 14M to Europe.
  • The pros and cons analysis of HCE and SE technology.
  • A SIMalliance recommended deployment model based on security and market reach, application and technology requirements.
  • A case study on Canada’s success as the #1 mobile payment country in the world. Some stats are as follows: All of Canada’s major MNOs now offer SE based NFC payment capability to their customer; 2/3 of the phones are Android and BlackBerry; 5 of Canada’s “Big Six” Financial Institutions do the same; over 84% major retail merchants have contactless EMV terminals

SIMalliance anticipates a future where SE and HCE will continue to co-exist and in many cases converge. This will be the basis of an optimally efficient and secure NFC ecosystem.

To watch the free seminar, click the link.

blogNFCphone

ISIS Mobile Wallet / Google Wallet / iPhone Mobile Payment

Yesterday when I was checking out at the Wholefood Market, I was delightfully surprised by their new NFC-enabled reader. At the top of the screen, it said “Swipe/Tap Your Card/Phone”. According to the excited cashier, I was the first one using my phone to pay.

ISIS Mobile Wallet has been available since November 2013. Jamba Juice was chosen as the main promotion partner; a free drink for payment made with ISIS. Jamba Juice was committed to give away one million drinks. For a while, I was having Jamba Juice every day. What a treat!

James D. White, chairman, president and CEO of Jamba Inc., in a company press release, said “Facilitating 1 million transactions through the mobile wallet over the last seven months confirms that the era mobile commerce has arrived. I am proud that Jamba has been able to serve as a leader in the space”.

I appreciate their leadership for this emerging technology.

There are many discussions about Apple’s potential mobile payment and the possibility of an NFC-enabled iPhone 6. I think it might be helpful to describe two approaches to implement an NFC mobile payment. If you want more technical information, please check out the details in this Android page.

I. SIM based Secure Element (SE):

In order to be able to use ISIS mobile payment, you need to get an ISIS SIM card from your service provider. The SIM card includes a Secure Element (SE) that contains your credentials.

When an NFC Reader is tapped by an NFC device, the NFC Controller routes traffic to the SE for authentication.

This approach is very secure because it is difficult to hack the SIM card.

II. Hosted Card Emulation (HCE):

When you use Google Wallet, you don’t need a specific mobile payment SIM. Google wallet uses HCE.

The NFC card is emulated using HCE. When an NFC Reader is tapped by a device, the data is routed to the host CPU. This approach uses the credentials that are stored in a remote server for authentication.

HCE is considered to be a threat to the SIM-based SE and is adopted in various NFC secure applications.

Now the questions is “When iPhone adopts NFC, which mobile payment approach will it choose?

Source of pictures: developer.andriod.comhttps://developer.android.com/guide/topics/connectivity/nfc/hce.html

Using a Smartphone to Replace Passwords

Yesterday (7/14/2014), the WSJ posted an article “The Password Is Finally Dying, Here’s Mine”. Mr. Christopher Mims revealed his twitter account’s password to his readers to make the point of “password is dying”. He wrote “Google is working on an as yet unnamed protocol that allows you to connect to your online accounts on any device by authenticating yourself with your smartphone.” He explained that using the device-based authentication was more secure than using a password.

Using a Smartphone for digital authentication is also a mechanism that is built into mobile wallet; for example ISIS Wallet uses Near Field Communication (NFC) SIM-based solution and Google wallet uses NFC Hosted Card Emulation (HCE) solution. So whatever Google is working on probably is also an NFC based solution.

In June, AT&T introduced NFC Connect that enables customers to use digital credentials on their mobile device. The system is being piloted at Tulane University in New Orleans and Quinnipiac University in Connecticut. Students use Samsung Galaxy S III, an Android smartphone and an NFC SIM to access buildings, meal purchases, laundry, copying and printing. This system requires a Trusted System Manager (TSM) to provision a user’s digital credential into SIM Secure Element (SE) over the air when one signed up the service.

It is likely that Google’s digital credential solution is not a SIM-based solution based on its development of Google Wallet. The cost for users could be lower since a provisioning TSM is not required. That’s my speculation.

In another note, in the AWS Summit NY last week (7/10/2014), Amazon announced Amazon Cognito, one of the new Amazon Mobile Services, as a fully managed user identity and data synchronization service. The goal of the service is to help users securely manage and synchronize app data across their mobile devices. It looks like the Mobile market is Amazon’s next move.

It will be interesting to watch the development of digital authentication with smart devices. What is your thought on this topic?

HCE is Here to Stay

SIMalliance published a whitepaper last month entitled “Secure Element Deployment & Host Card Emulation”. It stated that, “SIMalliance contends that while HCE is good for the NFC ecosystem as a whole, the technology remains immature, unstandardized and, relative to SE-based deployment, vulnerable to malicious attack.”

In general, an evaluation becomes meaningful when context for it is set. I am glad to see the white paper set the following context: “Given HCE’s current and anticipated limitations, SIMalliance considered HCE to be best utilised in use cases where stringent security requirements, optimal transaction speeds and always- available functionality are not mandatory.”

Secure Element (SE) is a more mature and established technology supported by standards groups (ETSI, 3GPP, GlobPlatform and Java Card). Not only does it provide more security for NFC services, but also it has an established certification process. At the same time, SE embedded in SIM cards are controlled by the telecoms, and SE embedded in devices are controlled by device manufactures. They are not open to developers to use freely. Therefore SIMalliance recommends that, “MNOs should request OEMs to implement default NFC routing to the SE”.

