Furthermore, the accounts (or wallets) used to store consumer credentials are now have an integration of offline and online payments, enabling users to access them both for remote purchases and instore.
But there are significant regional variations in the mechanisms to make contactless mobile payments. In some countries mobile wallets win out, whereas elsewhere the NFC payment card wins. In addition Host card emulation (HCE) is on the rise, the software architecture that provides exact virtual representation of various electronic identity (access, transit and banking) cards using only software. Prior to the HCE architecture, NFC transactions were mainly carried out using secure elements, such as the chip on a card or other means.
HCE enables mobile applications running on supported operating systems to offer payment card and access card solutions independently of third parties while leveraging cryptographic processes traditionally used by hardware-based secure elements without the need for a physical secure element. This technology enables the merchants to offer payment cards solutions more easily through mobile closed-loop contactless payment solutions, offers real-time distribution of payment cards and, more tactically, allows for an easy deployment scenario that does not require changes to the software inside payment terminals.
When we compare the relative share of contactless cards and wallets in key markets outside the US (Europe, Canada and Australia), we see that, typically, cards account for well over 90% of transactions by value (rising to 98% in Spain and Canada). In the US, the positions are reversed, with mobile wallets accounting for 87% of the total.
While many markets focus on enabling instore mobile payments via NFC (which uses the same infrastructure and technology as contactless cards), a small number have embraced QR code-based instore payments. While precise mechanisms vary, typically the consumer is presented with a printed QR code, after which he/she launches the payment app and scans the code with the smartphone camera. This directs them to a payment page, where the transaction amount is entered and the transaction is made.
By far the most successful deployments of QR code-based payments have come in China, where these have already surpassed cash and cards in both instore transaction volume and values. Deployments elsewhere are sporadic, but the mechanism has been a mainstay of Scandinavian wallets for several years and is also gaining traction in India.
However, a study by researchers at the System Security Lab at the Chinese University of Hong Kong’s Department of Information found that it was possible to gain access to the phone’s camera to record an image of a QR code.
Furthermore, as QR codes can contain any kind of data (not just payment/transaction details), it is possibly to create codes containing links to malware or phishing sites.
As a result, the People’s Bank of China confirmed in December 2017 that it would be introducing plans to regulate payments by QR codes and other scannable codes. The new regulations, which come into effect in April 2018, will include a payments cap of RMB500 ($79) for basic payments, rising to RMB5,000 ($790) if additional security procedures are implemented, such as tokenisation, risk monitoring and anti-counterfeit measures.
Outside China, NFC has long been the proximity payment mechanism of choice by mobile wallet providers, although the initial model whereby the SE was based on the SIM has largely been jettisoned in favour of alternatives, where the SE is either embedded in the handset or else virtualised using HCE.
The evolution of offline payment in the US has lagged behind that in other developed markets, with EMV only mandated from October 2015. After that point, if merchants had not introduced processing systems to facilitate chip-based payments, then liability for fraud would pass from the card providers to those merchants.
Even with the onset of EMV, banks were reluctant to move to Chip & PIN, apparently concerned that their customers would be unable to remember a 4-digit PIN. Hence, US customers now use Chip & signature instead of the more secure alternative.
This means that Apple Pay and the wallets that followed in its wake, have the opportunity to establish themselves as the contactless mechanisms of choice.
The challenge facing Apple and its rivals is to ensure that the infrastructure is in place for consumers to make instore payments. According to Head of Apple Pay Jennifer Bailey, when Apple Pay first launched in September 2014, it was supported by just 3% of retailers, a figure that had risen only marginally by the end of that year. However, by the end of 2017, half of US retailers supported the mechanism, indicative of the progress that contactless has made in that market.
Nevertheless, although a majority of the remaining US retailers are now believed to own POS terminals capable of fulfilling contactless transactions, a significant number have not yet activated the technology. Furthermore, in some stores only a minority of terminals accept the technology: Juniper estimates that just under 30% of all POS terminals in the US were capable of processing contactless transactions by the end of 2017.
Purely from a payments and convenience perspective, it will be difficult for mobile wallet providers to gain market share from contactless cards. It is therefore incumbent upon them to deliver services through which the mobile wallet will become the default payment mechanism.
We would argue that there are at least 2 means by which this could potentially be achieved:
- Offering an integrated wallet which can be used on both offline and online environments;
- Offering services based around loyalty.
HCE threatens the central role of the network operator in NFC’s value chain, it strengthens that of the bank and makes handset-based contactless payment a more attractive proposition.
Banks have increasingly understood this. By the end of 2014, Juniper Research estimates that just 7 banks had introduced commercial services based on HCE. By mid January 2016, that number had increased to 55; by the end of 2017, Juniper Research estimates that well over 200 banks had introduced such services. Those launching in 2017 included Belfius (Belgium), Citi (US), Credit Agricole (France), Deutsche Bank (Germany), Rabobank (Netherlands) and SBI (India).
A number of banking collectives have also sought to implement HCE. In June 2016, the Danish banking collective, the BOKIS partnership, launched an HCE wallet utising a solution provided by Nordic digital payments specialist, Nets. The BOKIS partnership includes 62 banks that form the small to mid-sized banks segment of the Association of Local Banks, Savings Banks and Cooperative Banks in Denmark, together with 5 Danish regional banks: Jyske Bank, Sydbank, Spar Nord Bank, Arbejdernes Landsbank and Nykredit Bank. Meanwhile, In October 2016, 27 Spanish banks teamed up to launch a new mobile payment platform called Bizum whicih utilises HCE.
However, despite this plethora of bank launches, adoption has been relatively modest: many services have only a few tens of thousands of users, with none yet reporting that they have achieved more than a million. The scale of the challenge facing the banks is largely tied to that facing NFC in general: in Western Europe; banks’ own contactless services are up against both contactless cards and the OEM-Pays, making it extremely difficult to gain a foothold.