Open Mobile Wallets - Key to Accelerating Mobile Payments
NFC-based contactless mobile payments are clearly one of the most exciting opportunities in the global mobile financial services markets. NFC-based mobile payment services (such as Google Wallet) have already been introduced in the United States, with several other initiatives (such as Isis) expected to roll out in 2012 and 2013. The mobile phone may not yet completely replace the leather wallet – however, in a few years the phone will replace our cards, our keys, our driver’s licenses, and various other types of credentials.
NFC need not be a “disruptive” model for the established financial ecosystem service providers. There are enough opportunities for different industry participants to extend their expertise into mobile to deliver NFC-based services. The roles of different types of industry participants for NFC payments are actually quite well defined. Telecommunication industry participants won’t become banks, and banks won’t be rolling out wireless networks to be able to deliver mobile payments. They will have to work with each other to deliver NFC and benefit from this exciting opportunity. In fact, NFC creates several opportunities for specialized solutions providers (such as a Trusted Service Manager, or TSM) to bring about this “dynamic collaboration” between different types of companies. This is actually a very simplistic representation of how NFC works – the key challenge in NFC is to satisfy the key expectations of all the stakeholders (banks, mobile operators, device OEMs, TSMs, chipset vendors, NFC middleware providers, and others) and ensure that each party achieves its business objectives – which could range from enhanced revenues to new customer acquisition.
The following diagram depicts the value chain for NFC-based mobile payments.
NFC 1.0 – Current Market Implementations
Google Wallet and Isis represent two different approaches for how the secure element (SE) should be installed in the handset. However, there are striking similarities in how the wallet experience is delivered to the consumer. For example, in Google Wallet, you have a Google Wallet application that accesses the Citi MasterCard (or the Google Prepaid Card that can be funded by other cards) that has been uploaded in a digital form on the Sprint Nexus S 4G devices. A similar architecture will be available in Isis, where a wallet/container application will be able to access and manage the secure credentials – stored in the UICC or the SIM card in this case – that are delivered and managed by Gemalto. The key point here is regarding access to secure credentials stored within the SE – consumers currently can access their payment cards only from within the Google Wallet or the Isis Wallet application. Enterprises wanting to deliver NFC-based payment services have to work with Google for inclusion in the Google Wallet. This is probably true for other wallet initiatives currently planned as well. That is the way things have been designed for these services, and that is what we call NFC 1.0.
So what is NFC “2.0”?
In the current scheme of things, only the approved wallet application can access these credentials directly. There is no way (yet) to allow third-party applications to access these credentials from outside the designated wallet. This is fine, as long as we are only talking about made-for-purpose mobile wallets (or “containers”) whose only purpose is to manage access to a very few cards stored in a digital form on the mobile handset. However, limiting access to a user’s credentials to only one wallet application could become an issue with consumers in the long run. For example, imagine a consumer using a merchant-provided application to check in-store offers by using the GPS capabilities of their NFC-enabled devices. The same consumer may then have to open up the separate wallet application to use his credit card (or the merchant-provided coupon) at the retail POS for checkout. Another scenario could be related to a transit application. Users may use a transit application to check train schedules, and have no means to use the digital ticket from within that application to access the train station (for example). The same user will have to use a different application (the wallet) for payments since that is the only approved application to access the secure credentials stored on the mobile phone. NFC 2.0 services will be designed around providing access to secure credentials to multiple approved applications on the mobile phone. I would not go as far as saying that these credentials can be used from within the mobile web experience (for example), however it is only a matter of time before the industry participants start exploring different possibilities to deliver a unique ‘mobile-enhanced’ commerce experience. This “cross-application data sharing” is going to be an important part in defining what NFC 2.0 services will look like in the future.
Roadmap and Path to NFC 2.0 Services
To be fair, the current implementations also have a roadmap for allowing multiple parties to have access to the handset SE to allow a wide range of mobile payments, security, and other types of NFC applications. There is a desire to be “open”. As Drew Sievers, CEO of mFoundry (a leading provider of mobile banking and payments solutions in the United States) recently commented - "The same way that nature abhors a vacuum, the SE will yearn to be open." That is quite a lot said in a very few words. However, this open architecture may not be that easy to implement – there are various legal, operational and even technical issues that come into play for storing and sharing of sensitive financial data on the mobile phones. Additionally, there is only so much storage space on the handset SE – the challenge will be to manage multiple organizations’ expectations regarding access to the handset SE. Entities that own and manage the SE will have to design a set of best practices to manage the limited handset SE space in a judicious manner – especially as consumers start expecting an increased number of cards (and other security credentials) to be stored on their devices. It might be worthwhile to consider the option of “dynamic” storage allocation as well, in which high security credentials (payment and identity) can be stored within the SE and low security credentials (like coupons and loyalty cards) can be stored in secure virtual memory (the “Cloud”) and called into the SE for emulation purposes.
Providing secure access to on-device NFC resources for multiple applications, and dynamic allocation of SE memory space, are perhaps two very important trends that will emerge in the future. Different types of organizations (such as banks, merchants, other service providers) want to provide commerce and security services to their internal and external customers on NFC phones. We already have branded cards in the physical commerce world – there is no reason for not emulating the same experience on the mobile phones. Think of all the applications that are built on top of the Apple iOS platform. Apple maintains end-to-end control over the type and quality of applications, yet, by providing access to various resources on Apple devices, Apple has successfully unleashed innovation in the mobile applications space. Consumers can now choose from hundreds of thousands of applications that are available in the app store and are the ultimate beneficiaries of this approach. The same “platform” approach is needed for NFC.
Key Building Blocks for NFC 2.0 Services
So how can this multi-app management be provided in a secure manner? It is not only about providing access to the SE. There has to be a way for different organizations to upload (or provision) the handset SE as well, and then access their associated credentials on the mobile devices as and when needed. Apps should be able to access only their associated secure credentials and should not have access to data not belonging to the app owners. In order to enable this, the software platform managing the SE has to be able to integrate with the existing TSMs that may be already used by the different organizations (for example, some banks may have their own internal issuance systems). Sequent Software is an example of a company that can provide the necessary middleware to enable multi-app management capabilities on the handset. In short, there are several financial and technical efficiencies that could be realized by a separation of the Credential Issuance and SE management roles – by focusing only on SE management, Sequent promises to help drive the industry toward realizing its vision of open NFC 2.0 services.
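The per-app isolation requirement above can be sketched as a default-deny access policy. This is an added example, not code from the article or from Sequent Software's product; the class, the issuer names, the applet AIDs and the certificate bytes are all hypothetical or constructed, and the rule format (applet AID plus the app's signing-certificate fingerprint) is an assumption.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of an app's signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class SEAccessPolicy:
    """Hypothetical SE manager policy: an app reaches an applet only via an explicit rule."""

    def __init__(self):
        self._rules = {}  # applet AID -> (owning issuer, {allowed app fingerprints})

    def grant(self, issuer: str, aid: bytes, app_cert: bytes) -> None:
        if not 5 <= len(aid) <= 16:  # ISO 7816-4 AID length
            raise ValueError("AID must be 5 to 16 bytes")
        # The issuer that first provisions an applet owns it; only that
        # issuer may later authorise further apps for the same applet.
        owner, apps = self._rules.setdefault(aid, (issuer, set()))
        if owner != issuer:
            raise PermissionError(f"{issuer} does not own applet {aid.hex()}")
        apps.add(fingerprint(app_cert))

    def may_access(self, aid: bytes, app_cert: bytes) -> bool:
        entry = self._rules.get(aid)  # unknown applet: deny
        return entry is not None and fingerprint(app_cert) in entry[1]


# Constructed sample data (not real AIDs or certificates).
BANK_AID = bytes.fromhex("F000000001")
COUPON_AID = bytes.fromhex("F000000002")
WALLET_APP = b"constructed wallet app signing cert"
MERCHANT_APP = b"constructed merchant app signing cert"


def demo() -> dict:
    policy = SEAccessPolicy()
    policy.grant("bank", BANK_AID, WALLET_APP)
    policy.grant("merchant", COUPON_AID, MERCHANT_APP)
    policy.grant("merchant", COUPON_AID, WALLET_APP)  # merchant opts the wallet in
    try:
        policy.grant("merchant", BANK_AID, MERCHANT_APP)  # not the applet's owner
        cross_grant = True
    except PermissionError:
        cross_grant = False
    return {
        "wallet->bank": policy.may_access(BANK_AID, WALLET_APP),
        "merchant->coupon": policy.may_access(COUPON_AID, MERCHANT_APP),
        "wallet->coupon": policy.may_access(COUPON_AID, WALLET_APP),
        "merchant->bank": policy.may_access(BANK_AID, MERCHANT_APP),
        "cross_grant_allowed": cross_grant,
    }
```

The merchant app reaches its own coupon applet and the wallet reaches both, while the merchant can neither read the bank's applet nor write a rule that would let it.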
-Special thanks to Phill Armstrong at Sequent Software for providing insights into the Sequent Software offerings for NFC.