Apple’s Lagging Adoption of Token-Protected NFC Mistaken For “Innovation”

A new report from Bank Innovation suggests that Apple, Inc. (AAPL) will secure the NFC payment system in iOS 8 using its patented implementations of tokenization technology.

I. Apple + VeriFone = iOS NFC?

Apple is the last major smartphone platform provider to add NFC support. But as interesting details leak out, some are mistaking its long-overdue bid at secure mobile payments for “innovation”, when in reality it closely emulates features that rivals have carried for up to half a decade or more.
Bank Innovation writes:

This seems like a logical move for Apple for a payments initiative that is certainly a long-term play. Current and former executives from competing technology companies involved in payments — who all requested anonymity — agreed that it is extremely plausible for Apple to rely on banks for the token technology, especially since Apple has already been engaged in extensive negotiations with banks on other fronts. “It’s very Apple-like to use some new combination of these existing technologies,” a source said.

Apple’s interest in the use of NFC technology and tokenization — and using the combination both – has broad, long-term potential with valuable use cases. Apple can potentially use tokenization technology and apply it to “real-life applications, as well as like transit, building access, and hotel keys,” said James Wester, global head of payments at IDC Research.
Apple’s tokenization patent — “Secure communication between trusted parties”, U.S. Patent No. 8,468,580 — was filed in Aug. 2009 and granted in June 2013.  The patent indeed references the features which could eventually be incorporated into the iPhone 6.

It states:
As discussed with respect to the generalized electronic device of FIG. 1, the handheld device 30 may allow a user to connect to and communicate through the Internet or through other networks, such as local or wide area networks or cellular networks. For example, the handheld device 30 may allow a user to communicate using e-mail, text messaging, instant messaging, or other forms of electronic communication.

The handheld electronic device 30, may also communicate with other devices using short-range connections, such as Bluetooth and near field communication. By way of example, the handheld device 30 may be a model of an iPod™ or iPhone™, or a derivative thereof, available from Apple Inc. of Cupertino, Calif. 
The report also indicates that Apple may be pairing with VeriFone Systems Inc. (PAY) to implement the NFC-equipped payment platform for iOS. Other reports indicate that Apple has signed with Visa Inc. (V), American Express Comp. (AXP), and MasterCard Inc. (MA) (in addition to possibly VeriFone) to help with its payments.

VeriFone’s NFC-equipped MX 915 point-of-sale (PoS) terminal has been reportedly spotted in Apple Stores.
The report claims to have spotted dormant NFC payment features at Apple stores.  These capabilities were offered via VeriFone MX 915 systems.

II. New and Innovative?  Reality Distortion at its Finest

While full of interesting details, the article has one major flaw: it gives the false impression that banking tokenization is a new development when it comes to NFC.

The safety and consulting company UL (Underwriters Laboratories) summed up these kinds of misunderstandings in a recent article:
The concept of tokenization in payments is absolutely nothing new. However, in the last months it is gradually becoming the new buzz word in the industry. And as it goes, the conceptual meaning of tokens start to multiply, creating mixed-up semantics depending on where you are standing in the market.

The reason is that tokens are being perceived as a technical driver to a more profound change in the way we do payments, and is considered to be the enabler of other (equally fashionable) industry wishes, such as ubiquity, authentication and omni-channel payments. But what do we really mean by “tokens”?

To simplify, and to categorize, we recognize that the payment industry usually refers to two different forms of tokens, namely, (1) Token as an authentication mechanism and (2) Token as an object that can be mapped to your card or bank account.
Japan has been using a combination of tokenization and encryption to secure its mobile wireless “wallets” for over half a decade now.  Such devices launched around the same time as the original iPhone (2007).

In the U.S., Google Inc. (GOOG) was the first major platform provider to get onboard with token-protected digital payments. Its NFC Wallet app debuted in Oct. 2011 with the public launch of Android 4.0 “Ice Cream Sandwich”.

The UL article notes the use of tokens in Google Wallet’s NFC payment system, writing:
One very nice example that combines all concepts above is the HCE (host card emulation) version of the Google Wallet, which is already operational within the US in Android 4.4 KitKat. The Google Wallet can be used for NFC payments at physical POS. Google, via its partner bank, keeps full control of the payment authorization via

  1. Token for authentication: Although the payment is a standard NFC transaction, the authentication cryptogram is not generated by a chip within the mobile phone (i.e. a secure element). Authentication tokens are generated in the “cloud” and pushed to the handset. For every transaction, a different token is used. Although the security of such HCE, cloud-based architecture has been criticized, it definitely opens the door to a whole new realm of implementation options.
  2. Token for mapping an account: Within Google Wallet you can choose to use several different payment cards. However, when a payment is done at the POS, a dummy-account number is used. Your card numbers are not known by the handset; instead, an account token is used. When the transaction goes online, the account token is mapped back to the card of your preference (in the cloud!). This is a very simple form of account tokenization, but still, by doing data Google is in complete control of the cardholder data. The bank that issues the payment card that you’ve added to your Google Wallet has no visibility whatsoever of where you’ve been shopping. Here, account tokens are used both for security and control.
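
The two token roles described in the UL passage above can be sketched as a toy model. This is an added illustration, not code from UL, Google or the article; the class names, token formats and the test card number are assumptions made for the example.

```python
import secrets

class TokenService:
    """Cloud side (hypothetical model): the only place real card numbers live."""

    def __init__(self):
        self._vault = {}    # account token -> real card number (PAN)
        self._unused = {}   # account token -> one-time auth tokens not yet spent

    def enroll(self, pan):
        # Account token: random dummy number, not derivable from the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._vault[token] = pan
        self._unused[token] = set()
        return token

    def push_auth_tokens(self, account_token, count=3):
        # Authentication tokens are generated in the cloud, then pushed to the handset.
        batch = [secrets.token_hex(8) for _ in range(count)]
        self._unused[account_token].update(batch)
        return batch

    def authorize(self, account_token, auth_token):
        unused = self._unused.get(account_token, set())
        if auth_token not in unused:
            return None                      # forged, or already spent (replay)
        unused.remove(auth_token)            # a different token per transaction
        return self._vault[account_token]    # mapped back to the card, in the cloud

class Handset:
    """Phone side: stores tokens only, never the card number."""

    def __init__(self, account_token, auth_tokens):
        self.account_token = account_token
        self.auth_tokens = list(auth_tokens)

    def tap(self):
        # What the POS terminal (or an eavesdropper) gets to see.
        return {"account": self.account_token, "auth": self.auth_tokens.pop()}

def demo():
    pan = "4111111111111111"                 # constructed test card number
    cloud = TokenService()
    account_token = cloud.enroll(pan)
    phone = Handset(account_token, cloud.push_auth_tokens(account_token))
    seen_at_pos = phone.tap()
    first = cloud.authorize(seen_at_pos["account"], seen_at_pos["auth"])
    replay = cloud.authorize(seen_at_pos["account"], seen_at_pos["auth"])
    return {"pan_at_pos": pan in seen_at_pos.values(), "first": first, "replay": replay}
```

The first authorization resolves to the card, while replaying the same captured message is rejected because its authentication token has already been spent.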

A year after the launch of Google Wallet, the NFC entrant was joined by another competitor — Windows Phone. Microsoft Corp. (MSFT) introduced tokenization to secure its transactions on both the account identification and authentication fronts, starting in 2012 with Windows Phone 8, which includes a Wallet app that works similarly to Google’s.

A white paper [PDF] describes the FreedomPay platform which supports the Wallet app, writing:
Secure, point-to-point encrypted and tokenized card payment integration with commerce partners and existing POS hardware.

Microsoft’s implementation is driven by partner FreedomPay, a startup founded in 2000 that provides secured payment platform services to a variety of companies.
In the third-party solutions space, Visa and other large financial firms have also been developing and filing patents on token-secured NFC payment solutions.  The Bank Innovation piece quotes Visa’s vice president of digital solutions, Brad Greene, as saying:
[Tokenization] certainly addresses security and fraud…there’s another part of the story — tokens provide innovators with flexible, purposed, and driven credentials in their customers’ experiences instead of actual data.  If tokens are intercepted by an attacker… [they] would be worthless or greatly diminish.
A Wall Street Journal report offers slightly more interesting news — that the upcoming iWatch may carry NFC payment support. But then again, this isn’t exactly new. A number of Android and non-Android smartwatches have already featured token-protected NFC payment solutions. One example is Sony Corp.’s (TYO:6758) NFC-equipped SmartWatch 2, which launched last October, priced at $199 USD.

The misrepresentation of Apple using this proven solution as a new “innovation” may be unintentional. As the UL piece notes, many appear confused about “token” and “tokenization”, which have become buzzwords. Still, it’s important to offer a bit of proper history and perspective to avoid the appearance of reality distortion.
