As the global banking community wakes up to NFC technology for enabling mobile payments, what are the key differences in deployment technologies that banks can choose to bring contactless payment services to market?

When Apple brings out its latest innovation it tends to reset consumers’ expectations of what is possible. With the launch of Apple Pay in the US in 2014, it meant that near field communication (NFC) technology was put on the radar for a wider audience. The technology, which enables people to pay with a
payment card or mobile phone by waving their device against a terminal, has been developed by the payments industry over a number of years, but Apple has now put it on the map for the general population.

“Apple Pay was good news for the NFC ecosystem,” says Hervé Pierre, Chairman of the Board of SIMalliance. “Before the iPhone 6 nobody knew what NFC was, and now, after the launch, everybody knows what NFC can deliver.”

A Larger Trend

NFC-enabled contactless cards or smartphones enable consumers to pay for a newspaper or a coffee, for example, with a quick wave, rather than fumbling around for change or entering a PIN into the retailer’s card reader. But NFC is not just about the removal of small change from the economy. It is part of a much larger trend, says Mr Pierre, from physical to electronic transactions.

This migration of payment transactions into the digital world is significant because of all the other things that are possible. Mr Pierre makes the comparison with the move from writing a physical letter to sending an email. To the sender and the receiver it doesn’t make a huge amount of difference whether the letter is written by hand or typed on a
computer, he says. “It is the same whether you pay with a bank card, or pay with a mobile, it makes no real difference to the payment, since that takes place regardless,” says Mr Pierre. The main difference, however, comes in the other applications that can accompany the transaction.

With emails it is possible to retrieve and forward the message, insert contacts from an address book, or send attachments, for example. Moving to NFC technology on a smartphone is the same, says Mr Pierre, as numerous applications can be linked to the payment, such as e-receipts, ebanking services, loyalty applications, expense notes and budget planners. It is no longer just about the transaction itself, but rather all the other things that are possible, especially as consumers move to a mobile world within which they use their smartphones as a remote control for their lives on the move.

NFC technologies

Security considerations 

When introducing a NFC payments programme, there are choices to be made about the type of deployment technology to be used. For example, Apple Pay indirectly followed the recommendation of SIMalliance by introducing a hardware based secure element. While Apple did not choose a SIM controlled by a mobile network operator, it did choose to deploy an embedded secure element, over which it retains full control.

Which type of secure element to use is only one of many possible decisions that need to be made when deploying NFC payments; perhaps a more topical question is whether to launch NFC services using a secure element (SE) or with host card emulation (HCE).

Mr Pierre explains the basic differences between the two technologies: “A secure element is, in fact, a combination of software and dedicated tamper resistant hardware. It’s an extremely secure component which is located in the device being used to access and perform transactions. It provides the most secure environment possible for payment applications to be stored,  executed and managed,” he says.

“HCE offers a very different approach, because it’s a pure software solution option. Instead of having a secure component within the device to host your payment application, you are instead using the open operating system of the device which is vulnerable to malware. So, firstly, it’s based on software, and secondly, it’s open. In summary, there is no security mechanism in HCE. That’s a key difference. Nevertheless, there is the possibility to secure HCE using additional mechanisms, either in the cloud, or locally, for example using a secure element in a hybrid solution.”

Another difference between the SE and HCE is the maturity of the technologies. The SIM and embedded secure elements have been around for a long time and they have robust certification frameworks in place. In contrast, HCE is just starting out and has a long way to go before it can establish a certification scheme that is comprehensive enough to win the confidence of both banks and their customers. 

When HCE was introduced, it received a lot of attention in the industry. Does Mr Pierre think that the benefits of HCE
were exaggerated?

 “Yes and no. First, I would say no because HCE definitely simplifies the development and deployment of NFC applications. In other words, it’s very good news; you can be independent and launch your application independently from the issuer of the secure element. Yet this is only really the case when we’re talking about applications which do not require any level of security,” he says. 

Mr Pierre explains why the benefits were exaggerated to a certain degree: “As soon as you need a security mechanism for your application, you will have to put in place a more complicated infrastructure. At some point, you will have to face some constraints, you will have to face some costs, and I believe that it could be a more complex process than that represented by the secure element infrastructure,” says Mr Pierre.

In making the choice between HCE or SE technologies, there are different use cases for each. For example, HCE could be the most appropriate option for low value transactions.

“HCE could be a very good option for replacing a low value transaction or application, but as soon as you are looking at higher value transactions, then a secure element is mandatory,” says Mr Pierre.

Mr Pierre notes that since security is one of the key differences between SE and HCE, it is one of the considerations for banks when deciding which to adopt in their NFC programme.

NFC technologies II

Avoid deployment pitfalls 

Another key issue for banks is their approach towards deployment: “The question for banks to ask is: Will we do it [deployment and application management services] ourselves, or will we buy it from another player? For instance, if you choose to deploy a NFC application yourself, then you will have to have some mechanism in place to distribute the application, to manage the transaction, and also to manage the life cycle of the application. Clearly, this has a cost. The question at this point then becomes will I share this cost with someone else?”

There are pitfalls of working with a partner – a mobile network operator or device manufacturer for example. For banks choosing this route, Mr Pierre suggests they need to “find a solution that is well-balanced”. There are recognised technical and business model challenges throughout the development and deployment stages, but if these can be overcome, banks can take advantage of the security and usability benefits offered by the SE. 

There are also pitfalls if banks choose to go it alone with the HCE model. “You will have to reinvent everything that has been done before and you will have to reinvent the infrastructure to be put in place. You will have to go through new certification processes and interoperability issues,” says Mr Pierre. He recommends that banks and financial institutions in this situation look again at using the secure element. “Even if this secure element is controlled and managed by someone else it’s simpler, the infrastructure is already in place, you just have to use it,” says
Mr Pierre.

The NFC ecosystem relies on a number of parties and a number of factors are critical for the ecosystem to develop in a way that is secure and efficient.

One issue for the industry, notes Mr Pierre, is to find ways to defragment the market with its numerous players. “We have to have a more collaborative and flexible approach,” he says. He also thinks it’s important for the industry to look at best practices across the world, which can spur more successful initiatives. He gives the example of EnStream in Canada: “EnStream is a group of banks and MNOs [mobile network operators] that gives access to 95% of Canadian mobile phone users and 85% of Canadian retail bank customers.” This sort of project, he says, is the kind that needs to be replicated all over the world in order to build a sustainable and successful NFC ecosystem.

In terms of how the NFC ecosystem will evolve, Mr Pierre says, “I believe that there is a place for all existing technology: HCE, secure elements and hybrid solutions. NFC will continue to grow, but in order for it to be sustainable all players will have to find their role and everybody will have to get a piece of the cake. So, again, this has to be well balanced, and this has to be a win-win situation.”

When asked to predict how long it will be before paying with NFC becomes mainstream, Mr Pierre says: “It’s very difficult to predict because the answer is not in the hands of the consumers or in the hands of an association like us. The answer is definitely in the hands of the ecosystem.”

This is a Masterclass Series article, sponsored by SIMalliance.

PLEASE ENTER YOUR DETAILS TO WATCH THIS VIDEO

All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker



For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Join our community

The Banker on Twitter