by Sirpa Nordlund
Executive Director at Mobey Forum
My heart goes out to mobile network operators (MNOs), having invested so heavily in near field communication (NFC). So much noise and so little music.
In what some may interpret as cruelty, the major payment schemes have chosen GSMA’s Mobile World Congress as their platform to publish plans for NFC payments. Cruel because, on both occasions, the news has been rather less than positive for MNOs. Last year Visa and Samsung together revealed ‘the comeback’ of the embedded secure element (SE). This year Visa and MasterCard announced their joint support for host card emulation (HCE). Both announcements are geared toward the development of NFC payment environments that enable service providers to by-pass the MNOs in the value chain (almost) completely.
Plot analysis – where did it go wrong for MNOs?
It would be wrong to suggest that GSMA has been sitting on its hands, waiting for NFC to happen. The association has put a huge amount of effort into driving NFC forward, demanding that the technology be adopted by its member MNOs. In fact, during my 15 years in the telecom industry, I haven’t seen any other single feature or technology pushed with such force.
The problem is that this force encouraged MNOs to ‘go solo’. Each operator specified its own method of deploying the technology, making service implementation programmes long, complex, costly and heinously frustrating for service providers hoping to get to market before their competitors.
The 5 stages of mobile SEs
1. In 2004, Nokia released the first NFC phone featuring an embedded SE. Operators objected to the approach almost immediately; they did not see a need for more than one smart card in any one handset, and feared that the SIM could even be by-passed for traditional voice network and SMS-based mobile network services.
2. In 2005, GSMA started to take matters into its own hands. Its desire to implement SIM-based SEs delayed industry progress by at least three years, due to an interesting but lengthy ETSI standardisation process.
3. Between 2007 and 2012, uptake of single wire protocol (SWP) and SIM SEs was very slow as operators could not see a clear business model and GSMA did not include SWP in their list of requirements for handset manufacturers. The payment schemes had joined GSMA and were working to build the brave new world of SIM-based NFC. But the worst was still to come – there was no demand. The finance sector resisted delegation of payments to MNOs and the involvement of a third-party trusted service manager (TSM) to manage the life cycle processes. Even with so many chefs baking what should have been a fabulous cake, the end result resembled a pancake.
4. At the 2013 Mobile World Congress, it became evident that the pancake was inedible. Samsung and Visa re-introduced the embedded SE and Bankinter announced work on the cloud SE, raising the hopes of banks planning to introduce mobile NFC payments.
5. The 2014 Mobile World Congress saw Visa and MasterCard announce their support for the host card emulation (HCE) approach and witnessed more banks hopping on the HCE bandwagon.
Is there a preferred NFC form factor?
Many behind-the-scenes security experts (adamant that they must remain anonymous) state that the one and only truly secure approach would be the embedded SE, with root keys managed by a device manufacturer. Security is always at its best when it is a combination of hardware and software. The hardware-only approach is like an eggshell: once it is cracked, it can never be fixed. But when hardware and software are combined, it is possible to build extremely strong security. Embedded SEs would meet all of these requirements as various levels of security would be managed by independent parties. This model still requires cooperation between players, however, as MNOs could theoretically deny access to the embedded SE.
HCE plot-twist – immature potential
The payment schemes’ support for HCE was a shock to MNOs. This announcement came while the troubled (pan)cake was still baking and, because the use of any other secure element form factor than the SIM is so difficult for MNOs, the industry has now turned its attention to a software-only security solution.
While we cannot discuss the security of HCE down the line, it is fair to say it is still immature and has a lot of unclear issues. The industry is currently in a state of flux and it will be interesting to see how this all plays out.
The final chapter in our tragicomedy might be the wait for standardization, security solutions and handset support. Currently, HCE is only supported by selected Android (KitKat) and BlackBerry phones. Additionally, the NFC controller is only open to two form factors of SE (SIM and embedded) due to standards created in the early days of SIM SE support. The support for software SEs is there, but it needs an open API and the industry to support a standardised way of utilising the technology. After standardization is agreed, it will still require integration by the handset vendors so there is much work still to be done.
We have waited nine years for NFC to take off and have been told many times that it will be there “next year”.
Rest assured NFC HCE will come.
Next year.
Also published on Paybefore