Banks are finally figuring out that they need to serve the customer when it comes to mobile payments. But is it enough?
Yesterday, I used my smartphone to pay for a pizza slice. Big deal, right?
But it was a big deal. See, the phone I used, the Galaxy S7 edge, isn't publicly available (yet another reason I love this job), and the SIM card is just your run-of-the-mill variety.
I bank with TD Canada Trust, Canada's second-largest bank by customers (and market cap). Until last week, having an unreleased phone or a SIM card without a Secure Element would have prevented me from using TD's app to make mobile payments. But slowly, the Canadian financial sector is waking up to the reality that customers come first, and convenience, not closed systems, is what is going to advance the industry as a whole.
Last week, TD updated its Android app to support a technology called Host Card Emulation, or HCE, which was co-developed between Google and two payment companies, Visa and MasterCard. HCE takes the highly sensitive (and secret) credit card information, which has traditionally been stored on an NFC-compatible SIM card with a Secure Element, and moves it safely to the cloud.
That minor change is important for a number of reasons. Traditionally, banks had to work with carriers and manufacturers to certify specific devices for use with their mobile payment solutions, an untenable workflow in a vibrant mobile ecosystem like Canada's. A Bell customer, for example, could discover that her Sony Xperia Z5 was incompatible with her CIBC banking app because the three players in the chain — Bell, CIBC, and Sony — didn't follow through on their obligations to consumers.
Under this system, it also meant that new devices — even popular ones, like the latest Galaxy smartphones — would take months to be certified, preventing early adopters, often the ones most excited about the prospect of transitioning to mobile payments, from using the service.
With HCE, that all changes. While only TD Canada Trust and RBC Royal Bank currently support Host Card Emulation in their apps, the only prerequisite is an Android device running version 4.4 KitKat or newer; even Nexus devices, which were previously locked out of the certification process, are supported.
To the average consumer, all this tech talk is noise; they just want to know if their smartphone will be able to make payments at touchless payment terminals around the country. Increasingly, that answer is yes, which is a good thing. Unfortunately, there are still serious issues throughout the ecosystem.
For one thing, unlike Samsung Pay, Android Pay and Apple Pay, banks are still relying on good ol' PIN codes for authentication, which misses the added security and convenience of the myriad devices shipping with fingerprint sensors, dating all the way back to the Samsung Galaxy S5. Sure, while only devices running Marshmallow and above technically support Google's Imprint API, implementation of Host Card Emulation without biometric authentication is like eating a piece of pie and being told you have to chase it with raw broccoli.
TD and RBC together make up some 30% of Canada's consumer banking market, but the other big banks, namely Scotiabank, CIBC, BMO, Desjardins, National and a few others, either offer no mobile payment solution, or still rely on the aging, device-specific infrastructure that debuted back in 2013. Quick to adapt these institutions are not.
Furthermore, despite improvements to the apps themselves, they are still just that: apps. Android Pay and Samsung Pay integrate directly into the operating system, removing the friction between removing the phone and initializing the payment. Canadians are used to seamless card-based transactions — we've had both chip-and-PIN and touchless payments for years — so forcing customers to open a third-party app and enter a separate PIN feels clumsy.
At this point, though, given how tightly the banks are trying to control their respective mobile payment solutions across both Android and iOS (on the latter, by trying to negotiate higher interchange fees before approving Apple Pay), a Host Card Emulation-based solution is likely the best we can expect for the time being. Later this year, when Samsung Pay rolls out, we hope the banks are more amenable to negotiation. It would be a shame to see a repeat of what iOS users have been dealing with on the Apple Pay side.
Now, if you'll excuse me, I'll be making mobile payments with my unreleased Galaxy S7 edge.