Your Smartphone is Your Credit Card – A Humble Consumer’s Musings on a Possible Future of (a Subset of) Payments

NOTE: I’m but a humble consumer and complete non-expert in the payments field (so anyone with knowledge in the field – might be best you look away), musing about the digital credit card concept in very broad strokes.


“Background” (note the quotes)

There’s nothing new about envisioning your ultrapocketable mobile device (currently, the “smartphone”) as your primary method of payment. The dream of the digital wallet is highly unoriginal – all kinds of companies have been experimenting with ways to “go mobile” (“post-plastic”, anyway) for years. And obviously, the digital wallet faces myriad challenges, dozens of which I’ll probably “blithely overlook” in this post.

Yet, with NFC reportedly due for a boost from Apple, and with the general proliferation of increased user security (e.g. biometrics), 64-bitness and/or secure elements in the smartphone space soon to follow (by Apple and other chipmakers/smartphone OEMs), it seems the dream is more alive than ever.

Digital wallets are unlikely to supplant the good ol’ magnetic strip anytime soon (with a chip and PIN requirement outside of the US), but digital credit cards, provided the myriad challenges can be addressed, just might be better.

Don’t digital credit cards already exist? Sort of, in a way. By way of top-of-mind/quick Web search mention (not like I have any endorsement powers anyway :P):

Coin consolidates credit cards into one device, which only works by way of the ol’ swipe-to-pay in present form. But while it’s digital, it’s also inextricably tangible (by design), so it’s really more accurate to call it an “all-in-one/user-selectable credit card”. You’ve got the soon-to-be-named Softcard in the US, a joint venture between AT&T, T-Mobile, Verizon, AmEx, Chase and Wells Fargo. As for a few major card issuers, AmEx has ExpressPay, MasterCard has PayPass, Visa has payWave. There’s UnionPay in China, “Osaifu-Keitai” (Wallet Mobile) by NTT DoCoMo, PayMate in India, Google Wallet of course.

Of course, those credit cards don’t upload themselves. As far as I know, they all need to be registered, after which they’re “uploaded” to the smartphone, via host card emulation (HCE) in the case of Google Wallet, or via secure element (SE), such as a special SIM card, SD card or other hardware built into the smartphone yet isolated from the smartphone OS.

Could this year or next year be the start of a new approach?


The Digital Credit Card as Primary Payment Method, With Plastic as the Tangible Backup

It can’t happen right away. Implementation will be a huge challenge across the board. Systems will need all kinds of changes. It’ll surely be the stuff of pilot programs, trial and error, maybe even a highly publicized security snafu or two (or dozens). As with broadband internet, that “last mile” of consumer uptake may take forever to cross, whether it be security/fraud concerns or use cases which will always be more difficult for short-distance contactless payment applications. You’ll probably still have to face an initial or periodic setup or renewal feature, at least to start.

And yes, I’m just a humble consumer wanting a “better” bank card product enabled by emerging technologies.

But stay with me here, if you like.

Card Issuance and Maintenance

Imagine your credit card being sent to you not by mail, but by secure connection (as in, not public Wi-Fi) directly to your smartphone’s wallet app. Sure, you might have to take special steps like having your identity verified at the issuing bank branch – otherwise, you get your card as usual and follow those digital wallet setup steps online. From then on, renewals are never an issue – annual fee notices are pushed to you, and as long as you stay current and in good standing, your credit card – logo and all – refreshes via trusted Wi-Fi or telco connection.

Since you’ve consented to keep your credit card primarily digital, issuers automatically get to save on trees and mailing costs and send you all communications from privacy policies to statements in electronic form – ideally, all handled within the same app or at least the issuer’s app, versus e-mail. Heck, if you’ve got questions, maybe you can send free secure messages to the issuer in addition to calling, which gives the card issuer more options to respond to you more efficiently.

Want to cancel your card? It’s like Passbook – digitally shredded. Maybe a phone call is required first, maybe you need to punch in a cancellation code, but all the phone numbers you need are already on the card, just as if it was plastic – tap to call.

If you change smartphones/connected pocketables, as most do every couple of years? Yeah, that’s kind of a pain point from user all the way to card issuer. Maybe the relevant stakeholders can find a way to push the credit cards to the new device upon ID verification. Makes you wonder if there might someday be a small industry built around this particular application of in-person ID verification (if there isn’t already)?

Fraud Prevention

To blithely overlook an entirely different raft of issues, how about fraud prevention? If we eventually get to a future where contactless transactions gain critical mass, and digital credit cards become easy to track, the default state could be to have the cardholder’s spending ability strictly confined to the trusted device. Which requires PIN, biometric, or some other authentication before completing the transaction (my bet’s on fingerprint for now).

Did a bad guy somehow manage to get your credit card number? Well too bad, authentication servers know to expect incoming transactions from only one device right off the bat – all other transactions will, ideally, be flat-out rejected, and you’ll be notified of all “change events” the bad guy might attempt (like asking for a digital re-issue). Blithely overlooking still more issues, there’s no “type in the info online” issue, because when you buy online, you’re securely pushing your payment information to your computer anyway via the trusted device and its identifier. (Obviously, companies with an iOS/OS X “Continuity”-type approach/security model might have a lead in this respect, if they can get online payment solutions providers to cooperate.)

Did the bad guy somehow manage to steal your device? Well before you lock it down remotely, Bad Guy can’t do anything short of guessing your PIN or getting past the biometric authentication requirement.

Did the bad guy somehow manage to go full MacGyver and spoof the trusted device PLUS authentication elements somehow? If you still have your device (and it hasn’t been physically compromised without you knowing), it’ll be a “cloned transaction” since the bad guy has replicated your digital credit card, in which case the cardholder gets a push notification to the trusted device he or she still has, and can lock everything down soon afterward. And really, if Bad Guy has gone to the lengths of local access and messing with your smartphone, you’ve got bigger problems anyway, unfortunately.

Tangible Backup – the “Bridge/Spare Key”

What about the drive-thru (especially during snow, hail, driving rain and nighttime)? The gas station? Your favorite hole-in-the-wall restaurant that actually still made carbon copy impressions until just a few years ago? Or you just plain forgot to charge your device? Well, as long as they have swipe-to-pay (is there anyone who doesn’t at this point?), that’s where your transitional “spare key” comes in – good old plastic.

Great, we’re right back to square one since some merchants have to accept the same credit card bad guys can clone or steal. Maybe not!

With a digital credit card as primary, you can set the rules for all secondary cards, including additional cards resident in trusted persons’ smartphones. Whistling past the “raft of issues” deal again 😀 , swipe-and-pay transactions will only identify a certain way. So, users can easily set up daily, weekly, monthly, “lifetime” spending limits on all secondary cards.

In other words, it’s a spare key that only activates when you tell it to, and only with certain conditions to limit liability issues. Traveling to a non-NFC-dominant vacation destination? Give yourself a travel budget beforehand, or reset it as you go. Leery of that gas station card reader that you have to use on that road trip? Back to planning ahead as best practices. But as long as you have a data connection, how about you activate your card on a one-time or time-limited basis just for that transaction? Heck, if technology advances enough, maybe you can have your trusted device confer one-time credit card account numbers to your smart-ish plastic card for swipe-to-pay transactions. And if you’re big on rewards optimization and don’t want to take all the rewards cards (“spare keys”) you think you’ll need – well, maybe “all-in-one” physical cards have a bright future after all.
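A toy model of the issuer-side rules sketched under Fraud Prevention and Tangible Backup, added here as an illustration; it is not from the original post or from any real payment network. The field names, channel labels and the choice to push a notification on every decision are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SpareCard:
    """Plastic 'spare key': inert until the cardholder activates it."""
    limit_cents: int = 0        # budget set from the trusted device
    active_until: float = 0.0   # epoch seconds; 0.0 means never activated
    spent_cents: int = 0

@dataclass
class Account:
    trusted_device_id: str      # the one device allowed to spend digitally
    spare: SpareCard = field(default_factory=SpareCard)
    notifications: list = field(default_factory=list)

def decide(acct, txn, now):
    """Apply the post's rules to one transaction dict (hypothetical shape)."""
    if txn["channel"] == "swipe":            # tangible backup path
        s = acct.spare
        if now > s.active_until:
            return False, "spare card not activated"
        if s.spent_cents + txn["amount_cents"] > s.limit_cents:
            return False, "spare card limit exceeded"
        s.spent_cents += txn["amount_cents"]
        return True, "approved (spare card)"
    # Digital path: a stolen card number alone fails the device check.
    if txn.get("device_id") != acct.trusted_device_id:
        return False, "unknown device"
    if not txn.get("user_verified"):         # PIN or biometric on the device
        return False, "no user authentication"
    return True, "approved (trusted device)"

def authorize(acct, txn, now):
    """Decide, then record a push notification for the trusted device.

    Notifying on approvals as well as rejections is what lets the
    cardholder spot a 'cloned transaction' they did not make.
    """
    approved, reason = decide(acct, txn, now)
    acct.notifications.append(("approved" if approved else "rejected", reason))
    return approved, reason
```
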


Future Imperfect, But Not So Far Away?

Yes, it’s essentially daydreaming. Yes, it assumes the mountain of challenges can be overcome, and the transition is bound to be a halting, daunting one. But the key elements – hundreds of millions of smartphones, the 64-bit transition, stronger security, and a likely market push towards NFC adoption (I just hope they improve the effective range) – are suddenly falling into place.

It’ll be interesting to see what the future of credit card/bank card payments holds, and I’m not just talking about Apple’s Flint Center event tomorrow.

Extra: Two PDFs I read as “background” (seemed informative and fairly neutral) but can’t vouch for.

http://www.chyp.com/assets/uploads/Documents/2014/06/HCE_and_SIM_Secure_Element.pdf

http://www.smartcardalliance.org/resources/webinars/Secure_Elements_101_FINAL3_032813.pdf
