Blog: The NFC Tragicomedy: Where the MNOs Went Wrong (March 2014)

By Sirpa Nordlund, Mobey Forum

My heart goes out to mobile network operators (MNOs), having invested so heavily NFC. So much noise; so little music.

In what some may interpret as deeply ironic, the major payments schemes have chosen GSMA’s Mobile World Congress—the mobile network association’s annual event—as their platform to publish plans for NFC payments. At the last two conferences, the news has been rather less than positive for MNOs. Last year Visa and Samsung together revealed “the comeback” of the embedded secure element (SE). This year, Visa and MasterCard announced their joint support for host card emulation (HCE). Both announcements are geared toward the development of NFC payment environments that enable service providers to bypass the MNOs in the value chain (almost) completely.¹

Plot Analysis: Where Did It Go Wrong for MNOs?

It would be wrong to suggest that GSMA has been sitting on its hands, waiting for NFC to happen. The association has put a huge amount of effort into driving NFC forward, demanding adoption of the technology by its member MNOs. In fact, during my 15 years in the telecom industry, I haven’t seen any other single feature or technology pushed with such force.

The problem is that this force encouraged MNOs to “go solo.” Each operator specified its own method of deploying the technology, making service implementation programs long, complex, costly and heinously frustrating for service providers hoping to get to market before their competitors.

The 5 Stages of Mobile SEs

1. In 2004, Nokia released the first NFC phone featuring an embedded SE. Operators objected to the approach almost immediately; they did not see a need for more than one smart card in any one handset and feared the SIM could even be bypassed for traditional voice network and SMS-based mobile network services.
2. In 2005, GSMA started to take matters into its own hands. Its desire to implement SIM-based SEs delayed industry progress by at least three years, due to an interesting, but lengthy, ETSI standardization process.
3. Between 2007 and 2012, uptake of single wire protocol (SWP) and SIM SEs was very slow, as operators could not see a clear business model and GSMA did not include SWP in its requirements for handset manufacturers. The payment schemes had joined GSMA and were working to build the brave new world of SIM-based NFC. But, the worst was still to come—there was no demand. The finance sector resisted delegation of payments to MNOs and the involvement of a third-party trusted service manager (TSM) to manage the life cycle processes. Even with so many chefs baking what should have been a fabulous cake, the end result resembled a pancake.
4. At the 2013 Mobile World Congress, it became evident that the pancake was inedible. Samsung and Visa reintroduced the embedded SE, and Bankinter announced work on the cloud SE, raising the hopes of banks planning to introduce mobile NFC payments.
5. The 2014 Mobile World Congress saw Visa and MasterCard announce their support for the host card emulation (HCE) approach and witnessed more banks hopping on the HCE bandwagon.

Is There a Preferred NFC Form Factor?

Many behind-the-scenes security experts (adamant that they must remain anonymous) say the one and only truly secure approach would be the embedded SE, with root keys managed by a device manufacturer. Security is always at its best when it is a combination of hardware and software. The hardware-only approach is like an eggshell: Once it is cracked, it can never be fixed. But when hardware and software are combined, it’s possible to build extremely strong security. Embedded SEs would meet all of these requirements as various levels of security would be managed by independent parties. This model still requires cooperation among players; however, as MNOs could theoretically deny access to the embedded SE.

HCE Plot-Twist: Immature Potential

The payments schemes’ support for HCE was a shock to MNOs. This announcement came while the troubled (pan)cake was still baking and, because use of any other secure element form factor than the SIM is so difficult for MNOs, the payments industry now has turned its attention to a software-only security solution.

While we cannot discuss the security of HCE down the line, it is fair to say it’s still immature and has a lot of unclear issues. The industry is in a state of flux currently and it will be interesting to see how this all plays out.

The final chapter in our tragicomedy might be the wait for standardization, security solutions and handset support. Currently, HCE is only supported by selected Android (KitKat) and BlackBerry phones. Additionally, the NFC controller is only open to two form factors of SE (SIM and embedded) due to standards created in the early days of SIM SE support. The support for software SEs is there, but it needs an open API and industry support for a standardized way of utilizing the technology. After standardization is agreed upon, it still will require integration by the handset vendors, so there is much work to be done.

We have waited nine years for NFC to take off and have been told many times that it will be there “next year.”

Rest assured NFC HCE will come.

Next year.

Sirpa Nordlund is executive director of Mobey Forum, a bank-led industry association devoted to driving mobile financial services. She spent 10 years at Nokia, where she held several management positions and was involved with the business development of NFC. Sirpa is based in Helsinki and can be reached at [email protected].