Despite mobile network operators’ assertions that a SIM card-based solution is the best option for delivering near field communication payments services, there is increasing discussion of alternatives such as embedding the payment application in the handset or placing it on a micro SD card. Paul Golden reports
The Mobile Contactless SEPA (single euro payments area) Card Payments Interoperability Implementation Guidelines document issued by the European Payments Council (EPC) at the end of April details the various service models and processes involved in the provisioning and the lifecycle management of a mobile contactless payment application residing in a mobile phone secure element – the place where the payment application is stored.
Having previously focused on the SIM card, the latest document also covers embedded secure elements and micro secure digital (SD) cards. The final version is expected to be published in October.
While remaining supportive of the SIM-based option, the EPC suggests that the solution that can be deployed most rapidly is a secure element embedded in a micro SD card. This allows the issuing bank to own the secure element and if the card includes an NFC antenna and radio stack, no other integration is required. But one of the reasons why the council is so keen to promote debate on NFC is that there is as yet no standard for secure communication between a micro SD card secure element and the handset screen or keypad.
Franco Bernabe, chairman of mobile operators representative group GSMA, claims the adoption of different approaches to NFC “will only serve to fragment the market” and that the operator community is focused on driving the standardised deployment of mobile NFC via the SIM. To achieve this, the organisation will “develop the necessary certification and testing standards to ensure global interoperability of NFC services.”
The head of the GSMA’s near field communication programme, Nav Bains, says the SIM is the best option because it is a standards based memory card that also meets the security standards the banks insist on. “The cards are produced to the same standards as [credit and debit] cards produced for the banks. They can be provisioned over the air, so new applications can be downloaded remotely and if the device is lost, all the applications running on the SIM can be blocked (and unblocked) instantly.”
The Micro SD vs SIM
Micro SD cards are typically mono-band – that is, they support a single application – so users would potentially require multiple cards from different banks, he adds. In contrast, the SIM card can be ‘segmented’ into a number of secure compartments or security domains. “An embedded solution makes it very difficult to transfer applications to a new handset and if there was a technical fault with the device that required repair, the secure element would effectively be in someone else’s hands,” Bains concludes.
It is tempting to describe the NFC payments market as a straight fight between handset vendors – who would naturally favour a secure element embedded in the handset – and network operators extolling the virtues of their SIM-based solution. But according to Mohammad Khan, founder and president of ViVOtech, the micro SD card is a viable alternative.
NFC software and systems developer ViVOtech has supplied more than 800,000 near field communication readers to merchants in 35 countries, with about three quarters of those being deployed in the US. The company is a Google Wallet partner and has worked with merchants and point of sale software vendors to provide integration between NFC readers and current point of sale software.
While acknowledging that SIM-enabled NFC handsets will gain traction this year, Khan is convinced that micro SD has considerable potential. “Over the next few years it will be vital to enable near field communication for people who don’t want to change their existing handset, so we are working on a micro SD solution with Bank of America where the user plugs the card into their phone, which enables them to download a payment application.”
He also predicts significant growth in embedded secure elements. “I am seeing the embedded option growing very strongly because the payment platform providers [such as Google] don’t want all the power to be in the hands of the operators (who control the SIM cards).”
According to Khan, consumers will have the final say on which delivery mechanism becomes most widely used. “The handsets launched to date have been designed with a secure embedded element and are also capable of accepting a SIM-based wallet, but consumers will decide which option is best. Handsets purchased via a contract with the mobile service operator may not support the embedded element, but this will be driven by consumer demand.”
Beth Robertson, director of payments research at Javelin Strategy & Research says the absence of a standard model for contactless payment is hurting the market. “There are few mobile devices on the market with embedded NFC technology, so consumers need access to devices such as stickers or chips to enable their phones for NFC transactions. The presence of competing providers, wallets and other, non-NFC mobile technologies – such as 2D barcodes – means there is currently no single, standard market model for either consumers or merchants to adopt.”
Javelin published a report in April (Contactless Near Field Communication (NFC) Mobile Payments: Framing Mobile Payments on the Foundation of Mobile Banking), which identified mobile banking as the catalyst for mobile point of sale payments. The firm predicts that consumer comfort with contactless payments will increase with growing use of mobile devices for data communication and found that mobile banking – the function closest to mobile point of sales payments – has been adopted by more than 20% of mobile phone owners over the past 12 months.
“Mobile bankers are the most active and interested users of mobile contactless payments at the point of sale,” notes Robertson. “Forty per cent indicated they would be very likely or likely to use their mobile phone to complete mobile contactless payments, compared to only 14% of all consumers.”
Javelin recommends that financial institutions and vendors focus on integrating mobile point of sale payments into mobile banking, which could provide a considerable boost to the micro SD card as the secure element. The challenge of integrating NFC into existing mobile banking platforms is not so much technical as the fact that mobile banking platforms have not generally been designed to support point of sale transactions, suggests Robertson.
“Lack of standards is also an issue,” she continues. “No standards exist for wallet interaction – custom solutions correspond to the type of service that each provider is offering. Furthermore, terminal devices that are currently deployed may not be compatible with smart phones in the future and will therefore require software certification every year.”
Sirpa Nordlund, executive director of the Mobey Forum (a financial industry forum established to encourage the use of mobile technology in financial services) confirms that most of its members are “looking for opportunities” to roll out NFC. However, many are taking a ‘wait and see approach’ to rolling out the technology because they don’t necessarily consider the SIM card to be the best delivery option.
“The secure element of near field communication has been tested and piloted so our members are confident about the application. The focus now is on post-issuance of the card, which needs to be issued and managed ‘over the air’. The SIM card has been widely talked about and is a good option, but now we are hearing that payment platform providers are looking at embedded secure elements.”
The main concern around the embedded option is what happens if the handset is damaged, says Nordlund, who agrees with Robertson that the requirement to upgrade merchants’ payment terminals represents a major barrier to contactless point of sale transactions.
In April, GlobalPlatform (a not-for-profit association that identifies, develops and publishes specifications to facilitate the secure and interoperable deployment and management of multiple embedded applications on secure chip technology, including secure elements) released a standard language that uses web services to facilitate secure and interoperable communication between trusted service managers and the rest of the NFC ecosystem.
Trusted service managers or TSMs are independent and trusted third parties that facilitate the provisioning and secure management of mobile contactless services. Examples of communication include a TSM request on behalf of a bank to a mobile network operator to deploy a payment application, or on behalf of a mobile network operator to notify all parties involved in the delivery of a NFC service that a mobile device has been lost and services to the handset must be terminated.
Gil Bernabeu, technical director GlobalPlatform says the organisation supports all form factors on the same level. “SIM chip technology is very mature. We are working on micro SD because banks would appreciate the same level of maturity in that technology. The advantage of the micro SD card is that you are not tied to either the operator or the handset manufacturer, although some devices do not have the appropriate slot. It would be the obvious choice of secure element for the banks, although they will need to share the cost of card deployment with network operators.”
He went on to refer to the need to attract as wide a range of service providers as possible. “It will be difficult for a single delivery platform to emerge. In order to encourage service providers to develop applications we need to reduce the complexity of the delivery models.”