So the questions are how many NFC apps need to have stringent security requirements, and how fast telecoms and device manufacturers can implement default NFC routing to the SE. Telecoms and device manufacturers want to make a profit by controlling SE access. That’s why Google is using HCE to implement Google Wallet thereby bypassing the control. I think HCE is here to stay until all stakeholders decide to work together in allowing NFC technology to develop to its full potential.

NFC HCE and Payment Trends

On April 17th, David Marcus, President at PayPal said, “I’ve been looking at three technologies that might truly change the retail experience as we know it.”

One of the technologies David is looking at is NFC HCE (Host Card Emulation). It is an alternative way of using SE (Secure Element) to implement security mechanisms for NFC technology. In my previous blog, I explained why Google has chosen HCE. David Marcus said, “I’m moving from being a massive skeptic of NFC, to being cautiously optimistic on NFC HCE take-up in very specific shopping use cases.”

He envisions two scenarios that would popularize NFC. One is the credit card EMV movement, which would lead to more NFC-enabled terminals at points of sale, and the other is Visa embracing the HCE approach.

I understand David’s point coming from the payment industry leader he is. At the same time, I believe that NFC will take off regardless of payment trends. From my personal experience advocating NFC to business owners, the technology is received with excitement. Entrepreneurs are inspired by the possibilities presented through the integration of NFC tags and chips for enhancing and marketing their products and services. They also wonder why they haven’t heard about the technology sooner.

AT&T, T-Mobile and Verizon spent a huge amount of money on ISIS mobile payment implementation based on NFC, yet they are not promoting the technology proactively or effectively. Not many subscribers know about NFC or ISIS.  What is the missing link?

 

IMG_0321[1]

Frustration over my ISIS enabled iPhone

I am getting a bit tired with my ISIS enabled iPhone. The case added weight to my iPhone. Most of the ISIS transactions didn’t work well. The only good thing is that I am getting free drinks from Jamba Juice until the end of March. Other than card emulation mode, none of the other NFC modes work. I can’t tap an NFC tag or an NFC enabled phone with the case to get the full benefits of NFC.  I think I might switch to an Android phone. Most of the Android smartphones are NFC enabled.

Looking back at the history of NFC’s development, I find the situation kind of ironic.  We had an NFC enthusiast, Google, demonstrate NFC card emulation mode’s value by implementing mobile wallet. Telecoms disabled the capability from the phones because they were developing their own mobile wallet solutions and wanted to control SIM-based NFC. So Google dropped SIM-based NFC, the most direct and secured way to protect security and privacy with Secure Element, and implemented HCE (Host Card Emulation) based mobile wallet. Even though it’s not as secure as a SIM-based solution, the HCE solution is beyond the control of telecoms.

Control provokes innovation by requiring creative solutions to market dominant. History repeats!

On the other end, Apple has been filing patents for NFC communication technology but still hasn’t added NFC capability into their devices. Their blue ocean strategy is to find a market space with no competitors. At the same time, their actions have slowed down the adoption of NFC technology and pushed BLE forward. Apple is also exercising a control with its vast user market. Again, innovation will emerge to escape the control. History will repeat.

NFC Solutions Summit 2014 will be held in Austin, TX on June 2-4. I trust that the NFC ecosystem will demonstrate strength and creativity on mobile wallet solutions through collaboration and innovation. Extreme early discount to purchase a ticket is available until April 2nd. Reserve your seat now!

 

NFC in 2013

NFC had a good run in 2013. Every month, we heard exciting news about NFC products or trials being launched. These launches have extended far beyond the “mobile payment” category to include product/service marketing, toys, games, furniture, printing, utilities, machine-to-machine (M2M) communication, quality control, inventory management, service automation, and more.

ABI research pointed out that smartphones will continue to account for the majority of NFC shipments in 2013 as volumes jump by 129%. However, from 2014 onwards, computing products, peripherals and automotive will have greater adoption of NFC, and consequently, smartphones will decline from a peak of 80% of all NFC device shipments in 2013 to less than 60% in 2017.

NFC and other connectivity enablers are greatly expanding an “Internet of Things (IoT)”. It’s obvious that we are becoming increasingly connected through wireless technology, and M2M communication is on its rise. A good example is that Google and Apple are about to expand their battle to a new front: the automobile. This was reported by the WSJ a couple of days ago.

Big data is a buzz word nowadays. NFC, RFID, QR Code, and Bluetooth Low Energy (BLE) are all types of sensors that contribute to the big data scenario. Big data analytics are going to produce valuable information about consumers and merchandise. It’s also going to change the retail store shopping and mobile phone experience.

One of the usages of NFC is mobile payment. Recently, AT&T, Verizon and T-Mobile launched ISIS – NFC mobile payment using a SIM-based secure element that manages payment credentials. It will take a while before the consumer market adopts this technology since NFC is not yet a familiar technology, and mobile payment is not a yet a common practice.

In addition, a different approach to implement mobile wallet emerged. Google Wallet led the way to adopt the Host Card Emulation (HCE) approach in order to implement NFC secure app independently from telecom’s control of SIMs. Tim Horton’s, a North American coffee chain, has also launched an NFC mobile payment service using HCE at 3,500 locations in Canada and 800 in the United States. It will be interesting to watch the battle between various NFC mobile payment implementations and adoptions.

2014 should be an exciting year as NFC products and services continue to grow in availability and usage.