Nov. 12, 2013
By Cherian Abraham
Mobile Payments Adviser, Experian Global Consulting
When I wrote about host card emulation back in March, it provoked much debate around whether this capability will die on the cutting floor or be meaningfully integrated in to a future Android iteration. And now that it has, this piece is an attempt to look forward, even though much of it is speculative.
But I will provide some perspective from a number of recent conversations I had with networks, issuers, TSMs, merchants, platform owners and EMV practitioners, and provide some insight in to perceptions, impacts and the road ahead for NFC. And I will provide some context about why HCE matters to each of these players.
First, if you haven't read my previous post on HCE, this would be a good time to do so. Media have unfortunately focused yet again on the controversy in light of the KitKat HCE announcement, emphasizing the end run around carriers rather than the upside this brings to those who have been disincentivized previously to consider NFC.
What the pundits seem to have missed is that HCE allows for the following: It reduces the gap between merchants and card issuance, brings the topic of closed-loop and contactless in focus, and — more tactically — allows for an easy deployment scenario that does not require them to change the software inside the terminal.
I hope those three things do not get lost in translation.
Google: Being a platform owner for once
The Android team deserves much credit for enabling support for host card emulation in KitKat. Beyond the case for platform support — something BlackBerry already had — there were both altruistic and selfish reasons for going this route.
The altruistic motive has to do with throwing open another door to inviting third-party developers to build on an open NFC stack while firmly shutting out others (read criticism from Ars Technica that Android is quickly becoming a closed source, partly through its Play services approach).
It was time Google acted like a platform owner. And being one entailed democratizing access to tap-and-pay.
And selfish, because only a fraction of the more than 200 million Android devices that shipped with NFC support are tap-and-pay worthy. It had become absurd that one must inquire upon carrier, platform, issuer and device support before installing an NFC payment app, much less use it. Talk about fragmentation.
This was a problem only Google could begin to fix, by removing the absurd limitations put in place in the name of security. In truth it existed because of profit, control and convenience.
Google's role hardly ends here. Today, host card emulation — by definition alone — is reserved as a technical topic. Out of the gate, much needs to be done to educate issuers and merchants about why this matters. For retailers who are used to much cynicism in matters relating to NFC, host card emulation offers an opportunity to develop and deploy a closed-loop contactless scheme using retailers' preferred payment sources: private label, debit and credit, in that order.
HCE to merchants: friend or foe?
Merchants, in my opinion, stand to benefit most from HCE, which is another reason why Google really embraced this concept. Despite having certain benefits for issuers to provision cards without having to pay the piper, Google had its eyes set on expanding the offline footprint for GoogleWallet, and to successfully do so, it needed to focus on the merchant value prop while dialing back on what retailers once called the "data donation agreement."
Where merchants primarily struggle today in mobile is not in replicating the plastic model, it is in creating a brand new loyalty platform where the customer sets a payment source and forgets it. Preferably that's one preferred by the merchant — for example a private label card or debit. But no open loop wallets had actually been centered around this premise so far. Google Wallet launched with Citi, then reverted to a negative margin strategy by charging the merchant card-present rates while paying the issuers card-not-present rates. It wasn't ideal, as merchants did not want Google anywhere near the transaction value chain.
Meanwhile, it gave Google quite the heartburn to see Apple having success with Passbook and requiring merchants to give nothing back in return for leveraging it to deliver geo-targeted offers and loyalty. This silent takedown must have forced Google's hands in getting serious about building a complete offer, loyalty and payment scheme that is collaborative (HCE support was a collaborative effort introduced by Simply Tapp) and merchant friendly.
I believe HCE support now represents a serious effort to help merchants commercialize a closed-loop advantage in contactless without requiring software changes inside the terminal. Contactless was out of bounds for merchants till now. Not anymore.
Having fielded a number of calls from retailers as to what this means, I will distill retailer reactions down to this: measured optimism, casual pessimism and "network" cynicism. Retailers have always looked at EMV and terminalization as a head-fake for NFC — to further lay down the tracks for another three decades of control around pricing and what they see as anti-competitive behavior. Though HCE is in no way tethered to NFC (it's agnostic of a communication method), due to its current close association with NFC, merchants see the conversation as a non-starter until there is a constructive dialogue with networks.
