An article relating to this blog post on Finextra:

Google Wallet moves to the cloud to support all credit and debit cards

Google is bidding to breathe new life into its stuttering mobile wallet platform by launching a cloud-based version of the app that can be linked to Visa, American Express and Discover cards.



Now is not the time to go soft

Online computing represents probably the first new platform in thirty years.  Not since the PC have we seen a whole new hardware-software-solution-product environment emerge.  It's understandable that there's a mad land grab for app-driven market share.  But you'd think that the rush to market would be moderated by a realisation that we ought to be building security into the platform from the start and not repeating the awful misadventures that continue to plague PCs. I don't need to turn this post into a lecture, for it's widely known that general purpose PCs and Internet protocol for that matter were never engineered to be properly secure, and yet we pile them high with payments applications that totally evade the standards and regulations that keep POS, ATMs, interbank settlements and so on safe. 

Now, the mobile platform has all the right attributes to make safe the next generation of consumer payments. In particular, NFC devices come with "Secure Elements": certifiably secure tamper-resistant chips in which the crypto-magic happens, and where the mission critical apps run. The Secure Element is a godsend. And it is supported in the NFC architecture by Trusted Service Managers (TSMs) operated by telcos and which securely transfer critical data and apps from verified participants (like banks) into the consumers' devices. The TSM is a lot like the GSM personalisation infrastructure that governs SIMs worldwide, to secure mobile phone billing.

So NFC is so much more than the radio link that allows your device to 'send money' to a cash register. So much more. 

The first NFC mobile phone wallets used the Secure Element as the fit and proper place to hold your account details. But now Google wants to shove credit card numbers up into the cloud. It seems that loading CCNs one by one into the Secure Element of the phone is all too hard for them. This move looks to me like a cynical and hasty security concession for the sake of convenience. And why? It beats me why thoughtful implementation of a TSM wouldn't allow new CCNs to be provisioned to the Secure Element of any participating NFC wallet as easily as new phone numbers are set up in a SIM. There's nothing in the tech that stops sensitive data being provisioned almost instantly, over the air into NFC phones.

Of course, there are other reasons for Google to prefer the cloud to silicon. They might for example seek to disintermediate the TSMs.  Even more strategically, they generally prefer as much user information to be on their servers as possible, where they reserve the right to mine it.  After all, it is said that information about how people use money is more valuable these days than the money itself. 

It's astonishing that we wouldn't use Secure Elements for Card Not Present m-commerce transactions.  We have literally a once in a generation opportunity to forge a really safe cyber payments environment.  Let's not blow it.

 


Comments: (3)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 06 August, 2012, 15:04

It's not as though Google began with this architecture. Whatever Secure Element gives by way of security, it seems to take away by slowing down adoption. Re. "there's nothing in the tech that stops sensitive data being provisioned a(l)most instantly, over the air into NFC phones", any idea if multiple credit card details can be stored concurrently on the Secure Element of a single smartphone?

Stephen Wilson - Lockstep Consulting - Sydney, 06 August, 2012, 22:12

Secure Elements come in a variety of form factors and memory capacities. They're just chips, like smartcards, and as such can be as large as we like, subject to the normal design tradeoffs. With their influence, big players like Google and banks could drive device manufacturers to make SEs as big as they like for their needs. Today, typical SEs have storage of around 100KB, more than enough to store half a dozen CCNs and still meet all the other demands on SE memory.

I'd like to see some analysis of why using the Secure Element is thought to impede take up. It's not like the SE and Trusted Service Manager (TSM) are innately visible to consumers.

PS. thanks for picking up my typo! I'll fix it.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 07 August, 2012, 13:30

@Stephen W:

TY for clarifying that a typical Storage Element has a capacity of 100KB, which can store a half dozen credit cards. This is certainly adequate for most users, especially if this capacity is expandable.

However, against that backdrop, I'm unable to understand why Google Wallet was able to support only one CCN until it announced its recent expansion into the cloud? Whereas, from day one, competitors like Pay with Square, PayPal Here, LevelUp and other mobile wallets that don't use SE / NFC have been permitting users to upload any credit card to their mobile wallets. Maybe this stark difference in end-user perceptible functionality between the SE and non-SE camps has resulted in people - me included - jumping to the conclusion that, in the case of SE / NFC, they have no choice of which CC they can use, which can only be decided by the combination of PSP, MNO and Handset Manufacturer. As long as people have this perception, it's not surprising that SE / NFC has slowed down adoption because very few users would sign up for a CC just because it's the only one supported by Google Wallet.  

On further thought, this perception seems to be very real because, if it was possible for Google Wallet to permit the user to upload any credit card to the SE / NFC, why did it announce cloud support now, and specifically link support for multiple CCNs to the cloud?
