Peter Lucas
The sluggish progress of near-field communication in payments has TSMs looking to extend their services to cloud-based wallets and beyond.
Consider the plight of the trusted service manager.
Its fate is closely tied to mobile payments that use a form of short-range, interactive radio-wave exchange called near-field communication (NFC). But NFC is mired in industry bickering over a host of issues, leaving TSMs to ponder their next step.
“The future role of the TSM, which is closely tied to NFC, is a question mark,” says Mary Monahan, research director for mobile at Pleasanton, Calif.-based Javelin Strategy & Research.
It’s remarkable how fast TSMs got into this fix. After all, only a few years ago, as NFC emerged as a hot new technology for mobile payments, the future looked bright, and scores of companies jumped into the business. Now TSMs are looking at a range of alternatives, including cloud-based wallets and person-to-person payments.
Hassle And Liability
To parse what’s happened, it helps to take a look at who TSMs are and what they do. It’s a little-understood, much under-rated, unglamorous business, but one that is essential if mobile payments are to develop based on the NFC standard.
Start with consumers. They don’t think twice about what goes on behind the scenes to turn their phone into a digital wallet, they just expect to seamlessly and securely download any payment and loyalty card over the air, regardless of their mobile device or mobile carrier.
But providing consumers with the flexibility to add cards and delete them at will in the NFC world is no easy task. Technical connections between the mobile network operator (MNO), which typically controls the chip, or secure element, in the mobile phone where the digital wallet resides, and the service provider, or payment and loyalty card issuer, need to be in place to download a wallet to the secure element.
Beyond a handful of the largest banks, most financial institutions don’t have the wherewithal to undertake building such an infrastructure. As a result, the envisioned ubiquity of wallets among carriers and mobile devices has been slow to materialize.
On the other side of the coin, while MNOs are happy to rent out space on the secure element to service providers, they don’t necessarily want the hassle or liability of managing and encrypting sensitive card data or setting up the business relationships with the many service providers in the market, all of which have varied needs.
Enter the trusted service manager, a neutral third party that knows the data-formatting requirements and encryption keys for securely loading, or provisioning, the consumer’s account and personal information onto the secure element, regardless of the card brand or MNO.
In essence, TSMs build a bridge between MNOs and service providers, making it possible for them to greatly expand the reach of NFC wallets to consumers.
“TSMs provide interconnectivity, which prevents consumers from being locked into a specific wallet application and mobile carrier,” says Amol Deshmukh, vice president, mobile financial services, North America for Arlington, Va.-based Gemalto Inc.
In many ways TSMs provide the same kinds of services as fulfillment houses that contract with debit and credit card issuers to provision account and personal data onto a card’s magnetic stripe and emboss the cardholder’s name, card account number, and expiration date on the front of the card.
The big difference, of course, is that TSMs provision account and loyalty card data onto the mobile phone’s secure element over the air using the MNO’s network.
Since TSMs handle all the data formatting and security issues for payment and loyalty cards, MNOs and service providers do not need to set up dedicated connections to one another.
In addition, TSMs also provide lifecycle-management services to service providers, such as deleting cards from phones that have been lost or stolen or that the consumer no longer wants in the wallet, managing call centers, application testing, billing, reporting, and in some cases a wallet application for banks that have not developed one.
‘Neutral Entity’
Many of the giants of the card-fulfillment world double as TSMs. In addition to Gemalto, Atlanta-based First Data Corp., Munich-based Giesecke & Devrient, and France-based Oberthur Technologies are among the most recognizable names.
Other smaller players, such as Redwood City, Calif.-based Sequent Software Inc. and Alpharetta, Ga.-based SK C&C USA, service either service providers or MNOs, working in conjunction with their TSM counterpart to provision digital wallets and their content to the secure element.
“Some TSMs have software around the wallet itself or the secure element and some like First Data and Gemalto already do card provisioning and are simply taking those services to the next payment ecosystem,” says Javelin’s Monahan.
Because TSMs that serve as card-fulfillment houses already have their foot in the door for card provisioning, their cost to set up a dedicated TSM is much less than if they were to start up the business from scratch. The same goes for TSMs that have applications for NFC-based payments.
“Companies like Gemalto already have huge sunk costs in their provisioning business, so they are just leveraging their basic infrastructure for that business to start a TSM,” says Cherian Abraham, a senior business consultant with Costa Mesa, Calif.-based Experian’s global consulting practice.
TSMs typically focus on servicing either secure elements or service providers, which means two TSMs are almost always involved in provisioning the wallet to the phone.
When working with a service provider, for example, First Data provides the connection to carriers’ TSMs to ensure its clients get access to as many secure elements as possible. When First Data is the secure-element TSM, it sets up security domains on the chip and makes them available to service-provider TSMs. Additionally, it will rotate encryption keys and manage the chip’s memory for the MNO.
“Card issuers want access to as many MNOs as possible through a single third-party and vice versa, and as a neutral entity we can facilitate that,” says Christopher Cox, vice president, product development for First Data.
In some cases, however, TSMs are set up to service both the MNO and the service provider. Some MNOs and service providers find this arrangement more appealing because they can use a common TSM, which means one less third party handling sensitive card data and having access to the secure element.
Says Chuck Fillinger, a senior associate for Omaha-based consultancy The Strawhecker Group: “Every new party that enters the NFC-wallet ecosystem is one more player that has to be carefully managed by the bank and the MNO.”
