Will HCE revive NFC mobile payments? No.

18 03 2014

As of late there has been a lot of press coverage regarding HCE (Host Card Emulation), which in a nutshell allows devices to make NFC-based mobile payments without needing the mobile operator's secure element on the device. Both VISA and MasterCard are backing this new approach, in the hope that they can finally kick-start their mobile payment offering with NFC, effectively locking merchants back into the card schemes for mobile. Google is also heavily behind HCE, because they need a way of getting their Wallet distributed on actual devices and networks. Google has already had a rocky time with NFC, supporting it, then ditching it, only to now attempt to bring it back to their offering through HCE.

There are many companies pinning their hopes to HCE, touting their solutions and the promise of mobile payments. But is HCE really the saviour of NFC based mobile payments, or is it simply the same old issues dressed up in a new party frock?

 

Secure NFC in the cloud

Effectively HCE allows secure details to be stored in the cloud. This makes a lot of sense if you want to bypass the mobile operators and effectively quash their mobile payment offerings (ISIS in the USA and WEAVE here in the UK). But does it actually add any value for the consumer or for the merchant? Is there actually any real difference? The answer is pretty much no.

If you are using the solution in its pure form, then your phone (no matter how it gets details, from the cloud or a secure element on the device) will broadcast card scheme data to the merchant’s terminal. No matter what that data is, it is being broadcast and is data that is used to complete the payment. This is actually very powerful if you are looking for mass distribution, potentially. I say potentially because though there are businesses accepting NFC contactless payments, they are still small in number. In addition, the merchant still has to opt into accepting contactless payments – and it is worth noting that contactless payments in pure card form are not the same as contactless payments using your mobile phone. In many cases the “handshake” is different, requiring businesses to invest yet again in contactless for mobile phones. Do we really think SME owners will continue to invest in technology for zero benefit to their business?

So does HCE make any difference here? No…

 

Availability

HCE and NFC are only available on Android-based devices (and not all of them). Though Windows Phone 8 supports NFC, it is locked very much into the secure element, so no HCE support there. If we then look at the most successful mobile smartphone out there (iPhone), we should note no NFC or HCE support (and it doesn’t look like there ever will be). So with this in mind, you are only available to customers on 1 of the top 3 mobile platforms. Though many will say that Android has the lion’s share in the mobile world, it’s worth noting that they are a distant third in their share regarding mobile web being used. This indicates that the majority of Android users are not embracing all the features on their smartphone, and as such, these probably are the same users that will not look to be early adopters of any form of mobile payment.

Essentially, the consumer base that could potentially look to HCE and NFC payments is quite limited.

 

The customer experience

Many articles will talk about adding value into the mobile phone payment option, but when we do this, any distribution advantages you may have due to card schemes and contactless being accepted vanish. You may ask why, but the fact is that the acquiring banks (the people who actually operate those contactless card devices) will not be accepting data regarding a discount or loyalty scheme. To be blunt, they simply can’t accept that data, as it’s meaningless to VISA, MasterCard, the acquiring bank and the customer’s bank. So in order to accept that data, the mobile payment provider needs to sign the merchant up to their particular version of mobile payments, in order for them to enjoy any added value. Therefore the argument for NFC as an open loop environment using card scheme rails doesn’t fly.

So what does HCE bring my customers in terms of experience over what they have currently with a card? The answer is nothing, unless I buy into a particular vision of HCE by a particular company, and if I am going to do that, I may as well look at alternative payment solutions that save my business money.

 

Payment processing costs

Do these decrease with HCE? Nope, the poor old merchant is still paying full whack for their card processing, and maybe in some situations more. They will be paying for more expensive NFC-based infrastructure on a monthly basis too, so mobile is now costing businesses more to accept. That’s simply not good news for any business owner.

 

HCE a game changer? Nope…

To make mobile attractive to businesses it must be cheaper for businesses to run and maintain, and it must bring some added value to their business. It also needs to be available to the vast majority of my customers, so that means available to the top 3 mobile operating systems (Android, iOS, Windows Phone). HCE simply doesn’t stack up on any of these basic business needs. It’s more expensive and provides no added value.

Mobile will no doubt be a game changer in the payments world, but it will not be changed by solutions that look to the same old rails dressed up in a pretty new mobile dress. It will be companies that offer real added value through mobile services, and companies that deliver savings back to businesses with large reductions in payment processing fees.

