Check out this blog from ScotlandIS member, PACE, discussing Apple’s changes to access for third parties to Near Field Communications for mobile payments.
On the 14th of August, Apple announced that it was opening up Near Field Communications (NFC) and the Secure Element (SE) on iPhones to third parties. This was the news that the payments industry and many others had been waiting for. But is this as revolutionary as it initially seems?
I’ve been involved in mobile payments since 2010. Even in those early days of technology demonstrators and pilots, the big question was iOS. Many banks I spoke to were interested in developing their own wallet, but only “once iPhone is possible.”
It wasn’t just payments. I was lucky enough to be part of one of the first hotel mobile room key pilots. As the NFC antenna on iPhones was reserved for Apple Pay, the whole project moved to using Bluetooth for phone to door lock communication. It’s now the standard in hotels, but back then the room locks were NFC-only resulting in a massive infrastructure upgrade.
So, on the face of it, Apple opening the NFC and SE is an exciting development.
Two different announcements
Beyond the initial announcements, details from Apple are limited. A lot of the coverage to date has assumed that the openness Apple will provide will be similar to how Google opened the NFC on Android in 2013. I don’t read the announcements that way. From what we know, I think Apple has a different approach in mind.
What’s the Android model? Google provides Android apps access to a device’s NFC antenna through an interface called Host Card Emulation (HCE). This allows the rich OS application (a standard Android app) to send and receive commands over the NFC antenna in the format a payment terminal will understand (a protocol called ISO7816-4).
This is a very flexible model that makes it easy to scale wallet applications in the market. All the end user has to do is install an app from the app store.
There is no security built into this deployment model. The app is just an Android app. That means the software developer needs to use technologies like strong code protection and white-box cryptography to meet the payment industry’s security requirements.
Unable to insert the picture
In July, when Apple reached an agreement with the European Union, the approach they agreed on mirrored Android’s HCE model. This is only available within the European Economic Area (EEA). The approach Apple is proposing for other geographies is different.
Secure Elements and Trusted Services Managers
From what I can tell from Apple’s press release and public developer information, Apple is not planning on giving rich OS apps (i.e. normal iOS applications) additional access to the NFC antenna. Apple’s proposal is to allow third parties to develop applets which Apple will install and provision to the iPhone’s SE on-behalf of the third parties.
Applet’s are small computer programs designed to run within the Javacard environment of a SE. The SE is very similar to the chip in your credit cards, and keeps the program and its data safe from prying eyes.
The installation and provisioning of the applets will be performed by Apple’s Trusted Services Manager (TSM). In this way, Apple maintains the security of SE as Apple keeps full control over it and the software it’s running.
This means any third parties wishing to use the iPhone’s NFC interface for contactless transactions will need to develop an applet, give the applet to Apple, and then develop a companion iOS app that communicates with their applet. Apple will install and provision the applet to a user’s phone when the companion app requests it.
Beyond the technology
And that’s just the technology stack. There’s also geographic restrictions, security lab audit requirements and Apple’s fees for accessing the SE. Nevermind that third parties will need to convince users to move away from the excellent user experience that Apple Wallet offers.
So why would a third party consider developing a solution? Firstly, Apple has now provided a way to implement new use cases, ones that aren’t supported through Apple Wallet, so for some third parties, this may be the only way to provide their services on iPhone. Secondly, by building their own solution, third parties have a product that they control and can manage the user interaction. That means the customer engagement is wholly within their interfaces and they can build differentiation and innovation into their product to separate themselves from competitors.
Will history repeat?
Information is limited at the moment, but Apple’s plan sounds similar to the embedded SE announcements from phone manufacturers in the early 2010s. These were quickly forgotten in the excitement of HCE.
Outside the EEA, this is a more complex ecosystem for third party developers than is available on Android. Interestingly, inside the EEA due to regulatory pressure, developers will be able to choose between the two models.
No-one knows what the future holds, but one thing is certain: PACE has customers and partners who are excited about the opportunity more open access to the iPhone’s NFC brings. Let’s hope it truly does turn out to be revolutionary.