‘A Big Opportunity’
That’s what TSMs have been doing so far, but now the painfully slow adoption of NFC wallets—which consumers tend to view as a new form factor rather than a revolutionary technology—is prompting many TSMs to hedge their bets. They’re positioning themselves to provide over-the-air provisioning for digital wallets stored not in the phone but on a secure server, i.e. the cloud, and accessed from an app on a mobile phone.
“Mobile payments and digital wallets are starting to converge in the cloud and someone has to manage the provisioning of those wallets,” says Monahan. “Look at Google Wallet; it has started to move away from NFC with the introduction of a cloud-based component to its wallet.”
Indeed, despite more handset makers introducing models equipped with NFC chips, the double whammy of consumers’ indifference and Apple Inc.’s persistent reluctance to include NFC chips on its iconic iPhone leaves the future of NFC wallets shrouded in a fog. Making matters worse is that banks are not lining up to contract with MNOs to support their digital wallets. Instead, the parties are bickering over who owns the customer.
All of this puts TSMs in an undesirable position, because their business model is directly tied to supporting NFC technology. Without wide-scale consumer adoption, which could take years or may never happen, their revenue streams are severely crimped, as they make the bulk of their money from recurring service fees. Giesecke & Devrient, for example, receives monthly fees for managing the security of the wallet on the secure element.
“Lifecycle management and other add-on services is where TSMs earn a good portion of their revenues,” explains Lauri Pesonen, group vice president, global head of business line for NFC at Giesecke & Devrient.
While companies such as Giesecke & Devrient, First Data, and Gemalto have dedicated TSM units to service NFC wallet providers and mobile networks, they are setting up divisions within their companies to gain a toehold in other emerging segments of mobile payments that require provisioning, such as person-to-person payments and money transfers.
Gemalto, for instance, has partnered with Western Union to certify servers that initiate a money transfer from one consumer to another via a mobile device. The service has not yet been introduced in the U.S.
The company is also nudging into cloud-based wallets and is the TSM for the Merchant Customer Exchange (MCX), a joint venture by leading U.S. retailers to create a new mobile-payments platform. MCX is rumored to be developing a cloud-based wallet that creates single-use QR codes that can be scanned from a consumer’s phone at the point of sale. The QR code is generated using a stored copy of a consumer’s credit card on a secure server.
“As a technologically agnostic company, we can enable NFC and cloud-based wallets and help companies bridge the gap between the two worlds,” says Gemalto’s Deshmukh. “Our platform also allows us to personalize and secure card data for P2P payments. We see a big opportunity for this service in Mexico, North and South America, and Asia.”
With TSMs lessening their reliance on NFC, payment experts are debating whether they are staying true to their mission of securely downloading and managing data on an NFC chip.
“The definition of a TSM may be changing, but whether it is securing cards for a mobile wallet, P2P, or some other type of mobile payment, TSMs are essentially filling the same role as they do with NFC wallets,” says The Strawhecker Group’s Fillinger. “TSMs do not have to be totally reliant on NFC for growth.”
And MNOs and service providers looking to adopt NFC still need trusted, neutral third parties to bridge the gap between their two worlds so they can expand their service to consumers.
Indeed, until the business case for NFC wallets collapses, TSMs will be there to link MNOs and service providers—just don’t expect them to exclusively focus their business on NFC.
Could Visa and MasterCard Become TSMs?
The changing role of the trusted service manager has led to speculation about whether Visa Inc. and MasterCard Inc. might enter the fray. The giant card networks, after all, provide many of the same core services as TSMs, such as virtual card management, global interconnectivity to banks, data security and encryption.
Further, both networks have card-provisioning units. Visa’s over-the-air provisioning service for smart phones for use with its payWave mobile-payments system launched in 2012 and was co-developed by Oberthur. MasterCard launched its mobile over-the-air provisioning service, MoTaps, in 2011. MasterCard did not respond to interview requests.
The benefit to card issuers is that, as TSMs, Visa and MasterCard could offer small banks a more affordable solution through the sheer scale they could bring to the business.
“Nevertheless, the question around Visa and MasterCard becoming TSMs is whether they would remain neutral or have an agenda they want to push,” says Mary Monahan, research director for mobile at Pleasanton, Calif.-based Javelin Strategy & Research.
The question of Visa’s neutrality was raised earlier this year when it announced its deal with handset maker Samsung to pre-load its payWave applet on embedded secure elements in select Samsung devices. The deal could open the door for banks to offer NFC payments without any involvement from mobile network operators.
Whether or not cutting MNOs out of provisioning digital wallets is Visa’s intention is unclear, as Visa executives were unavailable for comment. Despite the yellow flags seen by some payments experts arising from the deal, Cherian Abraham, a senior business consultant with Costa Mesa, Calif.-based Experian’s global consulting practice, argues that potential for a conflict of interests between Visa and MNOs does not exist.
“The Visa-Samsung deal is around the embedded SE [secure element], not the SIM-based SE, which the MNO owns. Therefore, MNOs do not and are not expected to play a role in limiting the extent of Visa’s solution,” says Abraham. “Are MNOs happy that Visa has its own solution, no, but Samsung is the only OEM that has the scale and the clout to pull something off like this in the Android ecosystem. Now with Google’s acquisition of [handset maker] Motorola Mobility, we should see embedded SEs popping up on Moto devices too.”
While having an agenda has not stopped Visa from competing with banks and technology partners in the past—Visa did have an acquiring unit at one time and provides fraud-detection services through its CyberSource unit—the bottom line is growth prospects for TSMs serving only the NFC market are not robust enough to draw the networks’ attention to the business.
“Without real growth, there is no reason for either Visa or MasterCard to jump into this market,” says Abraham.