So if you are a small business, look to see which alternative payment solutions out there provide you with the added value and services you want to move your company forward, helping you increase sales and increase your profitability. It’s an exciting time, and a chance for businesses to break away from the old and embrace the new, more productive world.





Payment Security. Has it been forgotten?

8 11 2013

People may think I’m not being serious with this post title, but I really am. These past few weeks yet more examples of security not being taken seriously in the payments market have emerged. It started with an article I read on Finextra regarding Google bypassing the secure element on an Android phone for NFC based transactions. It’s the launch of HCE (Host Card Emulation).

 

HCE and NFC

I’m not going to go into too many details and technicalities about it, but my own take on the whole situation with HCE, NFC and Google is that Google and the card schemes are changing the rules by which payments are supposed to be made. They are doing this to better fit with their own solutions, and to potentially lock out ventures like ISIS in the US and WEAVE here in the UK, and they are doing it at the risk of security.

There are strict reasons behind PCI compliance and the use of EMV (secured chip and PIN to most of us), and it seems that these are now causing issues for Google and others, so instead of looking for real solutions they change the rules. A great take on this can be found on Finextra here.

 

QR/Barcodes in transactions

These are the choice of many payment solutions out there, including my own company CloudZync with Zwallet. However, QR codes and barcodes are easy to create, especially static ones, so this has to be taken into consideration when using them to pass payment information, and I would never allow an authorisation of a payment to be made just because a valid code has been scanned. Yet I have witnessed many solutions out there now that do this…

With Zwallet we always make sure the consumer is involved in the authorisation process fully, so we keep intelligence in the process at the cost of 1 second in the transaction process. For me, 1 extra second making a payment is well worth it to aid in security. (I would like to point out that Zwallet transactions are still dramatically quicker than typical card based transactions, even with the added 1 second for security).

 

Security underlying cause for concern?

So what is the underlying cause of security concerns with payments? What really causes so much effort to go into technology trying to patch security issues or catch fraud after a transaction? The answer is the actual card scheme itself and the infrastructure behind it.

Let’s be real. Cards are amazing. For the last 40 years they have steadily dominated the way in which most of us pay for goods and services. But has security increased much in that time? A little is the answer. There is a lot more technology behind it, but fraud is back on the rise again, so we must ask ourselves why. And the answer is simple: cards were never designed for the digital economy. Everything that we do to utilise the card infrastructure is a kludge, a patch/hack in tech terms. All this technology and security to try and secure something that is very insecure: 16 digits on a card, mixed with two dates and 3 digits on the back. If we lose control of those details then a fraudster can do whatever they want with our cards, and that’s why so much is invested in fraud detection after a transaction and so much is invested in risk management.

My fear is, while card-based transactions using Chip and PIN remain OK, the way we use cards digitally isn’t so secure. Throw into the mix mobile payments and companies actively trying to utilise card details in their solutions to make payments, and holes start to appear. In essence, trying to use technology to secure something that by its nature is not secure causes all sorts of issues. And though it is possible to go to great lengths to make things much more secure, the costs behind these rack up.

No matter how you try to secure card details, or to what lengths you go, the fact remains that the infrastructure for cards requires those simple card details, and fraudsters are becoming increasingly intelligent, innovative and capable of getting their hands on those details and using them.

 

The security solution

The only real secure option is to start with a blank sheet of paper for payments and wake up and realise that the digital economy requires payments to be carried out on an infrastructure that is designed for digital transactions from the ground up. It also MUST include more human elements in the process and not just require everything to be automated.

Real intelligence still remains with the consumer and the business. By removing them from the process more and more, we may make the payment process a little quicker, but we increasingly make it less secure. After all, the process of me having to know my PIN to make a payment is far more secure if I have lost my card, compared to just waving my card in front of a reader and making a payment.

These are the reasons behind the security approaches we have at CloudZync, the reasons why we make sure the consumer has to actively be involved in the purchase process and actively have to authorise each and every payment. If we remove them too much, then there are more gaps for fraudsters to exploit.

I’m not saying everything can be 100% secure, it simply can’t, and intelligent, innovative fraudsters will always find a way to exploit processes and technology, but we must actively make it as hard as possible, and currently, in the race to stamp authority on possibly the payments method of the future, security seems to be being overlooked… That is a great concern of mine, and should be a great concern for each and every consumer and business owner out there…