Mobile near field communication (NFC) technology is in the running for widespread U.S. adoption for both nonpayment and payment applications, driven by such technologies and architectures as host card emulation (HCE), Bluetooth low energy (BLE), and EMV (Europay, MasterCard, Visa chip cards), said speakers at the recent 2014 NFC Solutions Summit, presented by the Smart Card Alliance in partnership with the NFC Forum and the NFC World Congress.
Recently, attention has turned to HCE, which unlocks the potential for near field communication applications without the need for integration with the mobile device’s secure element (SE) or for the support of a trusted service manager. HCE enables quick and cost-effective NFC deployments, but it also raises the question: Are its security capabilities enough for NFC payments and other secure applications?
“HCE is an architecture, not a solution,” said Ted Fifelski, the cofounder of SimplyTapp, the company that created HCE. “When it comes to levels of fraud and risk, HCE offers options. Enterprises need to ask themselves, ‘what are you protecting?’” and add levels of security they deem appropriate.
HCE is “another tool in the toolbox,” that will drive NFC adoption, said Erich Tompkins, the senior product manager, advanced mobility solutions at AT&T, but “the SE is the known good security model.” He said that the SE is the main building block for AT&T’s strategy, but that HCE can be complementary for nonpayment uses cases like ticketing. Tony Sabetti, director of merchant integration and commerce development at Isis agrees, saying that while HCE can get applications up and running quickly, he doesn’t see the hardware SE going away “anytime soon.” He said that cloud-based NFC solutions using HCE can bring about other burdens for data security: “Cloud databases are good places to go hack.”
Michael Gargiulo, the principal consultant at TNG Technologies, talked about the HCE architecture and security considerations at the network, server and device level. According to Gargiulo, if HCE leaves data at rest in the phone at the operating system level, that data is “in the wild.” He said that potential security issues could arise from uninstalled OS security updates, rooted phones, low-strength software security algorithms, and capture of user-entered data.
NFC and BLE will likely complement each other and coexist in the mobile ecosystem because their best use cases differ, John Ekers, CIO, ABnote said. BLE’s quick-coupling abilities are best for use cases that don’t require high levels of security, like in-store mobile marketing and gamification, and will drive consumers into stores and create interest. Payment, though, “is the ideal transaction for NFC,” Ekers said.
Payment is only one application in the world of NFC, where many nonfinancial applications are taking off and enabling the internet of things, according to NFC Forum’s executive director Paula Hunter. “It’s not just about the phone,” Hunter said. “It’s about the wearables, the appliances, the speakers, and the laptops—NFC is being enabled across the whole spectrum of the consumer marketplace.” Hunter cited several nonpayment NFC use cases that are enhancing the consumer experience, including wearable baby monitors, cars that can send alerts for services, and smart thermostats that that allow temperatures to be adjusted on the go.
AT&T’s NFC strategy is focused on NFC opportunities beyond payments and building services for the installed base of contactless/NFC readers, especially for transit and physical access applications, Howard Krieger of AT&T’s Industry Solutions Practice said. AT&T is currently working along with Blackboard on NFC pilots at Quinnipiac and Tulane Universities, giving students access to education, resources, facilities, and funds. Jeff Staples, the vice president of marketing and business development at Blackboard, said that students have embraced the technology and, because they use their phone for everything, see transacting on campus as a natural extension. Blackboard plans to expand the NFC pilot this fall.
Today, the Isis Mobile Wallet has 20,000 wallet activations per day and is enabled on 68 devices, according to Scott Mulloy, Isis’ CTO. With security being the biggest concern for consumers to adopt mobile wallets, Isis has implemented established and tested security techniques into the Isis Mobile Wallet with the key tenet: “Don’t store the data people want.” According to Mulloy, Isis stores no consumer data on its platform, making its data “a fairly uninteresting target.” He explained Isis’ other security techniques, including: PIN protecting every wallet, with 30 minutes the maximum amount of time consumers can set the wallet to be open; robust change/loss scenarios in which wallets can be quickly shut down if a phone is lost or stolen; use of the proven secure element; and generation of unique, dynamic data for every transaction.
David Talach, director business development at PayPal, stressed the importance of the consumer experience, saying that PayPal strives to “bring new experiences that are truly inspiring,” and that PayPal is an advocate for letting consumers choose mobile wallets and technologies freely.
Paul Moreton, vice president of digital commerce at Capital One said that “disruption is coming” to payments and that many mobile wallet solutions will soon hit the marketplace. For its part, Capital One has deployed several NFC-based mobile wallet solutions and sees issuer competition for the mobile wallet market a good thing, as it will spur more innovation.
At the same time that NFC is taking off in the United States, another payments evolution is taking place with the migration to EMV chip payments. NFC payments are complementary to EMV chip payments, using the contactless capability of POS terminals.
MasterCard’s vice president of advanced payments Oliver Manahan sees NFC, contactless, and EMV chip payments as technologies that should be implemented together in the United States. “Do it once, do it right, and future proof yourself as much as possible,” he said. He noted that, in the United States, MasterCard contactless cards are more likely to be top of wallet and that total spend after a consumer starts using MasterCard contactless is 54% higher than those who do not use contactless.
Other experts noted the importance of NFC and EMV together:
“Isis solutions are well positioned for EMV,” Isis’ Mulloy said, and noted that Isis mobile payment applets from the major payment networks are already EMV compliant. He added that merchants today can “cover all of their bases with integrated POS terminals and be ready for EMV contact, contactless, and NFC.” The U.S. migration to EMV chip will be a catalyst for terminal upgrades that include NFC, PayPal’s Talach said, and he “can see a world where we have a reasonable NFC density from a merchant perspective by around 2015.”