The Google Wallet continues to dominate the emerging field of mobile payments with its strong lineup of financial industry and merchant partners including Citi, MasterCard, Visa and First Data. We caught up with Rob von Behren, co-founding engineer for Google Wallet, this week to find out what's on the drawing board for this product in the coming year, as well as the company's overall technology philosophy vis a vis mobile payments.
In 2012, Google will expand out its APIs to make it easier for third parties such as Groupon, merchants and banks to interact with the Google Wallet, von Behren says, noting that Google will not charge for the use of these APIs. "From Google's perspective, the wallet is an appliance for users," he says. "It should be able to hold whatever a user would want in it. It should work with all credit cards and coupons from third parties such as Groupon. The way that Google Wallet or any wallet will be successful is by being as open as possible and allowing as many different payments into the wallet."
The new APIs would allow banks to more easily interact with the wallet and with their customers. "If I'm looking at a credit card in the wallet, I'll be able to click a button or link and go out to my Citi application on the same handset and look at my mortgage value or whatnot," von Behren says. "We'll be working on other APIs that make it easier for banks to offer cards to their users. So if I'm in my Citi application, I might get asked if I want my credit card sent to my wallet. That would make that application process a smoother for users."
Although so far Citi is the only bank that lets its cards work with the Google Wallet, Google is in conversations with all the large banks, von Behren says, which are at various stages of interest. Some technical work is required on the part of banks and payment processors like First Data to move their cards onto the Google Wallet and this will take time, he acknowledges. "Many of the banks' host customer database systems are set up to do batch processing of credit accounts. To issue a new credit card, typically they gather all the credit accounts into a file that's sent to a personalization bureau that prints and mails out plastic cards," he says. "Most banks are not set up to do real-time issuance of a card out to a phone, but many are in the process of updating their back-end systems. We're discussing the technology with them, working with them to ease that technology transition, and also working with the industry at large to back standards around this." Standards would enable banks to make one technology upgrade and then let their cards work with any mobile wallet.
The company is also working on similar APIs to improve the experience for merchants. For instance, one would allow a customer perusing target.com to purchase a gift card and electronically send it over to a family member who has the Google wallet. Google is also working to extend its merchant network, but like banks, merchants have technology upgrades to make to accept the Google Wallet. For one thing, they need to make software changes to receive the dynamic CVV codes the wallet application issues. And they have to make sure their payment terminals can understand the protocols that are being used by the handset. "That's a big challenge for the industry in general and something that we spend a lot of time working on," von Behren says.
Google is also working with handset manufacturers to increase the number of devices that will work with Google Wallet; currently only the Samsung Nexus S phone is compatible. "We've had conversations with lots of OEMs, we get approached by OEMs all the time," he says. "We make sure they understand what's required for the phone to work with an NFC payment and be compatible with the security requirements of the Google Wallet," he says. "There's lots of interest in the industry in general, there's a lot of motion." von Behren could not comment on any developments in Google's purchase of Motorola Mobility, which Motorola Mobility shareholders approved on Friday; the acquisition still awaits approval from the Department of Justice. But if the merger goes through, that will give Google the opportunity to make its own Google Wallet-friendly phones.
On the telecom network provider side of the picture, while Sprint is the only provider on board with Google Wallet to date, Google also has an open call out to all carriers. "We're happy to work with all of them and have a lot of ongoing conversations with them," von Behren says. "It comes down to them figuring out what they want to do in this space. A lot of them are still researching their options. They've put together Isis as a joint venture and they're exploring what the options are there. Isis is doing field trials at the end of 2012, so it may be that the other carriers will wait around and see what happens with the Isis test."
Google's most recent engineering move, the merging of the mobile payment application with Google Checkout, an online payment processing service that the company launched in June 2006, was another step toward openness. "For the consumer, the best way to have a wallet product is to make it a natural and easy place to manage payments, like a physical wallet," von Behren says. "It makes a lot of sense for the user to say, I have my six credit cards, I should be able to put them in one place and use them online or offline."
Perhaps one key to the success Google has had in lining up partners is its anything-goes approach to mobile payment technology.
On the issue of who will control the "secure element" - in other words, the hardware portion of a mobile device that stores account information and the cryptographic keys used to generate a one-time version of the card verification value code - Google says it has no preferences. (This temporary CVV provides a big advantage in fighting fraud, von Behren notes, in that it enables the bank to verify the CVV it expects to see for a particular transaction. "If somebody put a card skimming device on the merchant terminal and tried to re-use card transaction information, the bank would be able to see that the transaction already took place and that this new iteration must be fraudulent," he says.)
The payment protocol works the same regardless of whether the secure element hardware is a SIM card, a microSD chip or embedded in the handset, von Behren says. "The only differences are in how the handset is connected to the secure element and how the antenna for the NFC interaction is done," he says. "Some of the microSD solutions include a microSD antenna that's really tiny one and the radio properties tend to be a bit weaker than if you have a larger antennae built into the handset. You can run into problems with a tiny antenna like that, too, if it happens to be next to the battery or some other large, metal piece of the phone; you get a lot of radio interference. There are other techniques that some of the microSD folks use that work a little better, but that technology is still in the development process. It's not quite ready for mainstream but it's very promising."
The telecom network carriers are gravitating toward SIM card-based secure elements. This has its pros and cons, von Behren says. "There are some SIMs, for example, that don't include the right tamper-proof hardware," he says. "Those would not cut muster. There are secure SIMs and those are fine. In the case of having credentials on a SIM card, you can easily take all your credit cards and pop them into a new phone. But on the flip side, if you're on a SIM-based phone and have your credentials on the SIM and you go on vacation to Europe or Australia and use a local SIM so you can actually make phone calls, all your credentials may be stuck in your luggage." However, Google is happy to work with both formats and will try to smooth the user experience for both.
The Nexus S phone with which the Google Wallet works has an embedded secure element (a computer chip) that can run programs and store data. It's separate from the Android phone's memory and only allows programs on the secure element itself to access the payment credentials stored therein.
When evaluating new devices, Google follows MasterCard's chip authentication protocol, which specifies security requirements for secure elements. Google also does its own internal evaluation of the overall security of the handset, the Android operating system and the wallet software to make sure there are no problems. "We also go through a number of reviews to make sure the physical and radio properties of the NFC in the device are sufficient, so there's a good user experience," says von Behren.
Not all NFC phones are created equal, depending on the design of the antenna, the layout of the board and other factors, von Behren points out. "You can have good behavior with one type of reader but bad behavior with a different kind of reader," he says. "We do a lot of compatibility tests to make sure the device will behave well for peer-to-peer NFC interactions for reading posters and for NFC payments," he says.