Stephen Wilson in Lockstep

A post relating to this item from Finextra:

02 August, 2012 Google Wallet moves to the cloud to support all credit and debit cards Google is bidding to breathe new life into its stuttering mobile wallet platform by launching a cloud-based version of the app that can be linked to Visa, American Express and Discover cards.

Now is not the time to go soft

03 Aug, 2012 08:57

Online computing represents probably the first new platform in thirty years. Not since the PC have we seen a whole new hardware-software-solution-product environment emerge. It's understandable that there's a mad land grab for app-driven market share. But you'd think that the rush to market would be moderated by a realisation that we ought to be building security into the platform from the start and not repeating the awful misadventures that continue to plague PCs. I don't need to turn this post into a lecture, for it's widely known that general purpose PCs and Internet protocol for that matter were never engineered to be properly secure, and yet we pile them high with payments applications that totally evade the standards and regulations that keep POS, ATMs, interbank settlements and so on safe.

Now, the mobile platform has all the right attributes to make safe the next generation of consumer payments. In particular, NFC devices come with "Secure Elements": certifiably secure tamper resistant chips in which the crypto-magic happens, and where the mission critical apps run. The Secure Element is a god send. And it is supported in the NFC architecture by Trusted Service Managers (TSMs) operated by telcos and which securely transfer critical data and apps from verified partipants (like banks) into the consumers' devices. The TSM is a lot like the GSM personalisation infrastructure that governs SIMs worldwide, to secure mobile phone billing.

So NFC is so much more than the radio link that allows your device to 'send money' to a cash register. So much more.

The first NFC mobile phone wallets used the Secure Element as the fit and proper place to hold your account details. But now Google wants to shove credit card numbers up into the cloud. It seems that loading CCNs one by one into the Secure Element of the phone is all too hard for them. This move looks to me like a cynical and hasty security concession for the sake of convenience. And why? It beats me why thoughtful implementation of a TSM wouldn't allow new CCNs to be provisioned to the Secure Element of any participating NFC wallet as easily as new phone number are set up in a SIM. There's nothing in the tech that stops sensitive data being provisioned almost instantly, over the air into NFC phones.

Of course, there are other reasons for Google to prefer the cloud to silicon. They might for example seek to disintermediate the TSMs. Even more strategically, they generally prefer as much user information to be on their servers as possible, where they reserve the right to mine it. After all, it is said that information about how people use money is more valuable these days than the money itself.

It's astonishing that we wouldn't use Secure Elements for Card Not Present m-commerce transactions. We have literally a once in a generation opportunity to forge a really safe cyber payments environment. Let's not blow it.

Comments

Added: 06 August, 2012 - 15:04 | Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune

It's not as though Google began with this architecture. Whatever Secure Element gives by way of security, it seems to take away by slowing down adoption. Re. "there's nothing in the tech that stops sensitive data being provisioned a(l)most instantly, over the air into NFC phones", any idea if multiple credit card details can be stored concurrently on the Secure Element of a single smartphone?

0 thumb ups! (Log in to thumb up)

Added: 06 August, 2012 - 22:12 | Stephen Wilson - Lockstep Group - Sydney

Secure Elements come in a variety of form factors and memory capacities. They're just chips, like smartcards, and as such can be as large as we like, subject to the normal design tradeoffs. With their influence, big players like Google and banks could drive device manufacturers to make SEs as big as they like for their needs. Today, typical SEs have storage of around 100KB, more than enought to store half a dozen CCNs and still meet all the other demands on SE memory.

I'd like to see some analysis of why using the Sercure Element is thought to impede take up. It's not like the SE and Trusted Service Manager (TSM) are innately visible to consumers.

PS. thanks for picking up my typo! I'll fix it.

0 thumb ups! (Log in to thumb up)

Added: 07 August, 2012 - 13:30 | Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune

@Stephen W:

TY for clarifying that a typical Storage Element has a capacity of 100KB, which can store a half dozen credit cards. This is certainly adequate for most users, especially if this capacity is expandable.

However, against that backdrop, I'm unable to understand why Google Wallet was able to support only one CCN until it announced its recent expansion into the cloud? Whereas, from day one, competitors like Pay with Square, PayPal Here, LevelUp and other mobile wallets that don't use SE / NFC have been permitting users to upload any credit card to their mobile wallets. Maybe this stark difference in end-user perceptible functionality between the SE and non-SE camps has resulted in people - me included - jumping to the conclusion that, in the case of SE / NFC, they have no choice of which CC they can use, which can only be decided by the combination of PSP, MNO and Handset Manufacturer. As long as people have this perception, it's not surprising that SE / NFC has slowed down adoption because very few users would sign up for a CC just because it's the only one supported by Google Wallet.

On futher thought, this perception seems to be very real because, if it was possible for Google Wallet to permit the user to upload any credit card to the SE / NFC, why did it announce cloud support now, and specifically link support for multiple CCNs to the cloud?