

Cloud vs Payment

With the introduction of Apple Pay, and HCE before that, we started hearing about cloud payments. My initial reaction to cloud payment was “what kind of payment isn’t already in the cloud?”

In generic terms, cloud refers to data and applications that are not stored locally but on the internet, which people can access from any device, anywhere, at any time, just by having an internet connection.

When it comes to payment, everything has been in the cloud for ages. The access devices to the cloud were plastic cards and payment terminals. Everything was happening through online systems, which were simply the cloud.

So what is cloud payment in this context?

Cloud payment refers to the tokenization of current payment forms (plastic cards and their numbers) into the cloud. The device (generally a mobile phone) storing the card number has only the token of the real card number. What is a token? A token is a replacement for the actual number that is usable only for a certain period of time, so that if someone steals your account information (card number), it will simply not be usable.

Almost anywhere in the world except the US, having the card number and the expiry date, or the magstripe data (which is readable by off-the-shelf readers), isn’t enough to make a payment transaction. Thanks to EMV and 3D Secure/SecureCode, you need more than card data; you need a password and cryptographic keys. The rest of the world has been migrating to a more secure payment era, but the US has been the weak link for a long time. Now, with cloud payment and, of course, the EMV mandates for the US, the US is getting on board as well.

Cloud payment is actually tokenization. Tokenization requires a smart device which can communicate with the tokenization server over the internet and tokenize (change) the sensitive card data. And of course the smart device is a smartphone. In today’s world, when we say smartphone, we mean Apple and Android. They are different ecosystems but take the same usability approach towards smartphone owners.

Apple finally integrated the NFC chip into the iPhone 6. Apple worked on the payment experience a lot and has come up with something just as expected from Apple: a very convenient user experience and a very tightly controlled environment.

Android has been playing with NFC for a longer time, but everyone else was waiting for Apple to get on board for mass adoption. Android has almost the same workflow as Apple, with one big exception: the payment application is software based, while Apple took the more secure way, hardware. From the end user’s perspective, everything is mostly the same.

So, what now? It is time to talk about contactless terminals. The Apple and Android ecosystems are getting ready for cloud payments, yet the biggest requirement is still the acceptance devices. Hopefully, Apple will be the main driver here. But for that to happen, Apple must move outside the US. Europe and Asia have had a contactless wave before, but it didn’t hit the masses. With cloud payment, I am hoping that it will be different this time.

We are waiting…

Host Card Emulation

You’ve probably heard a lot about HCE – Host Card Emulation. The mobile industry gave HCE a great welcome, since contactless will become a software layer and get rid of the hardware dependency. Actually, every stakeholder in the NFC ecosystem except the SIM card vendors was thrilled.

Google was third in line for NFC, after Nokia and Blackberry, but they took the “Google way” and they are now the champions of the mobile NFC game.

So, what is HCE? HCE is a software abstraction of a contactless smart card. It is currently specific to Android, but definitely portable to other mobile operating systems as well.

As the definition suggests, it is an emulation of a contactless smart card. What is the capability of a contactless smart card? Mainly payment, identification and transportation. What happens when one of these cards, say your ID card, which you use for entering your office building, is just an app on your mobile phone? Or your contactless credit/debit card? Sounds intriguing.

Before HCE, a contactless smart card was emulated by a hardware chip, and software (a mobile app) was needed for the hardware to be activated. The hardware component was either a chip embedded in the phone or the SIM card. Either way, a few more parties other than the owner of the handset itself were involved in the game and it was quite complicated to activate and use the NFC app. Now with HCE, the smart card is still being emulated, but this time by software rather than hardware.

In the hardware mode, the contactless (NFC) reader was working with the secure element.

[Figure: Secure Element]

Now with HCE, the hardware component (the SE or the embedded chip) is not needed. Android itself emulates the hardware. Apps will use the interface provided by the operating system again, but this time there is no hardware below the API.

[Figure: HCE mode]

When it comes to payments, a software-only solution comes with a price: security issues. For EMVCo, the answer is tokenisation. The actual card data that is stored in the software layer in the app is required to be a token only, which will enable backward compatibility with the contactless readers. But the actual payment transaction will occur in the cloud, quite similar to Google Wallet. HCE is an evolutionary next step of Google’s approach in the latest wallet implementation, which I covered in a previous post.
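The tokenisation described here and in the “Cloud vs Payment” post above can be sketched as follows. This is an added example, not code from any wallet or from EMVCo: it is a simplified model in which the `TokenVault` and `Handset` classes, the one-hour lifetime and the 16-digit Luhn-valid token format are assumptions chosen so that the token still looks like a card number to a contactless reader.

```python
import secrets


class TokenError(Exception):
    """Raised when a token cannot be exchanged for a card number."""


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the string is all digits and its last digit is the Luhn check digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


class TokenVault:
    """Server-side ("cloud") store mapping short-lived tokens to real card numbers."""

    def __init__(self):
        self._entries = {}  # token -> (real card number, expiry time)

    def tokenize(self, pan: str, ttl_seconds: int, now: float) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random digits plus a Luhn check digit: same shape as a card number,
            # but with no mathematical relation to the real one.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, now + ttl_seconds)
        return token

    def detokenize(self, token: str, now: float) -> str:
        entry = self._entries.get(token)
        if entry is None:
            raise TokenError("unknown token")
        pan, expires_at = entry
        if now >= expires_at:
            del self._entries[token]  # an expired token is never usable again
            raise TokenError("token expired")
        return pan


class Handset:
    """What the phone stores in software: the token only, never the real number."""

    def __init__(self, token: str):
        self.token = token

    def tap(self) -> str:
        return self.token  # this is all a contactless reader (or a thief) sees


def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    phone = Handset(vault.tokenize(pan, ttl_seconds=3600, now=0))
    in_time = vault.detokenize(phone.tap(), now=60)      # within the lifetime
    try:
        vault.detokenize(phone.tap(), now=7200)          # replayed after expiry
        late = "accepted"
    except TokenError as exc:
        late = str(exc)
    return phone.token, in_time, late


if __name__ == "__main__":
    print(demo())
```

The real card number exists only inside the vault, so data copied from the handset is worth nothing once the token's lifetime has passed.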

HCE will open a new set of possibilities in the NFC ecosystem, from contactless to remote payments. It will enable more projects; let’s see how it will contribute.

 

Current state of contactless & NFC payments

It was back in 2007-2008, when everyone in the payments space was quite sure that NFC based mobile payments would be rocketing in the next couple of years. Countless graphics and infographics showed us how mobile payments would boom the next year.

Unfortunately, we did not see any of those projected figures materialize in the actual stats. Today, almost all Android phones have NFC chips embedded and almost all MNOs have a mobile wallet installed or have a mobile wallet project in the pipeline. Some of them even closed down the services and kept on trying at different levels.

Well, there are solid reasons against this boom happening. Here are the main ones:

  1. Contactless card based payment is still not a daily requirement for the average consumer; a different way to put this: contact payment is still very convenient for all.
  2. Contactless terminal penetration is still quite low worldwide.
  3. The NFC based mobile payment experience is not user friendly, in both the enrollment and the actual payment parts.
  4. MNO offerings are vague and banks have not managed to develop a successful NFC based payment product up to now.
  5. NFC is still not a requirement for people when buying their next phone; there is no cool use case for NFC for the average person. Even Bluetooth is still at its baby steps. Existing apps and services work fine over 3G/LTE/Wifi connections; people do not need any other interface for connectivity.

So, what now? NFC projects may still be at baby steps, but innovative mobile payment solutions appear frequently. Host Card Emulation (HCE) presents a great future for both contactless and remote payment solutions. It is not only for payment; it is especially great for apps that do not require the high security level that the SIM card provides.

Contact card payment is still the king, and we need some more time, or a disruptive mobile-based approach, for NFC/contactless payments to boom.

NFC Symposium 2014

On 23-24th of January, NFC Symposium 2014 took place at the Sheraton Hotel, Stockholm, Sweden. I was one of the attendees, along with mostly Scandinavian colleagues.

The speakers were selected from a wide variety of the NFC ecosystem, ranging from vendors to airlines and from TSMs to universities.

It was interesting for me to see what kind of NFC projects the Nordic countries have been working on. Briefly, I must say, it was exactly what I was expecting to see.

The NFC ecosystem’s biggest chicken & egg problem has partly been resolved on the device level, but the services on top of the hardware level are still in their early days. Smartphone penetration is almost complete in Sweden. It was interesting for me to see that even a country like Sweden, where you can pay for almost anything with a plastic card, still does not have a variety of MNO/bank based mobile wallets. This mostly comes from the problem that contactless payment is still not an average consumer requirement, so nobody desires a payment card on the mobile phone.

An interesting project came from Mid Sweden University. Dr Johan Sidén presented all kinds of NFC chips embedded with moisture/temperature detection sensors, etc. It was particularly interesting to see the use case of NFC for senior citizen home care projects.

Valyou was also interesting to see. It is almost exactly like what’s been going on with the MNOs in Turkey, but the main driver of the product is the TSM, not single MNOs or banks. MNO wallets have been in the production phase in Turkey for almost 3 years now, and exactly the same workflow (of enrollment and transacting) is being piloted in Norway nowadays.

 

Sweden is a great country in every aspect you can think of, including card payments; however, NFC payment is still in its early days and they will need some time before mobile payments with NFC emerge at the mass level.

NFC portal from NXP

NXP, being the co-founder of the Near Field Communications Forum, one of the masterminds of NFC and one of the largest suppliers of NFC tags, chips and controllers, has started a portal on NFC. It is a good start for any developer or company interested in NFC and its ecosystem. It is worth adding the RSS feed to keep in touch.

NFC&ContactlessXL@Amsterdam

We are living in the ecosystem and API age. It would have been almost impossible for Apple to have this success with its mobile devices if they didn’t provide APIs to access the capabilities of their hardware components through their SDK. This API environment created the ecosystem that developed all those applications that people are crazy about. Who would use an iPhone on which you could only make phone calls and send texts and e-mails?

It is the ecosystem that boomed around Apple that created its huge success. And it is not just Apple: Google, Blackberry, Facebook, Twitter, Foursquare, you name it. The surrounding ecosystem is the key to success.

The NFC and contactless ecosystem is formed by contactless chips, contactless reader chips, SoCs, mobile operating systems, Windows, Linux and Mac operating systems, embedded terminal environments, etc. Companies developing NFC and contactless applications/solutions are connecting those APIs and services together for a broader use case or for products and services.

The NFC and contactless ecosystem is still in its early years. Yet, I’ve bumped into this great mentoring program for startup companies focused on NFC and contactless, which I believe is a great step forward for the ecosystem.

It is a program of the Startupbootcamp organisation, which provides early seed funding and mentoring to startups. It is a great organisation for creative and talented people to boot up their companies and projects. Now they are on their way to supporting NFC and contactless projects.


If you have a project or a product in the NFC or contactless space, this program is a great opportunity for you. Use this link to explore the NFC&ContactlessXL program, which will take place in Amsterdam starting on October 14th, 2013.

I salute the people who have put effort into this program, good job! I will try to keep up with any companies or products that emerge with its help.

My article on E-Finance & Payments Law & Policy Journal

I wrote an article for E-Finance & Payments Law & Policy, a monthly journal published in the UK, about Turkey’s payment industry and the mobile payment trends. It was published in the October 2012 issue.

I tried to give an outline of the payments space in Turkey and then moved on to mobile payments. Here it is:

Turkey’s payments industry and the inhibitions to m-payments

Turkey is one of the forerunners of innovative payments technology and openly intends to be a ‘cashless society’ by 2023. One of the most advanced countries in Europe in terms of contactless mobile payments, Burak Ilgicioglu, a Card & Payment Systems, Business Analysis Manager at Yapi Kredi Bank, Turkey, discusses Turkey’s successes so far in regards to mobile payments and the factors hindering widespread adoption.

Turkish banks have a very good history of developing successful card based payment products. All banks have installment products which work mostly as a personal finance product. When people are shopping for a high definition TV, they usually check the campaigns from banks to choose the electronics retailer from installment numbers. There are no finance charges or fees for installment transactions when the customer pays on the due date. All the banks have loyalty programs where customers earn bonus points, just like the frequent flyer programs in the US/UK. This even helps the government fight the shadow economy. Card payments are encouraged by the regulating bodies of the economy. The motto of BKM (the interbank card centre founded by Turkish banks) for 2023 is to reach a ‘cashless society’ on the 100th anniversary of the republic. Today, 30% of Turkey’s total GDP is processed by banking cards. Turkish banks started the card payment business back in the 80s.

BKM was founded in 1990 as the national switch, clearing and settlement processor. Turkey started issuing EMV cards in 1999 and by the end of 2011, the migration was complete. All the ATM and POS terminals now support EMV. All credit cards are EMV with the exception of debit cards; almost all the debit cards are still magnetic stripe. Thanks to Chip&PIN migration, which started in 2007, all credit cards are used with offline PIN.

Contactless

Turkey is one of the most advanced countries in Europe in terms of contactless and mobile payments. By the end of Q2 2012, 14 out of 27 banks in the card issuing business have reported that they are issuing contactless cards. More than 6 million contactless cards have already been issued. Turkey is a credit card country; most of these contactless cards are credit cards. There are a limited number of debit and prepaid contactless cards; the majority are credit cards.

Contactless projects started to emerge in Turkey in 2006, when the Chip&PIN migration was still underway. Unlike the US market, Visa and MasterCard forced banks to use EMV for contactless in Europe. This practically means both offline and online transactions are possible due to the contactless interface. This also led to the fast development of NFC products as the natural extension of contactless cards. Contactless has been gaining momentum in Turkey for the last few years. But just like other countries issuing contactless cards, there are some drawbacks blocking the boom. The main reason is the acceptance infrastructure. There are more than 2 million POS terminals in Turkey and only 60,000 of them have contactless readers installed. That share is much lower than the percentage of contactless cards among all cards, which are 6 million and 51 million respectively. Another obstacle for contactless penetration is that there is not much benefit for either customers or retailers when it comes to contactless. Although some merchants – like Starbucks – are already forwarding customers to the contactless interface to speed up the transaction, there is still a long way to go.

NFC

Despite contactless cards facing issues, which have stalled penetration, NFC products have been rolled out in the last two years. We have seen NFC products in different form factors, from Micro SD cards to antenna SIMs or dongles for iPhone. As for banks, unlike contactless, there is another player on the table, which claims an even bigger share of the customer base: the MNO (mobile network operator). By nature, NFC products work on mobile handsets, especially on SIM cards. As a result, banks and MNOs share the customer. Currently more than five banks already have commercial NFC products available on different phone and SIM cards. There are three MNOs in Turkey and all of them are actively involved in NFC projects. Current regulations in Turkey require all payment transactions to be processed exclusively through banks, so MNOs are working with many banks at the same time. Almost all the pilot or commercial NFC programs throughout the world feature a single bank and MNO, but in Turkey, all the MNOs have wallets involved with more than one bank at the same time. The physical wallet experience has almost become a reality in the Turkish mobile payment products. Each MNO has already invested in their own TSM (trusted service manager) infrastructure and mobile wallet products. Yet there is still no ISIS-like cooperative organization between the MNOs and it seems unlikely it will happen in the future. There are indeed many NFC products commercially available on the market, but the most important player in the game is still missing: the customer. The number of NFC products sold is very low when compared with traditional card products; there are many reasons for this. We can count the current contactless issues as one. In addition, NFC products require users who have a clear understanding of the personalization process, which is mostly performed by the customers themselves. Customers are supposed to apply for a card account, install an application on their mobile phone, then authenticate themselves to the payment application on the phone. If everything goes well, then they will surely struggle to find places where contactless cards are accepted. Customer experience has still not been worked out entirely.

Mobile payments

Although the current picture doesn’t seem to be very promising, there are a great many good signs that mobile payments will be the next big thing in Turkey. All MNOs have dedicated teams for mobile payment services. MNOs are considering mobile payments as part of the mobile wallet product in which people will be utilizing location based campaigns, transport ticketing, access control, loyalty card aggregators, couponing and smart posters. For MNOs, it is still more like a loyalty tool, rather than a revenue generator. Banks are experimenting with mobile payment products. Banks’ perception of mobile payment products is not just buying a cup of coffee with the mobile phone. Banks consider the mobile payment experience as a step into the mobile world where the future lies. P2P payments are increasing and banks are positioning themselves in the game. Location based campaigns are another big step for the Turkish banks, which already run very successful campaigns for card payments. High value payments over mobile devices will enable banks to penetrate new business models. Money transfers between bank accounts and mobile phone numbers are already a reality in Turkey, yet it will gain another perspective when NFC meets the masses with more prepaid products. Turkey is definitely a big country for card payments. It will be bigger when the mobile payment experience is part of daily life, and NFC will be the enabler of this evolution.

 

A not-so-utopic NFC world in a not-so-far future

NFC World Congress took place on September 17-19 on the French Riviera. I was not able to attend, but my article below was published in the official publication of the event. I tried to materialize the use cases of NFC beyond payment in the near future.

Here is my article:

NFC : Beyond payment

Overview

Over the last few years, we’ve seen NFC being discussed on all major platforms within the payments, mobile and transportation industries, and sometimes even in mainstream media. Each player in the NFC ecosystem has its own version of the NFC story based on the perspective of its core business and market. I am a member of the bank frontier, but in this article, I will try to reflect my personal NFC perspective, which is beyond payment.

First, a brief outline of the latest status of the NFC world. Payment system schemes like Visa and MasterCard have already ported their contactless payment applications onto the UICC platforms. Banks are trying to drive the mobile payment infrastructure based on these secure payment applications. MNOs have fought hard to win the battle to host the secure element on their UICC, yet this battle seems to be won. However, almost all the latest NFC handsets, which are still not many, now come with both embedded and UICC secure element type designs. The transportation industry played with NFC for a long time; some implementations appeared but no success story has been written yet. In the GSM world, major MNOs now have their own mobile wallets running on different mobile platforms using the cards installed on the UICC running mobile payment application instances of Visa and MasterCard. These cards are personalized by banks over the air via TSMs through various working conditions. Google, and recently Microsoft, announced their own mobile wallets with a similar approach and similar intentions to the MNOs. Google also recently announced its first tablet, the Nexus 7, with NFC support. With all the patents on NFC, Apple is still expected to join the game, but the latest iPhone 4/S did not have the NFC chip.

With all these in mind, the NFC ecosystem is still in its toddler years. All those major companies have put their efforts into a new game, but the one component that matters most has still not joined the arena: the user!

NFC was initially designed for the internet of things: a device level communication standard that will enable consumer electronic devices like the refrigerator, mobile phone, TV, camera, locks, you name it, to transmit data over the existing contactless standards. This is supposed to enable easy and convenient use cases, bringing on a new era in which devices act differently than what they were originally designed for.

From the banking perspective, one of the main barriers preventing NFC from reaching critical mass is exactly this, the nonexistence of use cases for NFC other than payment. Otherwise for mobile payments, as TechCrunch correctly pointed out recently, we are getting into a position to solve a problem which does not yet exist.

So as of today, what should be the next step for the NFC world to reach critical mass? The answer is simple: definitely more and more use cases for NFC. Banks or MNOs will not be the main drivers here, but the rest of the ecosystem, especially the consumer electronics segment, will be in charge of this task. Of course the mobile phone – the single most important device in the consumer’s daily life – still remains the core of the NFC ecosystem, but the devices transacting with the handset are even more important than the phone. It is still a chicken and egg problem since there are not enough NFC handsets, but let’s hope that all those shining predictions become reality and the growth rate in devices and transactions becomes real in the near future.

In the rest of my article, I am going to exaggerate the use cases of NFC in daily life, assuming that most devices have NFC chips. I, as an average person, will have all the required devices, hardware, software, services and apps ready to use NFC. I will dream that all the components have been implemented and are being used by ordinary people like me.

A not-so-utopic NFC world in a not-so-far future

When I return home, I run the Key application on my phone. I enter the PIN and the application tells me to wave my phone to the lock of the door, which has an integrated contactless reader instead of a key lock. My door authenticates my identity over an RSA signature which was generated randomly based on date and time. It takes less than 300 milliseconds after I wave my phone to open the door.

I get in the house. The notification bar on my phone tells me that I need to go shopping. My food stock is running low. I go to the fridge and wave my phone against the touch screen user interface of the fridge. My fridge is a smart one: each time I put something in or take something out, I wave the product to the contactless reader inside the fridge, which manages my food stock. I define the thresholds to my own taste; for example, I always must have at least 5 bottles of beer, 3 ice creams, 10 bottles of diet coke, etc. I tap the touchscreen interface of my fridge and it tells me to wave my phone to download the shopping list to my phone. I wave it and it transmits the shopping list to the shopping list app on my phone.

I get to my car; again I open my Key application and enter my PIN on the car tab. The same thing as with the house lock happens and I am now in my car. I place my phone in its holder and it asks me if I would like to go to the supermarket, since a new shopping list has been downloaded. When I confirm this, it automatically transmits the route to my favorite supermarket to the GPS navigation in my car. (My favorite supermarket option on my phone was set by the loyalty app of the supermarket!) I begin driving in an old fashioned way: by myself!

When I park my car in the parking lot, I wave my phone to the parking spot’s sign and download the exact location of my car to my phone. Then I walk to the entrance and take a shopping cart. I start the touch interface on the cart and tap my phone to download the shopping list to the cart. My supermarket’s loyalty card details are also retrieved by the cart’s interface and I get some personalized recommendations on the screen. Then I start browsing the aisles. Each time I place a product in the cart, I wave it to the reader of the cart and it updates my shopping list. I can also view the status of my list on the screen. When I am done, I go to the check-out. The touch screen interface tells me the amount I must pay for the items in my shopping list. I open the mobile wallet on my phone, enter my card PIN and wave it to the screen. My bank authorizes my transaction. Of course the loyalty program of the supermarket also downloaded the bonus points that I earned during this shopping trip to the loyalty app on my phone.

I walk to my car, and if I cannot remember where I parked it, I just wave my phone to a sign and it shows me the way to my car on my phone.

On the way home, I stop by the mall to visit my favorite coffee shop for a latte. I get inside the store and touch my phone to the check-in tag near the door. I see that a friend on my list was here 10 minutes ago and he must still be in the mall. Maybe I’ll call him, let’s see. I open the coffee shop app and order my latte inside the app. I wave my phone to the ordering terminal and the cashier confirms my order. She asks me if I want to use my bonus points for payment, which she can view on the terminal because they were sent from my app when I waved my phone. I skip it and pay with my credit card through the wallet on my phone. At the same time, I receive a text message from the coffee shop that I earned a free movie with my purchase, which is available now on my set top box. I tap my phone to the terminal and download my ticket to my phone.

I return home and put everything in the fridge. It automatically updates the food stock in my fridge. I am done with shopping until the next time I get a notification on my phone.

I sit back and turn on my smart TV. I bump into a commercial from the supermarket which tells me that I can get 20 percent off next week on select products if I spend a certain amount of money this week, which luckily I just did! It tells me to touch my phone to the set top box through which I am receiving the broadcast over satellite. It checks my transaction amount and downloads the 20% off to the loyalty card app on my phone. It will be available the next time I go shopping. Good. I will buy the expensive Belgian beer with the 20% off I have.

Then I remember that I am entitled to a new movie that I earned from the coffee shop loyalty card. I wave my phone to the set top box and I see the message on the TV that I can view it whenever I want to.

I am now in the mood for the movie and I choose to watch it immediately. While watching it, I see a lovely watch in the movie which will be a perfect gift for my wedding anniversary. I pause the movie and open the merchandising menu. I find the watch among many other items that appeared in the movie and place an order. I choose the remote payment option and type my phone number with the remote. I immediately receive a notification on my phone that the broadcasting company is requesting me to enter my PIN for the transaction. I tap on it and my mobile wallet runs for me to choose my credit card and key in the PIN. I see on the transaction screen that I have the option to pay in 3 installments; I go for it. I receive confirmation on my TV and my phone that the payment was successfully processed and I will receive the watch in two days. Great!

Final words

How do these 2 hours of my imaginary future life sound to you? Science fiction or likely to happen? I am up for the second!

NFC promises huge opportunities for a more connected world. We already have the connectivity on 3G/4G mobile networks; NFC provides a new layer that brings convenience to the interactions and transactions that take place when people and devices are physically together. The sky is the limit for devices when it comes to working with NFC.

I am hoping for an NFC world driven by the ecosystem as a whole, which includes many players that do not exist in the game yet.

Contactless & NFC Ecosystem in Turkey

On 20-21st of June, I attended an event from SMi Group in London on contactless and NFC. I presented the Turkish market and Yapi Kredi’s products and services. It was a great opportunity to keep up to date on the contactless & NFC space throughout Europe. I met colleagues from the industry and discussed hot topics on contactless & NFC.

You can view my presentation below.

 

Google Wallet Hack – a possible lead to EMV in the US

Last week, we saw in the breaking news that Google Wallet was hacked. The PIN that is required to unlock the wallet is displayed within seconds by using a separate application, Wallet Cracked.

The briefest explanation of the hack is that the encrypted file in which the PIN is stored on the file system of the device is compromised. It was identified that Google uses the most common database engine for mobile applications, SQLite, for storing the PIN. By any security standard, this is simply not acceptable. But of course, there is a reason for that. The PIN must be authenticated offline, so somehow it must be stored on the device. There are not many options: either on the file system of the device or on the Secure Element. The Secure Element can either be on the handset (embedded) or can be the SIM. If you go for the SIM, it means that the MNO holds the power. If it is embedded on the device, it is up to the configuration; whoever is subsidizing the phone will have the master keys to access it.

It seems Google went for the easiest way: the file system of the handset. But in the mobile world, accessing the file system of the handset is a piece of cake for anyone who wants to do it. Both Android and iOS devices come with the file systems locked, but jailbreaking (for iOS) or rooting (for Android) enables the user to access the file system without any limitations. That simply means you can browse, view and edit any file you like, including the file that stores the PIN for Google Wallet.

Well, I can say that this would never happen in the EMV world. Here in Europe, or Turkey to be precise, the wallet itself is not the item to protect. The wallet that the MNO provides is mainly an interface to the mobile payment application running on the SIM. You need to authenticate yourself to the mobile payment application, but this happens within the SIM and there is no way to access it from the outside. The SIM is connected to the handset run time via the Single Wire Protocol (SWP) and this is not something developers can play with. Each mobile payment application has a PIN Try Counter and you cannot verify the PIN without using the VERIFY PIN command over this interface. After 3 consecutive unsuccessful PIN attempts, the PIN is locked. There is no way to access the memory of the SIM, and the mobile payment application is not even accessible by the MNO itself. It is accessed by the bank over a secure channel through a TSM. The role of the MNO is mainly that of the enabler of the payment application. Customer processes (installation, uninstallation, PIN unlock, etc.) for the payment application are handled by the bank through the TSM, over the air.
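The PIN Try Counter behaviour described above can be simulated as follows. This is an added example, not code from any SIM, wallet or payment scheme: the `SimulatedPaymentApplet` class, the reference PIN and the plain ASCII PIN encoding are assumptions for illustration (real cards use a PIN block format), while the VERIFY instruction byte and the status words are the standard ISO/IEC 7816-4 values.

```python
import hmac

INS_VERIFY = 0x20             # ISO/IEC 7816-4 VERIFY instruction
SW_SUCCESS = 0x9000           # command completed normally
SW_PIN_BLOCKED = 0x6983       # authentication method blocked
SW_WRONG_LENGTH = 0x6700
SW_INS_NOT_SUPPORTED = 0x6D00
PIN_TRY_LIMIT = 3             # as in the text: locked after 3 failures in a row


def sw_wrong_pin(tries_left: int) -> int:
    """Status word 63Cx: verification failed, x tries remaining."""
    return 0x63C0 | tries_left


def build_verify_apdu(pin: str) -> bytes:
    """Handset side: CLA INS P1 P2 Lc + data. ASCII PIN is a simplification."""
    data = pin.encode("ascii")
    return bytes([0x00, INS_VERIFY, 0x00, 0x00, len(data)]) + data


class SimulatedPaymentApplet:
    """Stands in for the payment application inside the SIM / secure element.

    The reference PIN and the counter are private state: the only way the
    handset can test a PIN is to send VERIFY, and every test costs a try.
    """

    def __init__(self, reference_pin: str):
        self._pin = reference_pin.encode("ascii")
        self._tries_left = PIN_TRY_LIMIT
        self.pin_verified = False

    def process(self, apdu: bytes) -> int:
        """Handle one command APDU and return the status word."""
        if len(apdu) < 5:
            return SW_WRONG_LENGTH
        ins, lc = apdu[1], apdu[4]
        data = apdu[5:]
        if ins != INS_VERIFY:
            return SW_INS_NOT_SUPPORTED
        if len(data) != lc:
            return SW_WRONG_LENGTH
        return self._verify(data)

    def _verify(self, candidate: bytes) -> int:
        self.pin_verified = False
        if self._tries_left == 0:
            return SW_PIN_BLOCKED          # even the correct PIN is refused now
        # Spend the try before comparing, so an interrupted command
        # can never yield a free guess.
        self._tries_left -= 1
        if hmac.compare_digest(candidate, self._pin):
            self._tries_left = PIN_TRY_LIMIT   # success resets the counter
            self.pin_verified = True
            return SW_SUCCESS
        return sw_wrong_pin(self._tries_left)


def run_session(applet: SimulatedPaymentApplet, pins) -> list:
    """Send one VERIFY per PIN and collect the status words."""
    return [applet.process(build_verify_apdu(p)) for p in pins]


if __name__ == "__main__":
    applet = SimulatedPaymentApplet("4821")   # constructed reference PIN
    for sw in run_session(applet, ["0000", "4821", "1111", "2222", "3333", "4821"]):
        print(f"{sw:04X}")
```

Once the counter reaches zero, the correct PIN is rejected as well, so guessing is limited to three attempts. A PIN check that can be run against a file on the handset has no such limit.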

Google immediately fixed the leak, but I think this incident will lead people to go deeper into the security of a payment application on a mobile device. The file system of the handset is not secure and you cannot/must not store any sensitive data there. You need to do it on the secure element, and the most mature payment solution to run on the secure element is the EMV path.

Both Visa and MasterCard released their plans for migrating the US to EMV and I hope this unfortunate event contributes to these plans, at least on the mobile platform.