About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

Not quite a thousand flowers

By Dave Birch posted Aug 18 2009 at 8:21 PM

[Dave Birch] Central to the deployment of mobile proximity payments in the mass market is the well-understood problem of the connection between (and control over) applications and service providers. To put it simply, how does a bank's payment application get into a consumer's phone? Well, the GSM Association set out a "standard" architecture that has a box called a Trusted Service Manager (TSM) to take care of that problem. The service provider tells the TSM to send a bank card to your phone and the TSM makes it happen. It's actually fairly straightforward to do this.

DnB NOR and Telenor have been working together on NFC since April 2008 when they formed TSM Nordic, a joint venture charged with creating a trusted service manager to handle the introduction of NFC in the Nordic region.

[From DnB NOR and Telenor begin NFC field trial in Oslo • Near Field Communications World]

Now, the bank or the operator could load the application themselves, so why would they introduce the extra box? Well, we all understand the basic problem, as clearly stated here by Jonathan Gould.

As additional service providers join the ecosystem – such as loyalty operators, ticket issuers and pre-paid cards providers (e.g. transit) – then the possible number of TSMs explodes, increasing the level of complexity accordingly.

[From Asia Pacific Smart Card Association - smart,contactless and NFC business & technology]

Actually, I think the problem may be a little more complex still. But let's look back at the simple case first. A single bank (let's say Citi) does a deal with a single operator (let's say M1 in Singapore) and they need a "TSM" to get applications to the phones. In that case, what has turned into almost a default option is that the personalisation service provider connects their system to the operator OTA:

Gemalto is entrusted with the management and preparation of sensitive user information from Citibank and to perform secure Visa personalization services on the phones enabling subscribers to gain access to the Visa payWave service on Singapore M1's mobile network.

[From Finextra: Citi selects Gemalto personalisation services for Singapore m-payments trial]

Outside the case of banking, where mass personalisation supply chains, certified to a high level of security, already exist, the emerging supply chain may well be different: it doesn't have to follow the bank model, where multiple banks outsource to bureaus and some banks have their own systems in house. This is because different kinds of services require different kinds of TSMs. The TSM capable of delivering military ID applications into USB tokens may have very different security, reliability and flexibility requirements than a TSM capable of delivering a sports ticketing application or a corporate login application. If you are a transit operator, you may find that sharing a TSM with other transit operators makes sense, whereas sharing a TSM with banks doesn't. Therefore, we're unlikely to end up with a single TSM per country, or per region, or per MNO, but we may end up with one TSM per sector outside banking and one TSM per bank/operator service inside banking, which isn't what many people imagined when the TSM model became current. A single TSM just doesn't look right.

There's a pressure in the opposite direction, which serves to stop us from having a thousand TSMs. As has been discussed before (by Consult Hyperion and others), there is a substantial economic advantage to sharing infrastructure and interoperability means significant growth in services. Therefore, in a market such as the UK, one might expect to find four or five TSMs in time. That seems reasonable, so let's move on to another question. Who will run them?

I argue that the MNO should take over the role of the TSM. The MNO already has a Call Center which can be used for the new service support. With the Secure Element (SE) on the MNO SIMs (which looks like the most viable option to deploy NFC), the operator already carries out essential activities such as provisioning, SIM blocking, etc.

[From ForumOxford: NFC Trusted Services Manager]

There's a logic to this, although I have to say that many MNOs seem unenthusiastic about the opportunity. They don't personalise the SIMs themselves, so to build this kind of facility would cost them a lot of money and they'd have to comply with all sorts of security requirements. If an MNO outsources to the same (for example) G&D centre as its bank partner does, then G&D will become the TSM in practice. As the always thoughtful Dean Bubley notes in the ForumOxford piece, the business model for the operator depends substantially on reduced churn, but banks (and their customers) won't want to be locked in to a particular operator unless the operator pays heavily for the privilege.

It's different in the markets that we look at as being the most advanced mobile transaction (eg, payments, ticketing, loyalty, coupons) markets, Japan and Korea. In these markets, there is no concept of a TSM because everything goes through the operator. While there may be arguments about the long term efficiency, innovation and operation associated with this architecture, there's no denying it's an effective way to get markets off the ground. In the Japanese market (where DoCoMo recently announced their target of moving from around 9 million to around 11 million DCMX customers this year), the delivery of (for example) train tickets to the contactless interface in the handset is routine.

Our experiences have been very varied indeed. Having studied the problem and potential solutions for both public and private sector organisations, and having implemented live payment applications -- both open (that is, Visa/MC/Amex) and closed-loop -- in a variety of pilots, and having helped customers on multiple continents to develop architectures for mass-market services, I'm pretty sure that the real world of TSMs and "TSM equivalents" (ie, collections of system components that deliver the same functionality as a TSM) is more complicated than the original GSMA model. The most likely architecture will combine sector-specific TSMs (eg, in transport) with a small number of operator-centric TSM + OTA operations and perhaps a larger number of service-provider specific Application Management + TSM operations.

We've studied a few of these models and the different pressures around them for different customers. Some examples are well-studied: France is a case in point with the payment-oriented Pegasus, transit-oriented Ulysses and retailer-oriented Ergosum multi-operator, multi-provider projects showing how national organisations might influence technical architecture. I think another interesting, if embryonic, case study is Spain, where there is a bank-oriented pilot led by the processor (SERMEPA) co-ordinating the banks' "TSMs" (by which I mean existing bureaus plus OTA interfaces).

Mobile operator Telefónica Espana has launched a "comprehensive pilot project" to test out the use of NFC to deliver payment services through mobile phones. For the pilot it has teamed up with Sermepa, the technical arm of ServiRed, the transaction processing service owned by 102 Spanish card issuers who, between them, have nearly 40 million cards in circulation and operate over 32,000 ATMs.

[From Telefónica and Sermepa launch NFC pilot in Spain • Near Field Communications World]

I understand that there is to be another transit-oriented pilot where the transport companies will co-operate on a single shared TSM that connects to MNO OTAs. There has already been a single company pilot running in Malaga using Orange handsets. It will be instructive to see how these different models evolve.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public

Comments

Not the typical collection of ideas rewritten a thousand times. You guys were really great and helpful.

Jason Zenteno
