As you are aware, we are expecting a guest from VISA Inc. on Monday. So what is he talking about? I did not ask for too many details because I don't like to impose too much structure on speakers - after all they are doing us a favour. But I know this has something to do with a "cloud-based payment" announcement by Visa in February 2014. MasterCard made a similar announcement in February.
So from what I gather this is about HCE (Host Card Emulation) which is an NFC (Near Field Communication - communication within 10 cm.) based system. Whenever you see words like emulation or virtualization - it's about software replacing (emulating) hardware. So just to be clear, this is not a Google invention although HCE is incorporated in Google's latest version of Android (V4.4 - KitKat) - so Google can use it in Google Wallet. The Blackberry could (and can still) do HCE, but the problem is its not all that popular anymore.
Since none of us are tech people - basically prior to the software solution, there was a hardware solution where the NFC card emulation used the SE (secure element) of a cell phone. This could be the SIM card or a separate chip on the hand set - but from a security perspective this had nothing to do with the OS (so it was difficult to hack relatively immune to malware). In essence, your card credentials can be stored on or in the SE. An example is ISIS. This is an NFC startup. The website states:
Sensitive payment information is stored on a special chip in your phone called the Secure Element. The Secure Element is designed to allow access only to authorized programs such as the Isis Mobile Wallet.
So who is using ISIS? American Express and a couple of banks in the U.S. including Wells Fargo and JP Morgan Chase.
So what's the problem with SE based NFC - well since the SE could be on the SIM card - you need to talk to MNO's (mobile network operators). HFC helps avoid that conversation. The problem however is that it is less secure because the HCE enabled app runs on the phone CPU (central processing unit), as do viruses, spyware and malware. So it's not a good idea to store your card credentials on the phone. VISA is proposing to store the card credentials in the cloud. I suspect HCE based payments (at least for now) are going to be treated as card-not-present transactions - so basically the phone is going to replace your VISA PayWave card and not your VISA card. But we will find out on Monday.
So what's exciting about this? We don't need to rely on MNO's to bring forth payment innovations - but there are other issues. The SE based payments can be conducted with a phone which is out of battery (so long as it does not require user input) - with HFC we need the battery charged and a good internet connection. For the time being I am going to stick to my VISA card - what if I am traveling and don't have a data connection? and what if my phone is out of charge ... it's happened a few times.
I still like the pay-with-my-hand solution - use hand vein biometrics - I don't need my card, and internet connection - nor my phone - the credentials can't be hacked because they are stored in my hand!
This would be a good place to stop - but I can't - I am not much of a Google fan and I don't own an Android device. So what about iOS types? Well we have to wait for Apple to release its iWallet which is supposed to be based on Bluetooth Low Energy or Bluetooth Smart technology. And guess who is snapping at the heels? PayPal. PayPal is supposed to release it's "Beacon BLE technology" so customers can use a PayPal app to pay. I don't like (or use) PayPal either!
PS: Here is a good white paper on security and HCE.