The world can’t get enough of mobile applications. Last year alone there were 102 billion application downloads according to the analyst firm Gartner. And Google research says 84% of shoppers are now using their mobile phone while they shop in the physical world. Banks would be smart to leverage this revolution. And they would be even smarter to enable existing applications instead of trying to compete with hundreds of other apps for a customer’s attention.
After all, leveraging existing consumer behavior is much easier than changing it. Issuers who are first to put their credentials into applications that consumers already use, have the best chance of achieving and maintaining “top of application” status in this new and potentially huge channel. Being early in this endeavor is dependent on making it easy for everyone involved: the issuer, the merchant partner, and customers.
Host Card Emulation (HCE) has greatly simplified the mobile payment ecosystem by allowing issuers to put credential directly into mobile applications for transactions in the physical world without third party wallets, secure elements, or TSMs. However Host Card Emulation by itself doesn’t:
• Make sure every application that wants to use the credentials is a trusted application.
• Authenticate users to download and use credentials from third party HCE applications.
• Provide for testing and certifying every HCE application that uses the credential.
This means that each time a bank issuer wishes to extend their credentials to new partner applications, it will take the same amount of overhead for each new application. The bank issuing the credential will need to make sure each application manages card lifecycle, application permissions, cardholder authentication, tokens, and trust. All this takes time and resources from the issuer and its merchant and other partners, making it difficult to scale and move at a speed necessary to be first and “top of application.”
Banks should have systems that automate and simplify the work of distributing credentials to applications. HCE does enable apps to communicate directly with the NFC controller, bypassing the secure element. But apps still need to handle sensitive tokenized card data to do payments. Banks cannot expect partner app developers to be knowledgeable about payments industry standards and compliance, Javacard security or obscure terms like “APDU commands.”
That means banks will need systems to vet and authenticate new partners and apps, platforms with easy APIs to distribute credentials to these apps securely and monitor usage of credentials by the third party apps. All of this is needed to make it easy for merchants and other partners to add bank credentials and HCE mobile payment functionality to their applications. The result is banks will reduce overhead to support and certify third party applications and customers can use credentials in applications they already use and love.
And the bank will achieve another metric that will soon become as important as “top of wallet” — being the “top of app”!