At the same time, merchants are cautiously optimistic about the future of HCE — provided that there is a standards body that provides them equal footing with platform owners, issuers and networks — to dictate its scope and future. As the platform owner, Google should work with the merchant body, networks, issuers and other stakeholders to see this through. It was no surprise that those I talked to all agreed about one thing: Carriers really should have no role to play in this framework.
TSM's/SE Providers: Where to from here?
The nine-party model is dead or will be very soon, as the SE rental model has been previously shown to be unsustainable and, now with HCE , simply wasteful. TSMs had been focused outside of the U.S. for the last several years, as the lack of meaningful commercial launches meant the U.S. market will simply not bring scale for many years. And with Google shifting away from using a secure element in its flagship Nexus models, the writing was already on the wall. TSMs will look to extend their capabilities into non-traditional partnerships (Gemalto/MCX) and non-hardware scenarios (competing with Cloud SE providers like SimplyTapp in the HCE model). Bell-ID is such an example, and quite likely the only example right now.
Networks: certify or not?
What does host card emulation mean to Visa, MasterCard and American Express? It is no secret that the networks had more than toyed with the idea of software card emulation these last couple of years, as they saw the rapidly shrinking runway for NFC. Focus for networks should be now to certify the new approach, as a legitimate way to store and transfer credentials.
It's interesting to hear how our neighbors to the north have reacted to this news. There is still ambiguity among Canadian issuers and networks as to what this means — including debates as to whether an onboard SE is still required for secure storage. That ambiguity will not dissipate till V/MA step in and do their part.
I must quote an EMV payments consultant from the north who wrote to me this week:
"My boss calls the TSM model 'traditional,' and I remind him in NFC payments there is no tradition. ... I think for some people the Global Platform standards with the TSM smack in the middle are like a comfort food – you know what you are getting and it feels secure (with thousands of pages of documentation, how could they not be!)"
That should give GP and TSMs some comfort.
Device support for HCE: What does that look like?
Google does not report sales figures on Nexus 4, Nexus 5 or Google Play editions of Samsung Galaxy S4 and HTC One, which are the four devices slated to receive KitKat over the next few weeks (apart from the Nexus tablets). So venturing a guess, I would say about 20 million devices in total have NFC capability that will support host card emulation soon. That may not seem like much, but it's a strong base.
There is also a possibility that post-Galaxy Nexus devices from Samsung may leapfrog 4.3 and go directly to KitKat. If that happens, based on reported sales volumes for Galaxy S3 and S4, that would be a total of 100 million devices with NFC support.
What that means for Samsung's revenue model around SE — the company has an embedded SE from Oberthur in the S3 & S4 devices, for which it hopes to charge rent to Visa and others — is unclear at this point.
Issuers: ISIS alternative or more?
For those issuers who passed on Isis, or those who were scorned by Isis, this enables them to outfit their current mobile assets with a payment feature. I wrote about the absurdity in a contactless transaction where the consumer has to close his or her merchant or banking app and switch to Isis to tap-and-pay, instead of equipping merchant/bank apps with a tap-and-pay feature.
HCE means a lot more for private label issuers — who have a very inspired base of merchants looking to bridge the gap between private label cards and mobile — and now there is an alternative to clumsy, costly and complex orchestrations for provisioning cards. They can be replaced with an easy integration and cheaper deployment.
More about that later.
Finally, carriers and Isis: Fight or flight?
As the Mobile Commerce and Payments Lead at Experian Global Consulting, Cherian Abraham serves Experian's clients in banking, retail, consumer credit and payments on strategy, innovation and emerging business models around mobile. He is an adviser to payments startups, including ModoPayments, and an affiliate analyst with Yankee Group. Prior to Experian, he founded DROP Labs, a mobile marketing and commerce advisory. Opinions expressed here are strictly his own, not that of Experian. His Twitter handle is https://twitter.com/cherian_abraham.
Learn more about contactless/NFC.