How a new NFC spec could break QR's grip on mobile payments
It may take several more months of testing before it is deployed in a payments application, but a new money transfer specification the NFC Forum has developed carries the organization's promise of becoming an alternative to QR-code technology.
In releasing its Near Field Communication-based Money Transfer Candidate Specification, the NFC standards organization is pushing the new coding as a way for banks, merchants and wallet providers to promote a faster and more secure option for mobile payments than using a QR code, which is a popular practice in many regions of the world — including the U.S., where QR is the standard for the likes of Walmart Pay and Chase Pay.
The NFC Forum announcement also rekindles an old debate about whether the contactless payment capabilities brought on through NFC are more effective than other point-of-sale technology and options. Years ago, NFC was part of a sometimes contentious discussion about its role in mobile, with the complementary secure element on a smartphone and who had access to that hardware.
But now, the organization — which has promoted mobile payments for the past eight years and focuses on NFC's various use cases for developers, vendors and payments providers — says it is simply moving forward a new specification its members want. This specification can transport the same information a QR code does now, but through an NFC data exchange format, or NDEF code, on a phone or tag.
Once on the open market, it would be up to developers, banks and merchants to decide whether and how to use, deploy and market this new specification.
"Several companies (in the NFC Forum) saw a lot of use of QR codes in the marketplace, specifically in some Asia markets and in China, and other places as well," said Paula Hunter, executive director of the NFC Forum. "QR codes are a simple mechanism for transferring information, but the experience can be a little clunky at times for consumers and there are some potential security issues."
As a result, members of the forum began questioning why an NFC technology spec could not be developed to enable similar information to be moved between an NFC enabled phone and a point-of-sale terminal.
"From a merchant standpoint, it gives them another option and accelerates the transaction because most merchants are cognizant of the time spent in the checkout line, and this is one way to reduce the user intervention required to scan that QR code," Hunter said. "It is a great opportunity for improvement, it gives more options for a way to pay, so that the merchant is not tied to one wallet or one payment option."
For wallet providers, the key to the new specification lies in stronger security, Hunter said. Some merchants who have recently taken on EMV chip card technology at the point of sale to avoid fraud liability may have also included NFC at their terminals.
A question of security
Because fraud liability in a QR code case falls to the merchant and is treated like a card-not-present transaction, the idea of a safer option carries some weight. But that has generally been the case with NFC all along. The new spec says it can do anything QR code can do, but better.
"NFC is without question more secure than QR codes," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "NFC leverages much of the same technology that makes EMV so much more secure than magstripe cards in that it transmits a unique and dynamically generated code for every transaction."
Using that analogy, Conroy said QR codes are "really just glorified magstripes from a security perspective, in that they are static and subject to malicious manipulation."
In an example of QR code vulnerability, a vendor at a security conference put a QR code on a sign and encouraged people to follow the QR code for their chance to win $25,000, Conroy said. "When they got to the QR code destination, the message was 'You're lucky we're the good guys, otherwise you'd now have malware on your device," she added.
Hundreds of millions of Chinese citizens use QR codes for the popular Alipay and WeChat Pay mobile payment platforms. In the U.S., both Walmart Pay and Chase Pay ride on QR code technology. Target, a major retailer along with Walmart, long held back on accepting NFC transactions but recently changed its stance in finally accepting various NFC wallets.
Because a bank or wallet provider could choose to implement a new NFC spec in the future, it will be interesting to see what Chase or Walmart decide to do. In some cases, a new NFC capability would not necessarily have to override a QR code option; it would just be offered as an extra option.
The NFC Forum envisions that by incorporating the new spec, a merchant or issuing bank could convert all of the QR code processes into a more secure NFC setting, or could educate consumers to download a new app and explain the benefits of doing so.
From concept to reality
There are clear obstacles to the NFC Forum's plan.
"I totally agree that NFC is faster and more consistently reliable," said Tim Sloane, director of emerging technologies advisory services for Boston-based Mercator Advisory Group. "And even though NFC is common in mobile devices, when you look at the installed base, you still may have a problem with how many people have NFC in their phones."
The NFC payments implementations that have come out of the NFC Forum have "typically been well-secured" and users can expect the same out of new specification, Sloane said. "Otherwise, security is all a matter of implementation, so it can be almost as insecure as QR code if it is poorly implemented."
It is too early to articulate what the value of the new NFC specification may bring, but it is apparent what has been driving QR codes, said Thad Peterson, senior analyst with Boston-based Aite Group.
"If a merchant or wallet provider is using QR code, it's probably because they want more ubiquity," Peterson said. "Nearly every device comes with a camera that works and an optical solution doesn't require anything beyond an existing scanner on the merchant POS platform to implement."
The timetable for the new money transfer specification to be available for coding in an app isn't set in stone. The NFC Forum compliance committee is writing test cases and working with test tool vendors to add the specification to their suites.
At the NFC Forum test labs, the specification would be tested on handsets and tags to validate that it will work as designed. It is not an application level test at that point. After the handsets and tags are certified as able to accept the new spec, the application layer testing burden moves on to the app developers.
"It is our standard policy to move the specs into an open market so that it is available to everyone," NFC Forum's Hunter said. "When we are working on it, we try to define as many use cases as possible so that those working on writing the specs can ensure that all of those scenarios are able to be implemented."
The major card networks get involved in the certification process only if they want to supply it directly as an offering to merchant acquirers and card issuers. The financial institutions, in turn, need to adhere to any policies in place with their networks in terms of working with merchants on payments technology.