My starting point for this is the evolution of the Android SmartPos and in particular the version at the lowest common denominator also known as SoftPos, which allows most Android phones to become NFC payment terminals. This is the domain of the Android operating system because Google has allowed unrestricted access to NFC since the days of GooglePay (2015ish), hence it doesn't surprise that when we talk about the SmartPOS, we really talk about the Android operating system with custom hardware and software.
Now, we have known for some time that Apple will be entering this space (and has in fact in some markets) with the iPhone given the acquisition of Mobeewave. What is different to the Android ecosystem, however, is that Apple is again controlling every aspect surrounding the user experience. Let me try to reach a bit further and just to be clear: I’m not an expert when it comes to Terminal hardware and PCI security. Further I have not signed an NDA with Apple, so a lot of this is from my own investigations and extrapolations and I could of course be wrong. I reference PCI and EMV, however, I will not go into the details of these organisations and their frameworks because it will make this post unnecessarily long. But PCI and EMV are standards and requirements to ensure the security, hardware requirements, software requirements and protocols to make payment acceptance work end to end, globally.
Which brings me to the point that SoftPos or the payment acceptance on Android phones, is very much governed by PCI and EMV, the same way it is a reality for any other Terminal-OEM and merchant acquirer. And this is in fact what we see on the Android side but it’s not really what we see on the Apple side. Apple decided that it would take the full responsibility of the PCI scope – in other words, it controls every aspect of the security from the hardware to the payment kernel and all relevant encryption. Because of that, it can only provide limited acceptance functionality, essentially only the global, traditional schemes, such as Visa, Mastercard, American Express, etc. are supported (for now at least). Apple’s secret sauce is leveraging tokenisation which in many ways is the same functionality that is used in ApplePay except in reverse. I tried to illustrate the difference in the _very_ simplified diagram below.
Apple is supposedly taking the complete PCI scope, this is typically the domain of acceptance providers, acquirers and impacts the underlying protocols used to communicate. While Apple owns the token or the tokenised PAN, it doesn’t know anything about the transaction, and that is on purpose because Apple doesn’t really want to enter the space of merchant acquirer, it simply wants to provide the necessary tooling for it because it’s ambitions are of course to sell more iDevices and given the existing ecosystem that does seem to make sense. In addition, it would seem it could have a rather dramatic impact for acquirers, if they no longer have to be concerned with PCI for these devices.
There is one more thing to consider: Apple may just release its own Terminal-like iPad. A new tabletop iDevice with a robotic limb is supposedly in the works, as reported by Bloomberg. This is of course pure speculation but an iPad (as does the iPhone) already makes for a pretty good POS device given that large ecosystem of POS software and frontends to enterprise software, add the ability to accept NFC and you might just have an interesting proposition. Further, because Apple would control the PCI scope, it would leave room for third-party providers to add local payment schemes that may not be part of PCI or simply decide that they can manage security on their own or differently altogether. In other words, this could also have the potential to segment or fragment the combination of EMV+PCI+protocols. It would then also change how we currently deploy these devices or do firmware updates because it would either be an update by Apple or by any locally run payment scheme. If other Terminal OEMs follow a similar principle, it could dramatically alter the payment landscape and shift focus (again) more to the acceptance side and Terminal OEMs - in other words, the software ecosystem on these iOS or Android devices could be fully explored, and maybe some of the added-value on the acquiring side could move forward to be served through acceptance providers. This doesn't mean we won't need acquiring, and likewise it doesn't mean acceptance providers wouldn't need an e-money licence, but through the use of modern and modular operating systems, I could envision more agility and much better customisation. The key question to me is if the powers that be allow PCI ownership to move entirely to the vendor OEMs - be that Apple, or any Android Smart POS vendor.
Now, we have known for some time that Apple will be entering this space (and has in fact in some markets) with the iPhone given the acquisition of Mobeewave. What is different to the Android ecosystem, however, is that Apple is again controlling every aspect surrounding the user experience. Let me try to reach a bit further and just to be clear: I’m not an expert when it comes to Terminal hardware and PCI security. Further I have not signed an NDA with Apple, so a lot of this is from my own investigations and extrapolations and I could of course be wrong. I reference PCI and EMV, however, I will not go into the details of these organisations and their frameworks because it will make this post unnecessarily long. But PCI and EMV are standards and requirements to ensure the security, hardware requirements, software requirements and protocols to make payment acceptance work end to end, globally.
Which brings me to the point that SoftPos or the payment acceptance on Android phones, is very much governed by PCI and EMV, the same way it is a reality for any other Terminal-OEM and merchant acquirer. And this is in fact what we see on the Android side but it’s not really what we see on the Apple side. Apple decided that it would take the full responsibility of the PCI scope – in other words, it controls every aspect of the security from the hardware to the payment kernel and all relevant encryption. Because of that, it can only provide limited acceptance functionality, essentially only the global, traditional schemes, such as Visa, Mastercard, American Express, etc. are supported (for now at least). Apple’s secret sauce is leveraging tokenisation which in many ways is the same functionality that is used in ApplePay except in reverse. I tried to illustrate the difference in the _very_ simplified diagram below.
Apple is supposedly taking the complete PCI scope, this is typically the domain of acceptance providers, acquirers and impacts the underlying protocols used to communicate. While Apple owns the token or the tokenised PAN, it doesn’t know anything about the transaction, and that is on purpose because Apple doesn’t really want to enter the space of merchant acquirer, it simply wants to provide the necessary tooling for it because it’s ambitions are of course to sell more iDevices and given the existing ecosystem that does seem to make sense. In addition, it would seem it could have a rather dramatic impact for acquirers, if they no longer have to be concerned with PCI for these devices.
There is one more thing to consider: Apple may just release its own Terminal-like iPad. A new tabletop iDevice with a robotic limb is supposedly in the works, as reported by Bloomberg. This is of course pure speculation but an iPad (as does the iPhone) already makes for a pretty good POS device given that large ecosystem of POS software and frontends to enterprise software, add the ability to accept NFC and you might just have an interesting proposition. Further, because Apple would control the PCI scope, it would leave room for third-party providers to add local payment schemes that may not be part of PCI or simply decide that they can manage security on their own or differently altogether. In other words, this could also have the potential to segment or fragment the combination of EMV+PCI+protocols. It would then also change how we currently deploy these devices or do firmware updates because it would either be an update by Apple or by any locally run payment scheme. If other Terminal OEMs follow a similar principle, it could dramatically alter the payment landscape and shift focus (again) more to the acceptance side and Terminal OEMs - in other words, the software ecosystem on these iOS or Android devices could be fully explored, and maybe some of the added-value on the acquiring side could move forward to be served through acceptance providers. This doesn't mean we won't need acquiring, and likewise it doesn't mean acceptance providers wouldn't need an e-money licence, but through the use of modern and modular operating systems, I could envision more agility and much better customisation. The key question to me is if the powers that be allow PCI ownership to move entirely to the vendor OEMs - be that Apple, or any Android Smart POS vendor.
Let's see what happens.
Comments
Post a Comment