Because Google Inc. stubbed its public relations toe earlier this year when a security firm “hacker” was able to gain access to the Google Wallet’s secure element in a smartphone and steal or wipe out PINs, it was no surprise the company made the leap to store card data in the cloud.
Even though Google Wallet’s secure element, or tamper-resistant platform, remains embedded in the mobile phone, the Internet technology provider essentially made a switch to put card data in a remote Google server to offer better security. Google says it also makes the process of placing cards in a Google Wallet easier for issuers and consumers. As such, the company says it has enjoyed twice as much consumer use of the mobile wallet since making the change.
Using the cloud to store card data in a remote site rather than “locally” on the consumer’s smartphone is a viable approach for mobile payments technology, says David Kaminsky, analyst for emerging payments with Mercator Advisory Group.
Plus, it doesn’t hurt when a big-name corporation illustrates it can be a positive move. “Google is the leader in this field and if they do it, others will follow,” Kaminsky says.
It didn’t take long for other technology providers to inform issuers, merchants and contactless payment developers they are offering cloud-based services that take an important next step.
A few weeks after Google announced its change, Austin, Texas-based startup SimplyTapp claimed to be taking that step by developing an alternative that would eliminate the need for a secure element on a Near Field Communication-enabled phone.
A week later, French security technology provider Inside Secure revealed a similar technology that turns NFC phones into “secured antennas” that can pull down sensitive data stored in the cloud and present it to an NFC-enabled point-of-sale terminal.
By keeping a secure element in the smartphone, Google has solved only half of the security problem, says SimplyTapp co-founder Doug Yeager.
Google’s new approach secures card data and reconciliation of payment in the cloud, but the secure element in the phone remains the hardware communicating with the point-of-sale terminal to initiate a transaction, Yeager says.
“They removed the need to have a business relationship with a bank and have allowed anyone to enter their card data to be used as payment, and that is a huge step,” Yeager says.
But SimplyTapp and Inside Secure store data in a true “remote secure element” in the cloud, with the card data being pulled down from the cloud to pass through the phone and to the point-of-sale terminal.
NFC security standards for card emulation, or when a phone is being used in place of a plastic card at a point of sale, call for use of a secure element for sensitive data within a mobile phone. SimplyTapp’s mobile app uses a Host Card Emulation patch for Android phones to allow a contactless point-of-sale terminal to interrogate an application that runs within a host operating system on a mobile device, rather than a secure element.
Neither Google nor Inside Secure responded to inquiries about their systems.
The ability to store card data in the cloud when using a smartphone will increase momentum for mobile payments acceptance by merchants and consumers, Yeager says.
“It removes the pain point of developing a relationship with a hardware vendor or telecommunications manager for issuing cards,” Yeager says.
In addition, the new technology increases interoperability between handsets because all hardware with an Internet connection and NFC antennas can communicate with it, as opposed to current technology that relies on the various forms of local secure elements within the phones, such as SIM, microSD, embedded and others, Yeager adds.
The development of technology to conduct NFC payments without a secure element on a phone is likely to provide an overall boost for NFC technology as a preferred mobile payment method, Yeager says.
“To those of us in the industry, NFC has taken so long to evolve that it appears ‘old’ before it is new,” Yeager says. For the majority of the merchant and consumer population, however, NFC is still viewed as “very new,” he adds.
“I love the look on the cashier’s face when I use the SimplyTapp app to pay for things,” Yeager says. “It is clear they are amazed, and for the most part upbeat about the mobile pay movement.”
Kaminsky chooses a bit of a play on words to warn that much remains unknown about cloud-based services.
“A lot remains up in the air as far as security in the cloud,” Kaminsky says. As such, it is difficult to predict if Google will expand upon its venture with the secure element and keep it as a permanent feature of its service.
In the meantime, companies like SimplyTapp are definitely helping carriers and issuers bridge the gap between secure elements in the phone and one on a virtual server, Kaminsky adds.