Sources: New Scientist
Point of View
The solution, the DigiTally project from Cambridge University, uses a chip to process and authenticate transactions without SMS or network access, built on a thin film of electronics that “can be stuck over existing SIM cards and inserted into phones”. Often referred to as a ‘shim’, these thin films of electronics were sold in a number of markets as stop-gap solutions to be added to handsets for mobile contactless payments before the wider rollout of NFC handsets. The inconvenience to consumers of having to fit a shim to their handset means that the solution doesn’t scale very well.
So, while shims have a patchy history as a usable technology, the ability to address secure hardware on the handset is a desirable feature but remains a challenge for applications. The SIM would be a natural choice, if it were open for use, but it is tied to the mobile network operator (MNO). Handset manufacturers are aiming to move away from physical SIMs to an embedded SIM (e-SIM), which allows mobile network security credentials to be downloaded without the customer having to replace the physical SIM itself. This is particularly important for Internet of Things (IoT) devices, where access to the device may not be possible after it is sold, but it is expected to be available in regular handsets in the near future.
On Apple handsets, mobile contactless payments addressed the issue by embedding a secure chip in the handset, but this just moves control of a closed environment from the MNO to Apple. On Android, the workaround has been to remove the need for secure hardware for contactless payments and to use Host Card Emulation (HCE) on the normal application processor, while restricting the use of cryptographic payment keys to a single transaction and to a specific merchant domain through tokenisation: a key or token lifted from the phone is then only good for one payment at one place. This allows industries other than payments to take advantage of the approach.
Both these examples, e-SIMs and HCE, demonstrate that the flexibility of open platforms allows for innovation, which ultimately leads to more competitive services, and should be encouraged.
While the DigiTally project for no-network P2P payments may be short-lived (if the history of other examples is anything to go by), it highlights that the requirements for effective retail payment systems often have to include offline capabilities to allow for those exceptional payment situations where connectivity is not possible. As both mobile and payment cards start to evolve away from dedicated secure hardware to more flexible and (over time) more cost-effective solutions, for example by using limited-use and domain-specific credentials, delivering a user experience equivalent to a traditional plastic card can become more of a challenge. This may continue to allow specific solutions to gain traction for specific use cases, or require special adaptations to existing products. A good example of this is the risk-based approach being used for open-loop card payments on transit systems.
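As an added illustration of the limited-use, domain-bound credential model that the HCE paragraph and the closing paragraph above refer to, the following is example code written for this page; it is not DigiTally's design, not Android's HCE implementation, and not any card scheme's actual protocol. The HMAC-based key derivation, the message formats, the verdict strings, and the names TokenServiceProvider, HceWallet, derive_luk, cryptogram and run_demo are all assumptions made for the example. It shows why a stock of single-use keys lets a phone pay offline for a while, why a captured cryptogram cannot be replayed, and why a token copied to another merchant is useless there.

```python
"""Illustrative model of tokenised, limited-use payment credentials.

Constructed example for this page: not DigiTally's design and not any
card scheme's actual protocol. A token stands in for the card number and
is bound to one merchant domain; each payment uses a key derived for one
application transaction counter (ATC) value, so it cannot be replayed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def derive_luk(master_key: bytes, token: str, atc: int) -> bytes:
    """Limited-use key for one ATC value; only the issuer holds master_key."""
    label = f"LUK|{token}|{atc}".encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()


def cryptogram(luk: bytes, token: str, atc: int, amount: int, domain: str) -> str:
    """Transaction cryptogram over everything the issuer must check."""
    msg = f"{token}|{atc}|{amount}|{domain}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Issuer-side token vault: keeps master keys and enforces the limits."""

    def __init__(self):
        self._tokens: Dict[str, Tuple[bytes, str]] = {}  # token -> (master key, domain)
        self._used: Dict[str, set] = {}                   # token -> consumed ATCs
        self._next_atc: Dict[str, int] = {}

    def issue_token(self, merchant_domain: str) -> str:
        token = secrets.token_hex(8)
        self._tokens[token] = (secrets.token_bytes(32), merchant_domain)
        self._used[token] = set()
        self._next_atc[token] = 1
        return token

    def provision_luks(self, token: str, count: int) -> Dict[int, bytes]:
        """Online step: hand the wallet `count` single-use keys, never reusing an ATC."""
        master_key, _ = self._tokens[token]
        start = self._next_atc[token]
        self._next_atc[token] = start + count
        return {atc: derive_luk(master_key, token, atc) for atc in range(start, start + count)}

    def verify(self, tx: dict, acquirer_domain: str) -> Tuple[bool, str]:
        """Authorisation. acquirer_domain is where the acquirer says the token
        was presented, not anything the wallet wrote into the transaction."""
        rec = self._tokens.get(tx["token"])
        if rec is None:
            return False, "unknown token"
        master_key, bound_domain = rec
        if acquirer_domain != bound_domain:
            return False, f"domain mismatch: token bound to {bound_domain}"
        atc, used = tx["atc"], self._used[tx["token"]]
        if atc in used:
            return False, f"replay: ATC {atc} already consumed"
        luk = derive_luk(master_key, tx["token"], atc)
        expected = cryptogram(luk, tx["token"], atc, tx["amount"], acquirer_domain)
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "bad cryptogram"
        used.add(atc)
        return True, "approved"


class HceWallet:
    """Phone-side wallet on the ordinary application processor: no secure
    hardware, just a small stock of LUKs consumed one per payment."""

    def __init__(self, token: str, domain: str, luks: Dict[int, bytes]):
        self.token, self.domain = token, domain
        self._luks = dict(luks)

    def pay(self, amount: int) -> dict:
        """Works offline until the LUK stock is exhausted."""
        if not self._luks:
            raise RuntimeError("no limited-use keys left: replenish when online")
        atc = min(self._luks)
        luk = self._luks.pop(atc)  # single use: the key is gone once spent
        return {"token": self.token, "atc": atc, "amount": amount,
                "cryptogram": cryptogram(luk, self.token, atc, amount, self.domain)}


def run_demo() -> list:
    """Exercise each limit; returns the issuer's verdict for every attempt."""
    tsp = TokenServiceProvider()
    token = tsp.issue_token("shop.example")
    wallet = HceWallet(token, "shop.example", tsp.provision_luks(token, 3))
    tx1 = wallet.pay(1250)
    verdicts = [tsp.verify(tx1, "shop.example"),        # genuine payment
                tsp.verify(tx1, "shop.example")]        # replayed cryptogram
    tx2 = wallet.pay(500)
    verdicts.append(tsp.verify(tx2, "other.example"))   # token lifted to another merchant
    tampered = dict(wallet.pay(100), amount=100000)     # amount altered in transit
    verdicts.append(tsp.verify(tampered, "shop.example"))
    return verdicts
```

Two design points are worth noting. The issuer checks the merchant domain reported by the acquirer, not a field the wallet supplies, so a stolen token presented elsewhere fails before any cryptography runs. And the wallet's ability to pay without connectivity is bounded by how many keys were provisioned during its last online session; the trade-off the closing paragraph describes, between dropping dedicated secure hardware and matching the always-works experience of a plastic card, shows up here as the RuntimeError raised when that stock runs out.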