A not-so-utopic NFC world in a not-so-far future

NFC World Congress took place on September 17-19 on the French Riviera. I was not able to attend, but my article below was published in the official publication of the event. I tried to materialize the use cases of NFC beyond payment in the near future.

Here is my article:

NFC: Beyond payment


Over the last few years, we’ve seen NFC being discussed on all major platforms within the payments, mobile and transportation industries, sometimes even in mainstream media. Each player in the NFC ecosystem has its own version of the NFC story based on the perspective of its core business and market. I am a member of the bank frontier, but in this article, I will try to reflect my personal NFC perspective, which is beyond payment.

First, a brief outline of the latest status of the NFC world. Payment system schemes like Visa and MasterCard have already ported their contactless payment applications to the UICC platforms. Banks are trying to drive the mobile payment infrastructure based on these secure payment applications. MNOs have fought hard to win the battle to host the secure element on their UICC, and this battle seems to be won. However, almost all the latest NFC handsets, which are still not many, now come with both embedded and UICC secure element designs. The transportation industry has played with NFC for a long time; some implementations have appeared but no success story has been written yet. In the GSM world, major MNOs now have their own mobile wallets running on different mobile platforms, using cards installed on the UICC that run mobile payment application instances of Visa and MasterCard. These cards are personalized by banks over the air via TSMs through various working conditions. Google, and recently Microsoft, announced their own mobile wallets with an approach and intentions similar to those of the MNOs. Google also recently announced its first tablet, the Nexus 7, with NFC support. With all its patents on NFC, Apple is still expected to join the game, but the latest iPhone 4/S did not have an NFC chip.

With all this in mind, the NFC ecosystem is still in its toddler years. All those major companies have put their efforts into a new game, but the one component that matters most has still not joined the arena: the user!

NFC was initially designed for the internet of things: a device-level communication standard that will enable consumer electronic devices like refrigerators, mobile phones, TVs, cameras, locks -you name it- to transmit data over the existing contactless standards. This is supposed to enable easy and convenient use cases, bringing on a new era in which devices act differently from what they were originally designed for.

From the banking perspective, one of the main barriers preventing NFC from reaching critical mass is exactly this, the nonexistence of use cases for NFC other than payment. Otherwise for mobile payments, as TechCrunch correctly pointed out recently, we are getting into a position to solve a problem which does not yet exist.

So as of today, what should be the next step for the NFC world to reach critical mass? The answer is simple: definitely more and more use cases for NFC. Banks or MNOs will not be the main drivers here; the rest of the ecosystem, especially the consumer electronics segment, will be in charge of this task. Of course the mobile phone – the single most important device in the consumer’s daily life – still remains the core of the NFC ecosystem, but the devices transacting against the handset are even more important than the phone. It is still a chicken and egg problem since there are not enough NFC handsets, but let’s hope that all those shining predictions become reality and the growth rate in devices and transactions becomes real in the near future.

In the rest of my article, I am going to exaggerate the use cases of NFC in daily life assuming that most of the devices have NFC chips. I, as an average person will have all the required devices, hardware, software, services and apps ready to use NFC. I will dream that all the components have been implemented and are being used by ordinary people -like me.

A not-so-utopic NFC world in a not-so-far future

When I return home, I run the Key application on my phone. I enter the PIN and the application tells me to wave my phone at the lock of the door, which has an integrated contactless reader instead of a key lock. My door authenticates my identity using an RSA signature which was generated randomly based on date and time. It takes less than 300 milliseconds after I wave my phone to open the door.

I get in the house. The notification bar on my phone tells me that I need to go shopping. My food stock is running low. I go to the fridge and wave my phone against the touch screen user interface of the fridge. My fridge is a smart one: each time I put something in or take something out, I wave the product at the contactless reader inside the fridge, which manages my food stock. I define the thresholds to my own taste; for example, I must always have at least 5 bottles of beer, 3 ice creams, 10 bottles of diet coke, etc. I tap the touchscreen interface of my fridge and it tells me to wave my phone to download the shopping list to my phone. I wave it and it transmits the shopping list to the shopping list app on my phone.

I get to my car; again I open my Key application and enter my PIN on the car tab. The same thing happens as with the house lock and I am now in my car. I place my phone in its holder and it asks me if I would like to go to the supermarket -since a new shopping list has been downloaded. When I confirm this, it automatically transmits the route to my favorite supermarket to the GPS navigation in my car. (The favorite supermarket option on my phone was set by the loyalty app of the supermarket!) I begin driving in an old fashioned way: by myself!

When I park my car in the parking lot, I wave my phone at the parking spot’s sign and download the exact location of my car to my phone. Then I walk to the entrance and take a shopping cart. I start the touch interface on the cart and tap my phone to download the shopping list to the cart. My supermarket’s loyalty card details are also retrieved by the cart’s interface and I get some personalized recommendations on the screen. Then I start browsing the aisles. Each time I place a product in the cart, I wave it at the reader of the cart and it updates my shopping list. I can also view the status of my list on the screen. When I am done, I go to the check-out. The touch screen interface tells me the amount I must pay for the items in my shopping list. I open the mobile wallet on my phone, enter my card PIN and wave the phone at the screen. My bank authorizes my transaction. Of course the loyalty program of the supermarket has also downloaded the bonus points that I earned during this shopping trip to the loyalty app on my phone.

I walk to my car, and if I cannot remember where I parked it, I just wave my phone at a sign and it shows me the way to my car on my phone.

On the way home, I stop by the mall to visit my favorite coffee shop for a latte. I get inside the store and touch my phone to the check-in tag near the door. I see that a friend on my list was here 10 minutes ago and he must still be in the mall. Maybe I’ll call him, let’s see. I open the coffee shop app and order my latte inside the app. I wave my phone at the ordering terminal and the cashier confirms my order. She asks me if I want to use my bonus points for payment, which she can view on the terminal because they were sent from my app when I waved my phone. I skip it and pay with my credit card through the wallet on my phone. At the same time, I receive a text message from the coffee shop saying that I earned a free movie with my purchase, which is available now on my set top box. I tap my phone on the terminal and download my ticket to my phone.

I return home and put everything in the fridge. It automatically updates the food stock in my fridge. I am done with shopping until the next time I get a notification on my phone.

I sit back and turn on my smart TV. I bump into a commercial for the supermarket which tells me that I can get 20 percent off next week on select products if I spend a certain amount of money this week -which luckily I just did! It tells me to touch my phone to the set top box through which I am receiving the broadcast over satellite. It checks my transaction amount and downloads the 20% off to the loyalty card app on my phone. It will be available next time I go shopping. Good. I will buy the expensive Belgian beer with the 20% off I have.

Then I remember that I am entitled to a new movie that I earned from the coffee shop loyalty card. I wave my phone at the set top box and I see the message on the TV that I can view it whenever I want to.

I am now in the mood for the movie and I choose to watch it immediately. While watching it, I see a lovely watch in the movie which will be a perfect gift for my wedding anniversary. I pause the movie and open the merchandising menu. I find the watch among many other items that appeared in the movie and place an order. I choose the remote payment option and type in my phone number with the remote. I immediately receive a notification on my phone that the broadcasting company is requesting me to enter my PIN for the transaction. I tap on it and my mobile wallet runs for me to choose my credit card and key in the PIN. I see on the transaction screen that I have the option to pay in 3 installments; I go for it. I receive confirmation on my TV and my phone that the payment was successfully processed and I will receive the watch in two days. Great!

Final words

How do these 2 hours of my imaginary future life sound to you? Science fiction or likely to happen? I am up for the second!

NFC promises huge opportunities for a more connected world. We already have the connectivity on 3G/4G mobile networks; NFC provides a new layer that brings convenience to interactivity and transactions where people and devices are physically together. The sky is the limit for devices when it comes to working with NFC.

I am hoping for an NFC world driven by the ecosystem as a whole, which includes many players that do not exist in the game yet.

Google Wallet, the American way of NFC

Google has been working on Google Wallet for a long time. We saw the first NFC payment experience via Google Wallet when it was released with a Citi prepaid card on the Nexus. The first version came with a pre-installed Citi prepaid account and 10 dollars. It was a big step for the NFC world. Google made a huge step toward popularizing mobile payments. There was a minor setback when it was hacked, but Google immediately fixed it.

Now Google Wallet 2.0 has been released and this time there really is the kind of innovation that you’d expect from Google. Google is a cloud company; every Google service gets you to the cloud, so why wouldn’t its wallet do the same thing? There is a great idea behind the new wallet: it keeps your card data in the cloud and uses a prepaid card on the phone, which works as a frontend processor, or let’s say a contactless/NFC interface to your credit card in the cloud. This way, you can use any of your cards without actually enrolling it on your NFC phone – Nexus, in our case. What a brilliant idea, just as clear as I’d expect from any new Google service.

This is the kind of implementation you’d never see in Europe. Here in Europe, we are using EMV for NFC and it works in a more complex way. Of course it is possible with EMV, but charging a transaction to a card stored in the cloud via an EMV transaction flow would be far more complex -and even more so with current implementations of NFC in the MNO-dominated ecosystem.

It seems we will be in wallet wars for some more time, and let’s keep our thumbs up for Google for the smart move. Another big step for the NFC world.

BKM Express, a new approach to wallet world

BKM is the national switch, clearing and settlement processor and the regulating body for the card payments space in Turkey. BKM was founded by the Turkish banks in 1990 and since then, BKM has played a huge role in the development of card payment systems in Turkey.

I have personally been involved in many parts of the story and I am again part of another innovative project of BKM. It’s called BKM Express and it sure will play an express role in card payments in Turkey. Online payments in Turkey are on the rise and BKM is playing an invaluable part in this game. The online payments ecosystem (banks, customers, merchants, service providers, solution providers) will utilize this product eventually and all players will win.

Basically it is an online wallet where people can store credit and debit cards securely for making payments at online merchants without the need to enter card details each time. This prevents sharing the card numbers with merchants, which many people are still not comfortable with. Enrollment is also very user friendly: authentication is processed via a text message from the issuer bank, which is the very same user experience as the online banking logon (mandatory for online banking).

From the merchants’ perspective it means integrating once and avoiding all the hassle of technical problems with each bank’s online POS software services. BKM Express also supports the trademark Turkish concept of “installment payments” with credit cards. Not just installments; the loyalty program of each bank is also supported during checkout. There is even the option of submitting delivery and invoice addresses to the merchant without the customer needing to key them in each time. Turkish card holders are already familiar with the 3D Secure context and now this is the perfect complement for online payments.

Sure, it seems quite similar to PayPal, but this is the first national online wallet initiative in the world -as far as I know. There are some enhancements over PayPal: it is a product of the banks’ platform and it supports the installments of each merchant’s offering (which includes more than one in most cases). You can add both credit and debit cards, but you will be forced to use a 3D Secure payment, which is the national regulation for debit cards.

Currently 9 banks have been certified, but this covers almost 80% of the total card market. Pretty good start! It is now in the presentation phase with a limited number of merchants, but BKM is working hard to integrate with more merchants every day.

Of course a mobile application will be coming and it will be a complete solution for Turkish card holders for an online payment experience.

Contactless & NFC Ecosystem in Turkey

On 20-21st of June, I attended an event from SMi Group in London on contactless and NFC. I presented the Turkish market and Yapi Kredi’s products and services. It was a great opportunity to keep updated about the contactless & NFC space throughout Europe. I met colleagues from the industry and discussed hot topics on contactless & NFC.


OSPT Alliance

For many years, Mifare has been the king of public transportation as the ticketing platform. As I have already mentioned a few times, Mifare has been insanely successful, yet it has been proven to be no longer secure. However, it still works for many transit operators and NXP made its move to secure it with more products.

Competition against Mifare has come mainly from Calypso and Felica, and now there is yet another player in the game.

To combat Mifare, Giesecke & Devrient, Infineon, Inside Secure and Oberthur formed the Open Standard for Public Transport (OSPT) Alliance. What OSPT provides is basically a standards-based, cost-effective and secure chip platform called CIPURSE for contactless ticketing. Mifare is proprietary; you need to license it from NXP. OSPT suggests that being open and standards based is more secure and cost effective. Unlike Mifare’s cracked proprietary security algorithm, the security layer of the OSPT is AES 128 bit, which is the ultimate security you can get for now.

OSPT has been around for some time and now the SDK has been released. That means ticketing implementations can now officially be started for a new platform. Of course it is not an easy job to start a new platform from scratch but the companies in the alliance already have many customers and connections in the ticketing space and I am sure we will hear an announcement soon with the CIPURSE.

Paypal’s new president comes from Mobile space

PayPal announced its new president as David Marcus, the VP of mobile payments at PayPal. Apart from his highly successful career path, this assignment definitely points me to the fact that the mobile space is the way to go. The world’s leading e-commerce company has chosen the path through mobile payments.

I think we will be seeing more PayPal penetration into the mobile payments space. You can follow him on Twitter via @davidmarcus.

Google Wallet Hack – a possible lead to EMV in the US

Last week, we saw in the breaking news that Google Wallet was hacked. The PIN that is required to unlock the wallet is displayed within seconds by using a separate application, Wallet Cracked.

The briefest explanation of the hack is that the encrypted file in which the PIN is stored on the file system of the device is compromised. It was identified that Google uses the most common database engine for mobile applications -SQLite- for storing the PIN. By any security means, this simply is not acceptable. But of course, there is a reason for that. The PIN must be authenticated offline, so somehow it must be stored on the device. There are not that many options: either on the file system of the device or on the Secure Element. The Secure Element can either be on the handset (embedded) or can be the SIM. If you go for the SIM, it means that the MNO holds the power. If it is embedded on the device, it is up to the configuration; whoever is subsidizing the phone will have the master keys to access it.

It seems Google went for the easiest way: the file system of the handset. But in the mobile world, accessing the file system of the handset is a piece of cake for anyone who wants to do it. Both Android and iOS devices come with the file systems locked, but jailbreaking (for iOS) or rooting (for Android) enables the user to access the file system without any limitations. That simply means you can browse, view and edit any file you like -including the file that stores the PIN for Google Wallet.

Well, I can say that this would never happen in the EMV world. Here in Europe -or Turkey, to be precise- the wallet itself is not the item to protect. The wallet that the MNO provides is mainly an interface to the mobile payment application running on the SIM. You need to authenticate yourself to the mobile payment application, but this happens within the SIM and there is no way to access it from the outside. The SIM is connected to the handset run time via the Single Wire Protocol (SWP) and this is not something developers can play with. Each mobile payment application has a PIN Try Counter and you cannot verify the PIN without using the VERIFY PIN command over this interface. After 3 consecutive unsuccessful PIN attempts, the PIN is locked. There is no way to access the memory of the SIM, and the mobile payment application is not even accessible by the MNO itself. It is accessed by the bank over a secure channel through a TSM. The role of the MNO is mainly that of the enabler of the payment application. Customer processes (installation, uninstallation, PIN unlock, etc.) for the payment application are handled by the bank over the TSM, over the air.

Google immediately fixed the leak, but I think this incident will lead people to go deeper into the security of a payment application on a mobile device. The file system of the handset is not secure and you can not/must not store any sensitive data there. You need to do it on the secure element and the most mature payment solution to run on the secure element is the EMV path.
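The contrast drawn in this post, as an added example that is not part of the original article or of Google's code: a PIN verifier kept as a file on the handset can be tested offline without limit, while a secure-element-style verifier enforces the PIN Try Counter inside the chip. The salted SHA-256 record layout, the class and function names and the sample PIN are assumptions for illustration; the status words follow ISO 7816-4.

```python
import hashlib
import hmac
import os

PIN_TRY_LIMIT = 3      # the post: the PIN is locked after 3 failed attempts
SW_OK = 0x9000         # ISO 7816-4 status word: success
SW_BLOCKED = 0x6983    # ISO 7816-4 status word: authentication method blocked
SW_WRONG_PIN = 0x63C0  # 0x63Cx: verification failed, x tries remain


def make_file_record(pin: str) -> dict:
    """PIN verifier as an app might keep it on the file system (assumed layout)."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pin_hash": hashlib.sha256(salt + pin.encode()).hexdigest()}


def recover_pin_from_file(record: dict):
    """Whoever can read the record can test every 4-digit PIN offline.
    Nothing counts the attempts, because the check runs outside any chip."""
    for guesses, candidate in enumerate((f"{n:04d}" for n in range(10_000)), 1):
        digest = hashlib.sha256(record["salt"] + candidate.encode()).hexdigest()
        if hmac.compare_digest(digest, record["pin_hash"]):
            return candidate, guesses
    return None, 10_000


class SecureElementPin:
    """Toy model of a payment applet's PIN check; not a real applet."""

    def __init__(self, pin: str):
        self._pin = pin.encode()          # never leaves the (modelled) chip
        self.tries_left = PIN_TRY_LIMIT   # the PIN Try Counter

    def verify(self, candidate: str) -> int:
        """Models the VERIFY PIN command: the only way to test a PIN."""
        if self.tries_left == 0:
            return SW_BLOCKED
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = PIN_TRY_LIMIT   # success resets the counter
            return SW_OK
        self.tries_left -= 1
        return SW_WRONG_PIN | self.tries_left

    def issuer_unblock(self) -> None:
        """Stands in for the bank's PIN unlock script sent through the TSM."""
        self.tries_left = PIN_TRY_LIMIT


def guess_against_secure_element(se: SecureElementPin):
    """Same exhaustive search, but every guess has to go through verify()."""
    for guesses, candidate in enumerate((f"{n:04d}" for n in range(10_000)), 1):
        status = se.verify(candidate)
        if status == SW_OK:
            return candidate, guesses
        if status == SW_BLOCKED or se.tries_left == 0:
            return None, guesses
    return None, 10_000


if __name__ == "__main__":
    sample_pin = "7391"  # constructed sample value
    print("file system:", recover_pin_from_file(make_file_record(sample_pin)))
    print("secure element:",
          guess_against_secure_element(SecureElementPin(sample_pin)))
```

With the file-based record the search always finishes, in at most 10,000 hash computations; against the modelled secure element it stops after three guesses and only the issuer can reset the counter.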

Both Visa and MasterCard released their plans for migrating the US to EMV and I hope this unfortunate event contributes to these plans -at least on the mobile platform.

iCarte: contactless payment for iPhone

There have been a lot of rumors that the iPhone’s new release, the iPhone 4, would come with an NFC chip, but unfortunately it didn’t. It would have been a huge step for the contactless space -it could also have been a huge step for a proprietary system fully controlled by Apple. Now we will wait for the iPhone 5.

But wait, if you really want to see iPhone in action for contactless payment, you are in luck. Wireless Dynamics has a great solution for that; iCarte.

Luckily, I am part of an iCarte project here in Turkey. Yapi Kredi Bank and Visa deployed this iCarte project. Wireless Dynamics is the hardware and software provider while G&D is the TSM for personalization. Inside the smartcard within the iCarte, Visa Mobile Payment Application is running. And Visa Mobile Gateway is used for life cycle scripting.

iCarte is basically an integrated smart card and antenna attached to iPhone. Both iPhone 3 and 4 are supported. On top of the hardware, of course there is the software. Wireless Dynamics has a great app that enables the payment.

First you need to personalize the smart card embedded in the iCarte. After that, you need to verify yourself to the smart card with your PIN (passcode in Visa’s terminology). If you are the person that Yapi Kredi has authorised (Yapi Kredi is the issuer in this case), you are good to go with your iPhone for contactless payments.

When you first start the app, hardware is checked and connection is established.

After a successful start-up, you need to activate the application. This practically means you must personalize the Visa Mobile Payment Application.

Now you are ready to go.

With the iCarte, you can also save personal details of the transaction. iCarte -like other mobile payment solutions- is more secure than other contactless payment media. You can choose to enter your PIN before processing a transaction. This is optional; you can do this once and let the application process the payment without any verification.

I think it is the most usable (and practically the only) solution for the moment for contactless payment with iPhone.

Visa and MasterCard in the mobile space

We are clearly in the smart card era. Everything from set top boxes to access control systems, passports and -of course- payment systems runs on these little security tokens. There are thousands of smart card applications running on smart cards worldwide across these business fields.

When it comes to payment systems, Visa and MasterCard are the strongest influencers and the rule setters. Visa and MasterCard started EMVCo in 1994 when smart cards were ready to run payment applications. EMVCo released the first payment application standards in the late 90’s, which led Visa and MasterCard to develop their own payment applications based on EMV.

Visa’s application is called VSDC (Visa Smart Debit Credit) and MasterCard’s application is called M/Chip. They are quite similar but have many configuration differences in terms of bank’s parameter management on the application.

Naturally, it started with contact versions. They were primitive when compared with the current versions, but far more advanced for their magstripe ages. Banks did not even use the offline PIN feature, simply because the market was not ready at the time. The UK was the first country to migrate to the offline PIN -which they called Chip&PIN- after a critical mass had been reached. Turkey was the second national migration to PIN usage. (I was personally part of it.)

What EMV provided is basically a security layer to existing infrastructure and offline capabilities like offline PIN verification, offline data authentication and offline payment. It came with many updates; cards have changed, terminals have changed and of course back office systems have changed.

Then the hardware (chips) evolved into the contactless space. Both Visa and MasterCard developed dual interface (a.k.a. contactless) versions of their applications. MasterCard was faster; they released a stable application years before Visa and named it PayPass. The US was the first country to implement PayPass.

In the meantime, the US had never left the old magnetic stripe cards. As a result, the US had hybrid cards: a contactless-only chip with a magnetic stripe. The US versions of the contactless applications work only online, while the EMV versions can work both online and offline. The US version has only one security enhancement over contact magstripe – a dynamic CVV code.

Visa released the application later under the name of payWave.

The basic difference between Visa and MasterCard’s contactless applications is that MasterCard uses the standard EMV flow while Visa uses a shortcut bypassing many EMV steps. It is arguable which one is better, but my personal taste is with MasterCard.

When it comes to mobile, MasterCard is still ahead of Visa. They have had a working Mobile PayPass application for a while. That’s why current NFC pilot programmes run MasterCard. Visa is now ready to kickstart a mobile version of payWave -which is called the Visa Mobile Payment Application, VMPA.

So, what is new in the mobile versions? First, there is now a user interface for the application on the mobile device, through which the cardholder can activate the application, change the PIN, view transactions, etc. Mobile versions have the capability to be managed over the mobile network operator’s (MNO) OTA (over the air) channel. OTA is also the personalization interface of the application. Banks are now able to communicate with the application anytime they need to. (Of course, it is not as easy as it sounds.)

Since the applications run on SIM cards (or secure elements, as per the popular phrase), banks now have a mandatory partner for their customers: the MNOs. Personalization and life cycle script management run over the MNO’s OTA infrastructure. Also, the process of issuing a new card is a brand new one. The MNO is highly involved in every step during the life of a mobile payment application.

The SIM is owned and controlled by the MNOs, so banks are now forced to share the SIM with competing banks. MNOs create and rent the mobile wallet to banks and other service providers.

Also, application version control is now handled by MNOs. Visa and MasterCard now have another customer; the MNOs.

This is a brief history of Visa and MasterCard’s smart card applications from contact to mobile. We will see how this evolves in even more interesting ways. And I believe it will not take more time than it did before.

Isis becoming a TSM

Isis is a unique approach to the contactless space formed by three mobile network operators in the US: AT&T, T-Mobile and Verizon. It certainly is one of a kind; no other country has had such an organization to handle a new functionality on mobile phones. It sounded quite exciting.

In the new era, banks and MNOs seem to confront each other -I do not agree, though. MNOs in the US got together to handle it. And they started it in the most US way possible: they announced that they were starting a new payment scheme. They must have thought that they had all the components needed to start a new payment scheme: a mobile network, customer data with constant interaction, and distribution channels. However, it didn’t take more than a few months for Isis to recognize that it was a far more complicated task to do with what they had. There are a thousand other issues to consider and Isis was not prepared for that.

Then in May, Isis announced that they had cancelled the original plan and were now ready to reconcile with existing payment schemes. And after all, it seems that Isis is turning into a giant TSM for US banks.

It is a reasonable point for me to see that Isis is now a gateway between the banks and the mobile wallet. Isis will develop a mobile wallet in which banks, transport authorities and any other service provider can co-exist with each other. And it is a huge step that all the carriers are in the game; banks and customers will be free to choose (and switch). Isis will play a central role in managing all the applications that reside on a mobile wallet. It is at least a successful step in the mobile wallet wars for the MNOs.

Although it did not start with the current targets, I think Isis is a revolutionary step for the NFC era. Isis will definitely help NFC to reach masses. I will be watching!