The latest version of Google’s Android operating system, KitKat, will allow NFC-based applications to bypass the inbuilt secure element (SE) required for NFC-based proximity payments through hosted card emulation (HCE). This means the mobile payments market faces a significant point of disruption in its development.
Simply put, in a cloud-based SE environment, telcos no longer play an inherent role in NFC payments, so they risk facing disintermediation and insignificance in the mobile payments space. Technology and security issues persist, for the time being, but given Android’s enormous smartphone OS market share, the place of major telcos in any future NFC mobile payments value chain suddenly appears to be under significant threat.
Moving on from Isis
Google’s move was inevitable following the obstruction by Isis in the US
Since its initial launch two years ago, Google Wallet has been beset by challenges and a widely noted low adoption rate. Chief among its problems has been the inability of most US consumers to access the service in Google’s core home market. This latest move follows on from earlier changes to Google Wallet to ease consumer uptake, and it has inevitably followed the blocking of Google Wallet by three of the big four mobile carriers in the US.
When Google launched its wallet service in 2011, Verizon, AT&T, and T-Mobile blocked it from accessing the SE located on the SIM of their devices. This meant that Google Wallet could not be used by these telcos’ subscribers for NFC-based in-store proximity payments; it could only be used for remote payments. The operators claimed that this was due to security concerns, but it is no coincidence that all three are active in the slow-moving Isis NFC wallet program. Sprint, which is not involved in Isis, placed no such block on Google’s access to the SE.
Google already lifted an earlier barrier to uptake of its service by moving to cloud-based card provisioning in 2012. This made it easier for users to connect any card to their Google Wallet account, and they did not have to rely on cards from banks that had an explicit agreement with Google, or on more complex virtual prepaid cards. Once Google had lowered the hurdle on tying bank accounts to the wallet, it was inevitable that it would then direct its focus toward circumventing the blocks posed by the telcos involved in Isis. If the Isis consortium had not initially blocked Google from the SE, it is unlikely that Google would have pursued a way around it.
HCE and security
The technology underpinning KitKat is not unique in its attempts to get around Isis, and could, in theory, be used in any NFC-based service. Because HCE removes the need for an SE, NFC handsets can omit the SE outright, as has already occurred with the LG Nexus 5, and NFC-based services such as payments, ticketing, and access control can be developed more quickly and implemented more readily.
This means that major telcos that may have been banking on a centralized place in any NFC ecosystem now hold little leverage over the wider environment. Telcos still hold significant opportunities with carrier billing and mobile money in emerging markets, but their position in NFC-based models is less assured as a result of Google’s move.
HCE works by emulating an ISO/IEC 7816 smart card that uses the contactless ISO/IEC 14443-4 (ISO-DEP) protocol for transmission. This is important for longer-term security, as ISO/IEC 7816 is already widely in use and is an agreed standard for EMVCo NFC payment infrastructure. This means that even without the SE, these services comply, in theory, with existing security and technology standards.
However, emulation is not the same as applying ISO/IEC 7816 protocols, and there are still major questions about just how secure HCE really is. With Android already facing significant levels of fragmentation and overall security concerns, any further doubts, particularly about payments security, will pose a major challenge to both industry and consumer adoption.
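To make the ISO/IEC 7816 emulation described above concrete, the following added example (not from the article or from Android's own code) shows the strict validation an emulated card has to apply to a reader's command APDU once no SE sits in between. It goes beyond the text by using the SELECT-by-AID command a reader typically sends first; the function names and the AID are constructed for illustration, and only short-form APDUs are handled.

```python
# Added example (not from the article): strict parsing of short ISO/IEC 7816-4
# command APDUs, which an HCE app must do itself for untrusted reader input.
SW_OK = bytes.fromhex("9000")
SW_WRONG_LENGTH = bytes.fromhex("6700")
SW_WRONG_P1P2 = bytes.fromhex("6A86")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")

# Constructed AID for illustration (0xF0... is the proprietary, unregistered range).
EMULATED_AID = bytes.fromhex("F0010203040506")

def parse_short_apdu(raw: bytes) -> tuple:
    """Return (cla, ins, p1, p2, data, le); raise ValueError on inconsistent lengths."""
    if len(raw) < 4:
        raise ValueError("truncated header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return cla, ins, p1, p2, b"", None
    if len(body) == 1:                             # case 2: Le only (0x00 means 256)
        return cla, ins, p1, p2, b"", body[0] or 256
    lc = body[0]
    if lc == 0:                                    # extended-length form: rejected here
        raise ValueError("extended length not supported")
    if len(body) == 1 + lc:                        # case 3: Lc + data
        return cla, ins, p1, p2, body[1:], None
    if len(body) == 2 + lc:                        # case 4: Lc + data + Le
        return cla, ins, p1, p2, body[1:-1], body[-1] or 256
    raise ValueError("Lc does not match body length")

def handle_apdu(raw: bytes) -> bytes:
    """Return the status word for one command; only SELECT-by-AID is accepted."""
    try:
        _cla, ins, p1, _p2, data, _le = parse_short_apdu(raw)
    except ValueError:
        return SW_WRONG_LENGTH
    if ins != 0xA4:                                # anything but SELECT is refused
        return SW_INS_NOT_SUPPORTED
    if p1 != 0x04:                                 # P1=0x04: select by DF name (AID)
        return SW_WRONG_P1P2
    if not 5 <= len(data) <= 16:                   # AIDs are 5 to 16 bytes
        return SW_WRONG_LENGTH
    return SW_OK if data == EMULATED_AID else SW_FILE_NOT_FOUND
```
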
The application of HCE extends beyond payments and means full NFC capability would be available to any app developer. This includes operating the reader functionality of NFC handsets, which means applications can be developed to turn handsets into contactless card readers. This has notable potential for the mobile point-of-sale (mPOS) market, in particular. HCE technology may open up the market for wider NFC app development, but it may also lead to significant security issues as a result of its open development and emulation approach.
NFC’s future far from guaranteed
Although HCE opens up Google Wallet to all mobile subscribers regardless of carrier, Google’s latest move does not assure the long-term success of NFC. Many consumers, merchants, and financial service providers are still unclear about the use case for NFC, particularly in a payments environment, and it has been on the wane in recent months as alternative technologies such as QR codes gain significantly more traction with the public.
The opening up of the NFC environment through HCE, rather than by applying existing standards, could also increase potential security risks, and, crucially, the impression of security risks.
With NFC app development now, theoretically, more open, HCE could be used maliciously, particularly to create a card-skimming-type device. This is only, as yet, a theoretical risk, but a false impression among consumers and merchants that the technology is less secure than it actually is creates enough doubt to limit overall uptake in the near term. Ovum’s Consumer Insights Survey of 15,000 consumers in 15 key global markets shows that security is ranked by consumers as the top concern affecting their adoption of mobile payments.
HCE does little to solve Google’s biggest problem with its wallet service: consumer and merchant apathy to the technology. Although wider availability will help, its use at the point of sale is likely to remain niche in the near term. Outside of Japan and South Korea, NFC has had little success so far as a payment mechanism. For merchants, difficulties surrounding the sharing of transaction data will persist, and this remains critical to Google’s long-term model of pushing targeted location-based advertising to consumers through the handset. NFC is often called a solution in search of a problem, and HCE does little to change that.
Gilles Ubaghs is a Senior Analyst in Ovum's financial services technology team.