The latest innovations that enable and secure mobile payments are adding so much complexity to the deployment process that they may exceed the expertise of the companies putting them in place.
Technology companies such as Sequent and Arxan see a chance to gain share by helping companies implement mobile payments.
"It's very early on in the mobile payments space, and there is a ton of complications that often aren't understood by medium-sized institutions, so the opportunity is there," said Vince Arneja, vice president of product management for Arxan.
Sequent, which provides digital issuance and mobile wallet technology, is working with Arxan, which develops security programs for apps on mobile devices and other computers, to bundle their technology for financial institutions and other clients. Sequent specializes in using Host Card Emulation (HCE), a device-agnostic version of contactless mobile payments. Arxan uses a mix of application guarding technology and programs that protect the cryptographic keys that are used in encryption and tokenization.
The two vendors will help deploy and manage their mobile payment and security technology for institutional users.
"The question that I often get is 'why do I need tokenization, or why are you using this on-device security?'" said Hans Reisgies, a vice president at Sequent. "They want to know why the more intense coding is required."
Tokenization, which protects transactions by replacing account information with a substitute code, is considered a key protective measure. Since HCE payments do not rely on the phone's hardware for security, they need greater protection.
But because HCE payments do not require access to the phone's secure element, they can be enabled without concern that carriers will block the technology on security grounds; when Verizon originally blocked Google Wallet, it cited security concerns. Google was able to get its app on Verizon handsets by switching to HCE technology.
The card networks have supported tokenization and HCE as mobile payment options, and individual companies are developing their own tokenization products. Sequent has sought to add software-based protections for mobile devices to bolster tokenization and protect handsets from other security threats such as device cloning.
Arxan and Sequent are positioning the product for issuers or payment companies to use with their own mobile payment programs or as part of merchant acquisition. The deployment's terms are worked out with each user. Initial deployments are expected to be complete in the second half of 2015.
Other companies such as Stripe and Braintree have been successful by making in-app mobile commerce interfaces easy to deploy and update as the payments and technology markets change, which suggests there is a market for services that make the innovations underlying mobile payments easier to adopt and deploy.
"Lots of companies could benefit from these types of solutions as they can provide a one-to-many provisioning capability, or one provisioning effort by an issuer can support multiple apps, wallets and/or operating systems," said Rick Oglesby, head of research for Double Diamond Payments Research. "Dynamic tokenization is also a big advantage because tokens can expire and/or be provisioned more frequently, which increases security. So there is definite value here."