A Finextra member 12 February, 2015, 13:31 0 likes

Good effort by Rabobank, although the embedded secure element model will limit the scalability of this offering to customers with other mobile devices. I hope they will make the switch to cloud-based mobile payments to enable the service on a large majority of Android devices.

Stephen Wilson - Lockstep Consulting - Sydney 12 February, 2015, 17:17 0 likes

I take a different view from Andre Stoorvogel. The convenience tradeoff with cloud based wallets is too great. With smart phone penetration around 70% and in two years time, Secure Elements and TEE expected to be at similar rates of availability, we should indeed be using local, user owned hardware security. Secure Elements do scale insofar as they are apporaching ubiquity. We don't put EMV cards or ATMs "in the cloud". All serious payments security rests on local hardware based cryptography (see http://lockstep.com.au/blog/2014/03/26/uniform-approach-cnp) and mobile payments should not be any different. 

See also 

A Finextra member 12 February, 2015, 18:23 0 likes

Stephen, the problem is not the availability of secure elements, it's about who owns the secure element and how to get access to it. This has been a struggle for years and one of the main reasons why mobile payments have not been taking off yet on a large scale. A secure element in the cloud solves that and I believe that in combination with EMV tokenization, it is a much more attractive alternative to the costly and complex model of an embedded secure element (atleast for Android).

Shane OHara - AXLPay Mobile Payments - London 12 February, 2015, 18:35 0 likes

Whilst I see the attractiveness of the SE model, I cannot agree with Stephen Wilson. The statement about putting EMV cards and ATMs in the cloud does not really hold much meaning ... EMV cards are in the cloud in the sense that in spite of local cardholder verification, the vast majority of transactions are online and authenticated as a complete transaction on the issuer side. The advantage of cloud based operations outweighs the SE model in that the Issuers ability to make an informed decision to approve/decline is enhanced by the cloud data passed to it (eg, token passed to phone at time hhmm, geographical location patterns as expected etc etc). Further the cloud allows card processors to enhance EMV through usage of cryptography of their own within discretionary components of the authorisation message. The cloud allows far better control when it comes to hosting your wallet on multiple devices.  All routes have their challenges - but its probably a given that we are heading towards ever greater connectivity, not isolated behaviour. 

A Finextra member 12 February, 2015, 19:29 0 likes

Seems that the major networks are already embracing the notion of cloud-based credential delivery systems, especially when the actual credentials are tokenized.  One thing learned from the Softcard activity in the States, avoid chokepoints controlled by others whenever possible.  Stephen may well be correct about the incremental security, but at what cost?

A Finextra member 12 February, 2015, 20:57 2 likes Two years ago Samsung was positioning it's embedded secure element in the S4 as a SIM SE replacement and pre loading the Visa and MasterCard apps. Two Australian banks CBA (MasterCard) and Westpac (Visa) launched solutions around a year ago. What happened next? Samsung dropped the embedded SE from the Galaxy S5 everywhere except Australia as Google confirmed HCE in Android 4.4. So if you're a Rabo customer and you've got an old Samsung device your're in luck. If you're looking for a service that will roll out on multiple devices you may prefer to look elsewhere. The impending launch of "SamsungPay" may deliver a new twist to the story but my guess is that this is either a very late project delivery, a strange strategic move to get something to market after the demise of six pack or some brilliant insight based on Samsung strategy that isn't yet public.

A Finextra member 13 February, 2015, 09:47 0 likes

As Martin and Douglas so clearly point out, the phone producers are a moving target for payment providers - who knows when they make a change that brings down the service or makes it insecure? I guess Rabobank would like to win some experience and show some commitment to phone producers. With regards to security the SE is probably good for secure storage but once there is a screen, keyboard and payment app involved,  malware can control anything that goes between the app and the secure element. This is why all payment apps must be able to defend themselves against malicious code injection.

A Finextra member 18 February, 2015, 12:22 0 likes

I suspect Martin, it's the result of one of your first two guesses. It's a pity that device features and characteristics vary from territory to territory then again by what the major operators want from them (e.g. dual SIM slot offerings for some areas but not others etc). The problem arises with any device centric solution or feature; it's only temporary and then quickly succeded it seems every six months with new device launches. Lifting the solution out of the device architecture dependencies and up to the platform instead (OS or cloud) offers much more device reach and user freedom, surely.

However, I'm always a keen advocate of experimentation and piloting and the operational and implementation learnings the business take away from this. Whichever way it works for Rabobank much will be learned and understood for the good.

Shane OHara - AXLPay Mobile Payments - London 18 February, 2015, 18:57 1 like

Agreed Marcus. Cloud contact with a device allows closer contact.. ie closer scrutiny by the issuing side and hence protection against fraud. With frequent token cycling and p2pe the bones of good longer term solutions are there. My biggest concern is that with the proliferation of solutions being put into play, whilst most will be robust, some will be, inevitably, weak and when exploited, public confidence will be rocked.