Tokens And Traditionalists

Two recent comments led to this post. One is by David Marcus of Paypal, who long held fast to his belief that NFC based payments had high barriers to entry – cost and complexity – while offering very little upside. Paypal’s position on NFC (Not For Commerce) had always been a bit zealous – understandable, as in a world of Secure Elements Paypal (and many others) could not meaningfully participate. But Marcus’s recent post, which views NFC/HCE as one of the three trends that could transform the retail payment experience, takes a pragmatic view of a complex and heterogeneous retail environment. Marcus speaks on how Paypal has come to adopt a cautiously optimistic view of NFC/HCE, now that there are no gatekeepers extracting a toll and because HCE (thanks to SimplyTapp) finally offers a level playing field in the Android ecosystem.

Further, Paypal’s significant shift in its approach to NFC seems rather progressive compared to how backward MCX and its merchants come across in their view of the same. Merchants seem unable to decouple the radio (NFC) from a rather deep mistrust of contactless technology. Instead of looking to take advantage of what the combination of NFC and HCE offers to issuers – which include merchants who currently issue Prepaid and Private Label – they seem content to create new incentives to change customer behavior at the point of sale – away from credit and into debit, ACH and Private Label. Again – Paypal could teach them a thing or two here about how hard it is to change customer behavior when it comes to checkout – as it resorts to unnecessary friction when slyly re-ordering funding sources at customer checkout. But as my father used to tell me when I was much younger – we all must make mistakes before we learn from them.

I subscribe to Marcus’s point of view on NFC – and I have written about NFC/HCE before, and its significance in democratizing access to both the credential and the radio in a payments transaction. However, with HCE I would go beyond NFC – as finally there is a way to decouple the credential from the radio – and look beyond where the credential is stored, and even how it is presented – including other legitimate use-cases such as QR and BLE alongside NFC. Further, we can now visualize a tokenized payment – and solve the problem of PAN leakage, as today the PAN is stored or seen at every hop along the payments transaction flow – and is subject to capture. Card breaches are plentiful today, and any existing or new payments modality must solve for stronger authentication and stricter fraud controls to achieve parity, legitimacy and ultimately favorable economics around interchange.

I know of a few antiquated merchant CRM systems that will go haywire when tokenization descends upon them and PANs prove unreliable and transient. Yikes!

And yet – (strange as it may seem coming from me) – there is an unfortunate coupling between NFC and HCE today – unfortunate because HCE enables credentials to be agnostic of location, and provides a pathway for them to be presented to the terminal. Today that pathway can connect multiple locations (Cloud, TEE, OS) with a radio (NFC). Nothing stops it from connecting to multiple radios or combinations of more than one – or even optical readers. Any existing limitations will fall away as business objectives align, and they shall align soon. Anyone who believes that traditional mindsets around Card Present and Card Not Present, and the related economics, will stand the test of what is happening in digital commerce right now – is living a pipe dream.

“If the customer has to authorize each transaction, there’s no need for NFC.”

The second comment that precipitated this post was in a Host Card Emulation discussion in one of the LinkedIn groups, debating the benefits of NFC/HCE payments where credentials no longer need to be anchored to a Secure Element. Further, the credential can now be your primary PAN or a single-use or multi-use token in a tokenized payment flow. This allows for additional transaction security, where a token can be restricted to use with a specific channel or retailer. In places where wireless connectivity is bound to be spotty, it is likely that a token can be provisioned ahead of time – with its longevity determined by the token issuer based on customer usage behaviors and measured risk.
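To make the domain-restricted, limited-use token flow described above concrete, here is an added example (my own illustration, not code from the post or from any network specification): a minimal token vault that provisions a surrogate for a PAN, binds it to a channel and merchant, gives it an issuer-chosen lifetime and use count, and refuses presentment outside those bounds. The merchant identifiers, channel names and the sample PAN are constructed values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class TokenRecord:
    pan: str                     # real PAN, never leaves the vault
    channel: str                 # presentment channel the token is bound to, e.g. "NFC", "QR"
    merchant_id: Optional[str]   # None means any merchant; otherwise bound to one retailer
    expires_at: datetime         # issuer-chosen longevity
    uses_left: int               # 1 = single-use, >1 = multi-use, -1 = unlimited


class TokenVault:
    """Hypothetical token service provider: issues surrogates and checks domain restrictions."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def provision(self, pan: str, channel: str, merchant_id: Optional[str] = None,
                  ttl_hours: int = 24, uses: int = 1, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        # Constructed surrogate: random digits, deliberately not a valid PAN
        token = "99" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        self._tokens[token] = TokenRecord(pan, channel, merchant_id,
                                          now + timedelta(hours=ttl_hours), uses)
        return token

    def detokenize(self, token: str, channel: str, merchant_id: str,
                   now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Return (True, pan) if presentment is inside the token's domain, else (False, reason)."""
        now = now or datetime.now(timezone.utc)
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if now >= rec.expires_at:
            return False, "token expired"
        if rec.channel != channel:
            return False, "channel mismatch"          # e.g. NFC token replayed via e-commerce
        if rec.merchant_id is not None and rec.merchant_id != merchant_id:
            return False, "merchant mismatch"         # captured at one retailer, used at another
        if rec.uses_left == 0:
            return False, "token exhausted"           # single-use token replayed
        if rec.uses_left > 0:
            rec.uses_left -= 1
        return True, rec.pan
```

A token captured at a breached merchant is worthless outside its channel, retailer and lifetime, which is the PAN-leakage argument of the post in code.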

The comment, while debating the function of NFC when used with tokens instead of bank-issued PANs, went to the core of why NFC traditionalists fail to understand where mobile-driven payments are headed: “If the customer has to authorize each transaction, there’s no need for NFC.” This refers to how – with a Secure Element driven NFC payment – one mostly just taps to pay, with no requirement to enter a PIN during the payment. With HCE, the network specifications as they have been written (specifically MasterCard’s) have alluded to requiring a PIN every time – which is then used to create the cryptogram that validates the authenticity of the transaction. This, as I have said before, is unnecessary; instead of mandating a specific risk mitigation approach, the better alternative would have been to state the requirements and leave it to the issuer or the digital wallet to implement the best approach at runtime.

I suspect that with time, issuers will bring both specs together and the rough edges will get smoothed out. And clearly – HCE points to a future where tokens, rather than PANs themselves, will occupy the wallet. The EMVCo tokenization specification calls out several approaches for token presentment, of which NFC/SE is but one of the allowed presentment scenarios. But the above comment speaks to a misunderstanding among those I refer to as “NFC traditionalists”, who have a tough time grappling with NFC’s future utility.

In the traditional point of view – NFC was the only alternative to mag-stripe which qualified for a Card Present rate – becoming the bona fide route to mobile enablement of payment credentials. This required one to funnel a bank-issued PAN from the Secure Element to the terminal. There was never any talk of keeping an alternate (a token) in the Secure Element – especially when provisioning comes with a cost. Space in the Secure Element is a rare commodity and access is tightly controlled as well – and when credentials are tokenized, access and space, while both priorities, are not the only two that matter. In fact, the circumstances around the initial issuance of the token, along with any ID verification steps that may have been performed, or the confidence levels attributed to those processes, all matter more in the broader scheme of things – if we are dealing with tokens. Such a nuanced approach towards issuance and provisioning is missing in the traditional view – where NFC is not simply a radio – and its combination with the Secure Element, and the legitimacy it appropriated, was afforded to no other method.

As that view is challenged, the question becomes – are we able to reconcile these traditional views, which may have necessitated a tight coupling of the radio and the credential, with the needs of commerce today? Can we start using any and all available radios and capabilities on the device to reduce fraud risk and payments friction, and meanwhile, can we stop hating on a radio?

Cherian Abraham

Cherian Abraham is a Payments, Banking & Retail expert based out of the Richmond, Virginia area. He has 16+ years of international technology and strategic consulting experience with organizations. He has a blog called and is also an advisor to startups and asset management firms focusing on mobile commerce. He is a contributing author to Lets Talk Payments.