Community

Join the Community

21,997
Expert opinions
44,168
Total members
415
New members (last 30 days)
152
New opinions (last 30 days)
28,672
Total comments
Join Sign in

Now is not the time to go soft

  0 2 comments
Stephen Wilson
Stephen Wilson
Managing Director
Lockstep Consulting
Location
Sydney
Followers
6
Opinions
34
Unfollow

Online computing represents probably the first new platform in thirty years.  Not since the PC have we seen a whole new hardware-software-solution-product environment emerge.  It's understandable that there's a mad land grab for app-driven market share.  But you'd think that the rush to market would be moderated by a realisation that we ought to be building security into the platform from the start and not repeating the awful misadventures that continue to plague PCs. I don't need to turn this post into a lecture, for it's widely known that general purpose PCs and Internet protocol for that matter were never engineered to be properly secure, and yet we pile them high with payments applications that totally evade the standards and regulations that keep POS, ATMs, interbank settlements and so on safe. 

Now, the mobile platform has all the right attributes to make safe the next generation of consumer payments.  In particular, NFC devices come with "Secure Elements": certifiably secure tamper resistant chips in which the crypto-magic happens, and where the mission critical apps run. The Secure Element is a god send.  And it is supported in the NFC architecture by Trusted Service Managers (TSMs) operated by telcos and which securely transfer critical data and apps from verified partipants (like banks) into the consumers' devices.  The TSM is a lot like the GSM personalisation infrastructure that governs SIMs worldwide, to secure mobile phone billing. 

So NFC is so much more than the radio link that allows your device to 'send money' to a cash register. So much more. 

The first NFC mobile phone wallets used the Secure Element as the fit and proper place to hold your account details.  But now Google wants to shove credit card numbers up into the cloud.  It seems that loading CCNs one by one into the Secure Element of the phone is all too hard for them. This move looks to me like a cynical and hasty security concession for the sake of convenience.  And why?  It beats me why thoughtful implementation of a TSM wouldn't allow new CCNs to be provisioned to the Secure Element of any participating NFC wallet as easily as new phone number are set up in a SIM. There's nothing in the tech that stops sensitive data being provisioned almost instantly, over the air into NFC phones.

Of course, there are other reasons for Google to prefer the cloud to silicon. They might for example seek to disintermediate the TSMs.  Even more strategically, they generally prefer as much user information to be on their servers as possible, where they reserve the right to mine it.  After all, it is said that information about how people use money is more valuable these days than the money itself. 

It's astonishing that we wouldn't use Secure Elements for Card Not Present m-commerce transactions.  We have literally a once in a generation opportunity to forge a really safe cyber payments environment.  Let's not blow it.

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5371
 

Share

 
 
 
 
 

Channels

/security /payments

Comments: (3)

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

It's not as though Google began with this architecture. Whatever Secure Element gives by way of security, it seems to take away by slowing down adoption. Re. "there's nothing in the tech that stops sensitive data being provisioned a(l)most instantly, over the air into NFC phones", any idea if multiple credit card details can be stored concurrently on the Secure Element of a single smartphone?

Stephen Wilson

Stephen Wilson Managing Director at Lockstep Consulting

Author

Secure Elements come in a variety of form factors and memory capacities. They're just chips, like smartcards, and as such can be as large as we like, subject to the normal design tradeoffs. With their influence, big players like Google and banks could drive device manufacturers to make SEs as big as they like for their needs.  Today, typical SEs have storage of around 100KB, more than enought to store half a dozen CCNs and still meet all the other demands on SE memory.

I'd like to see some analysis of why using the Sercure Element is thought to impede take up.  It's not like the SE and Trusted Service Manager (TSM) are innately visible to consumers. 

PS. thanks for picking up my typo! I'll fix it.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@Stephen W:

TY for clarifying that a typical Storage Element has a capacity of 100KB, which can store a half dozen credit cards. This is certainly adequate for most users, especially if this capacity is expandable.

However, against that backdrop, I'm unable to understand why Google Wallet was able to support only one CCN until it announced its recent expansion into the cloud? Whereas, from day one, competitors like Pay with Square, PayPal Here, LevelUp and other mobile wallets that don't use SE / NFC have been permitting users to upload any credit card to their mobile wallets. Maybe this stark difference in end-user perceptible functionality between the SE and non-SE camps has resulted in people - me included - jumping to the conclusion that, in the case of SE / NFC, they have no choice of which CC they can use, which can only be decided by the combination of PSP, MNO and Handset Manufacturer. As long as people have this perception, it's not surprising that SE / NFC has slowed down adoption because very few users would sign up for a CC just because it's the only one supported by Google Wallet.  

On futher thought, this perception seems to be very real because, if it was possible for Google Wallet to permit the user to upload any credit card to the SE / NFC, why did it announce cloud support now, and specifically link support for multiple CCNs to the cloud?

Stephen Wilson
Stephen Wilson
Managing Director
Lockstep Consulting
Member since
24 Apr 2008
Location
Sydney
Followers
6
Following
2
Opinions
34
Unfollow

How much worse can CNP fraud get?

Credit card numbers are like nitroglycerine

Banks really know their customers

Taking full advantage of Chip

Do digital wallets leave 3D Secure behind?

See all Opinions from Stephen

More expert opinions

Konstantin Rabin

Konstantin Rabin Head of Marketing at Kontomatik

Why Cronos, Polkadot, and Avalanche Are Q4's Hidden Gems

Nicole Pienkos

Nicole Pienkos Head of Regional Banking at FIS

Managing Risk in Turbulent Times

Ruoyu Xie

Ruoyu Xie Marketing Manager at Grand Compliance

Governance, Risk and Compliance: How AI will Make Fintech Comply?

Ben Goldin

Ben Goldin Founder and CEO at Plumery

From Routine to Results: Five steps to RFP Modernisation

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

21,997
Expert opinions
44,168
Total members
415
New members (last 30 days)
152
New opinions (last 30 days)
28,672
Total comments
Join Sign in

Trending

Kyrylo Reitor

Kyrylo Reitor Chief Marketing Officer at International Fintech Business

Forex Market Regulation on the African Continent

Francesco Fulcoli

Francesco Fulcoli Chief Compliance and Risk Officer at Flagstone

National Payments Vision 2024: The UK's Vision for a World-Leading Ecosystem

Nkahiseng Ralepeli

Nkahiseng Ralepeli VP of Product: Digital Assets at Absa Bank, CIB.

The Stablecoin Surge: How a Chainalysis study reveals Africa’s payments revolution

Jamel Derdour

Jamel Derdour CMO at Transact365 / Nucleus365

Digital Dominance: The Growth of Digital Payments in South Korea

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept