HCE: We are not in Kansas anymore


Both Visa and MasterCard announced their support for HCE and their intent to release HCE specifications soon. I have been talking about HCE since late 2012 (partly due to my involvement with SimplyTapp), and you can read why HCE matters and what the Android KitKat HCE announcement meant for payments. But in light of the network certification announcements yesterday, this post is an attempt to provide some perspective on what the V/MA moves mean, how their approaches differ in certifying payments using cloud-hosted credentials, what issuers should expect from a device and terminal support perspective, why retailers should take note of the debate around HCE and ultimately – the role I expect Google to continue to play around HCE. All good stuff.

First, what do the V/MA announcements mean?

It means that it’s time for banks and other issuers to stop looking for directions. The network announcements around HCE specifications provide the clarity required by issuers to meaningfully invest in mobile contactless provisioning and payment. Further, they remove some of the unfavorable economics inherited from a secure element-centric model, under which issuers were forced to default to credit cards with higher interchange in the wallet. Renting space on the secure element cost a pretty penny, and that is without taking operational costs into consideration; as an issuer, if you are starting in the red out of the gate, you were not about to put a Durbin-controlled debit card in the wallet. But those compulsions go with the wind now, as you are no longer weighed down by these costs and complexities on day one. And further, the door is open for retailers with private label programs or gift cards to also look at this route with a lot more interest. And they are. MasterCard mentioned bank pilots around HCE in its press release, but MCX is hardly the only retailer payment initiative in town. Let me leave it at that.

How do the MA/Visa specs differ?

From the press releases, some of those differences are evident – but I believe they will coalesce at some distant point in the future. MasterCard’s approach speaks to mobile contactless as the only payment modality, whereas Visa refers to augmenting the PayWave standard with QR and in-app payments in the future. Both approaches refer to payment tokens (single or multi-use) and one can expect them to work together with cloud-provisioned card profiles, to secure the payment transaction and verify transactional integrity. To MasterCard’s benefit – it has given much thought to ensuring that these steps – provisioning the card profile, issuing payment tokens et al – are invisible to the consumer, and it therefore refrains from adding undue friction. I am a purist at heart – and I go back to the first iteration of Google Wallet – where all I had to do to pay was turn on the screen and place the device on the till. That is the simplicity to beat for any issuer or retailer payment experience when using contactless. Otherwise, they are better off ripping out the point-of-sale altogether.

MasterCard’s details also make a reference to a PIN. The PIN will not be verified offline as it would have been if a Secure Element had been present in the device; rather, it would be verified online, which tells me that an incorrect PIN, if input, would be used to create an “incorrect cryptogram” which would be rejected upstream. Now I am conflicted about using a PIN at the point of sale for anything – to me it is but a band-aid; it reflects the inability to reduce fraud without introducing friction.
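A minimal model of the online PIN check inferred above, added here as an illustration and not taken from the MasterCard or Visa specifications. HMAC-SHA256 stands in for the real cryptogram algorithm, and the key-derivation step, token ids, PINs and transaction fields are all constructed assumptions.

```python
import hashlib
import hmac

def derive_key(single_use_key: bytes, pin: str) -> bytes:
    """Mix the PIN into the single-use key; the PIN itself is never stored or sent."""
    return hmac.new(single_use_key, b"PIN|" + pin.encode(), hashlib.sha256).digest()

def device_cryptogram(single_use_key: bytes, entered_pin: str, txn: bytes) -> bytes:
    """Device side: there is no local PIN check, so any PIN yields *some* cryptogram."""
    pin_bound_key = derive_key(single_use_key, entered_pin)
    return hmac.new(pin_bound_key, txn, hashlib.sha256).digest()[:8]

class Issuer:
    """Cloud side: holds each token's single-use key and the cardholder's PIN."""

    def __init__(self):
        self.tokens = {}  # token id -> (single-use key, PIN on record)

    def provision(self, token_id: str, key: bytes, pin: str) -> None:
        self.tokens[token_id] = (key, pin)

    def authorize(self, token_id: str, txn: bytes, cryptogram: bytes) -> str:
        # Single-use token: consumed on the first attempt, right or wrong,
        # so a replay or a second PIN guess against the same key is refused.
        record = self.tokens.pop(token_id, None)
        if record is None:
            return "DECLINE: unknown or already used token"
        key, pin_on_record = record
        expected = device_cryptogram(key, pin_on_record, txn)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"  # a wrong PIN surfaces only here
        return "APPROVE"

def demo() -> list:
    issuer = Issuer()
    key1, key2 = bytes(range(32)), bytes(range(32, 64))  # constructed sample keys
    issuer.provision("tok-1", key1, "4821")
    issuer.provision("tok-2", key2, "4821")
    txn = b"amount=12.50|currency=USD|terminal_nonce=9f3a17c2"  # constructed
    good = device_cryptogram(key1, "4821", txn)
    bad = device_cryptogram(key2, "0000", txn)  # wrong PIN entered on the device
    return [
        issuer.authorize("tok-1", txn, good),  # correct PIN
        issuer.authorize("tok-1", txn, good),  # replay of the same token
        issuer.authorize("tok-2", txn, bad),   # wrong PIN, rejected upstream
    ]

if __name__ == "__main__":
    print(demo())
```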

Visa so far seems to be intentionally light on details around mandating a PIN, and I believe not forcing one would be the correct approach – as you wouldn’t want to constrain issuers to PIN entry as the means of authentication, and instead should lay down the requirements but leave it to the market to decide what would suffice – PIN, biometrics et al. Again – I hope these specs will continue to evolve and move towards a more amenable view of customer authentication.

Where do we stand with device and terminal support?

All of this is moot if there are not enough devices that support NFC and specifically – Android KitKat. But if you consider Samsung devices by themselves (which is all one should consider for Android) they control over 30% of the NA market – 44.1 million devices sold in 2013 alone. The lion’s share of those devices support NFC out of the box – including Galaxy Note II and 3, Galaxy S3 and S4 – and their variants mini, Active, Zoom et al. And still, given the disparity in their approach to secure elements and the continuing lack of standards and Android support, Tap and Pay was largely a dream.

What was also worrisome is that 3 months after the launch of Android KitKat – it still struggles under 2% in device distribution.

Android Distribution

That being said, things are expected to get markedly better for Samsung devices at least. Samsung has noted that 14 of its newer devices will receive KitKat. These devices include all the NFC phones I have listed above. Carriers must follow through quickly (tongue firmly in cheek) to deliver on this promise before customers with old S3 devices see their contracts expire and move to a competitor (iPhone 6?). Though there was always speculation as to whether an MNO will reject HCE as part of the Android distribution, I see that as highly unlikely. Even Carriers know a dead horse when they see one, and Isis’s current model is anything but one. Maybe Isis will move to embrace HCE.

And then there is the issue of merchant terminals.

When a large bloc of merchants is invested in upending the role of networks in the payment value chain – that intent ripples far and wide in the payments ecosystem. Though it’s a given that merchants of all sizes can expect to re-terminalize in the next couple of years to chip & pin (with contactless under the hood) – it is still the prerogative of the merchant as to whether the contactless capability is left turned on or off. And if merchants toe BestBuy’s strategy in how it opted to turn it off store-wide, then that limits the utility of an NFC wallet. And why wouldn’t they? Merchants have always viewed “Accept all cards” to also mean “Accept all cards despite the form factor” and believe that contactless could come to occupy a higher interchange tier in the future – as questions around fraud risk are sufficiently answered by the device in real-time. This fear, though, is largely unsubstantiated, as networks have not indicated that they could come to view mobile contactless as being a “Card Present Plus” category that charges more. But in the absence of any real assurances, fear, uncertainty and doubt run rampant.

But what could a retailer do with HCE?

If re-terminalization is certain, then retailers could do much to explore how to leverage it to close the gap with their customers. Private label credit and closed loop are both viable alternatives that can now be carried over contactless – and if previously retailers were cut out of the equation due to the heavy costs and complexity of provisioning cards to phones, they have none of those limitations now. A merchant could now fold a closed loop product (like a gift card) into their mobile app – and accept those payments over contactless without resorting to clunky QR or barcode schemes. There is a lot of potential in the closed loop space with HCE that retailers are ignoring due to a “scorched earth” approach towards contactless. And smarter merchants are asking ‘how’.

Finally, what about Google?

Google deserves much praise for finally including HCE in Android and paving the way for brands to recognize the opportunity and certify the approach. That being said, Google has no unequal advantage with HCE. In fact, Google has little to do with HCE going forward, despite Google Wallet’s utilization of HCE in the future. I would say – HCE has as much to do with Google going forward, as Amazon’s Kindle Fire has to do with Android. Banks and Retailers have to now decide what this means for them – and view HCE as separate to Google – and embrace it if they believe it has potential to incent their brands to remain top of wallet, and top of mind for the consumer. It is a level playing field, finally.

Where do you go next?

Indeed – there is a lot to take in – starting with HCE’s role, where it fits into your payment strategy, the impact of and differences in the V/MA approaches, and weaving all of these into your mobile assets while not compromising on customer experience. Clarity and context are key and we can help with both. Reach out to us for a conversation.

HCE is a means to an end – freeing you from the costs and complexities of leveraging contactless infrastructure to deliver an end-to-end mobile experience, but there is still the question of how your business should evolve to cater to the needs of your customers in the mobile channel. Payment is after all, just one piece of the puzzle.

Please leave your comments below.



I am the Mobile Commerce and Payments Lead at Experian Global Consulting and I serve Experian's clients in Banking, Retail, Consumer Credit and Payments on strategy, innovation and emerging business models around mobile. I am on the Advisory Board for SimplyTapp and ModoPayments. I am an Affiliate Analyst for Yankee Group focused on Mobile Marketing and Commerce Strategies. Previously I founded DROP Labs, a mobile payments/commerce strategy and advisory practice focused on banking & retail. Tweets here. I'm on LinkedIn here.
Cherian Abraham
  • http://twitter.com/mordyk Mordy Kaplinsky

    “Banks and Retailers have to now decide what this means for them – and view HCE as separate to Google – and embrace it if they believe it has potential to incent their brands to remain top of wallet, and top of mind for the consumer. It is a level playing field, finally.”

    Well said! Banks and retailers as well as everyone else need to look at HCE simply as a capability that’s available similar to an API, but has zero relationships with Google, so no concerns about sharing the data, etc.

  • Alain Letzebuerg

    Hi Cherian,
    Thank you very much for your interesting point of view.
    I’m not a specialist concerning HCE but I ask myself a very partical question,

    Paypal for example has hundreds of millions credit cards in their databases, which it now uses to fund the payment transactions made by their customers.
    Paypal also has a mobile App used by millions of their customers.

    Can Paypal use these credit cards in combination with HCE in order to conquer the retailers by being NFC compatible ?
    Or in other words, is it technically possible for Paypal to “load” my credit card in “my” Paypal App which then allows me to pay at the local restaurant via NFC ?

    If that’s possible, then I think banks will get into serious trouble, imagine a Walmart App in which I loaded my Visa Card. Every time I shop at Walmart, I pay with their App and they take the money from my Visa Card.

    I would be very very grateful if you could help me with my question.

    Many Thanks in advance

    Alain Letzebuerg

    • droplabs

      Alain – No they cannot. However they could do what Google once attempted to do – do a real-time debit from a funding source (ACH, debit) with a pre-paid debit on front. It would probably not last because both Issuers (and networks) will hate that their brand is being wrapped. PayPal can issue their own credentials that resolve to a different funding source in the cloud. But they cannot use their card-on-file to provision a card profile to be used at a retail point-of-sale.

      But you bring up a good point. How would networks and issuers look to defuse the threat of millions of cards on file – that could be used by the likes of Amazon, Paypal and others? Or how do they enable these credentials to be used in an off-line scenario without the “Card not present” rate baggage? This question must be explored.

      • Alain Letzebuerg

        Hi Cherian,
        Many many thanks for your answer. I really really appreciate that you took the time to reply to me.

      • Thomas Normann

        Hasn’t SimplyTapp proven this could be possible? Or do they fetch other/more data when swiping/skimming the card?

        • droplabs

          Thomas – Alain is referring to a simple “Card on file” vs the information stripped from the magstripe during a swipe.

  • Kedar Deo

    Does the issuer need to be worried about device eligibility and certification for HCE just like in the SE world TSM performs the eligibility check function?