If you frequent this blog, you already know we are generally bearish on the NFC’s near-term prospects as a m.payment and m.commerce enabler. While the technology certainly has some great features and benefits, NFC faces too many challenges—several of which are highly complex and/or expensive to address—for it to reach mass adoption at a global level for the headline applications with which it is associated, at least for the next several years. Among the thorniest issues associated with NFC-enabled secure applications (i.e., use-cases that require transmission of sensitive and/or personal information, including payment, ticketing, loyalty, etc.) are those related to the secure element (SE), the part of a smartphone where this information is kept:
- Where does the SE reside on a smartphone? (SIM, MicroSD, embedded, elsewhere?)
- What entity owns/controls the SE? (MNO, device manufacturer, card issuer, multiple entities?)
These questions are of material importance to the above-mentioned stakeholders (and others), especially in the context of m.payment, ticketing and other contactless applications where funds are transferred between parties (e.g., customer-to-merchant, person-to-person). Just as credit/debit card companies generate billions in fees annually from processing “plastic” payments, so too could NFC SE owners generate handsome interchange revenues (as well as “rental” fees if a third party entity requires use of a SE for its own app) for NFC-enabled contactless payment. As a result of the high stakes and multiple, self-interested entities jockeying for position, no clear, broadly-accepted determination has been reached on either of these SE-related issues—nor do we expect one to emerge anytime soon.
In the meantime, NFC market players ARM (a smartphone chip vendor), Gemalto (a TSM provider) and Giesecke & Devrient (a payment security solution provider) have launched a joint venture called Trustonic to create a semi-secure alternative to NFC SEs called Trusted Execution Environments (TEE). Essentially, the TEE resides in the main processor of a smartphone, which positions it to execute transactions and other processes more expediently relative to a standalone SE. However, since a TEE is not entirely isolated from the rest of the device, this increased speed comes at the expense of security—meaning that it is unlikely credit/debit card providers and other credential issuers with high security requirements are unlikely to grant approval to TEEs like Trustonic.
While it is promising to see the emergence of new and innovative solutions to address some of the challenges hindering NFC adoption, we do not expect the emergence of Trustonic or other SE alternatives to have a material near-term impact on the NFC ecosystem. VDC views NFC’s great potential as an enabler of B2C applications as being a “package deal,” where payment, loyalty, couponing and other functions are united by one contactless application. Unfortunately, in maneuvering around the sticky SE issues, Trustonic also has diminished the SE’s value as a vault-like safeguard for the most sensitive credential types, meaning the TEE only can support semi-secure NFC apps. In our opinion—one we suspect is shared by many B2C merchants—this approach limits NFC’s value proposition and Trustonic’s potential to drive broader adoption of the technology.