What does ‘open’ Apple Pay NFC really mean?

Intro
The Apple Pay monopoly debate is a long, complex saga with recent developments. The EU finally issued an official complaint regarding Apple’s so-called ‘closed’ NFC, with PayPal playing a role in that complaint. This post is a summary collection of scattered posts on the subject that I’ll be adding to as the saga evolves.


2019-11-17
The German law to force Apple to open its “NFC chip” is a confusing one. Why does an EU country with one of the lowest cashless usage rates single out one company’s NFC product in a last-minute rider to an anti-money laundering bill? That’s not banking policy, it is politics. Details are few but let’s take a look at what it could mean because when it comes to NFC technology, details are everything.

Background stuff
The so-called Apple ‘NFC chip’ is not a chip at all but a hardware/software sandwich. The Apple Pay ecosystem as described in iOS Security (now updated for iOS 15 and changed from previous versions) is a collection of tightly integrated and polished pieces: Secure Element, Secure Enclave, NFC Controller, Wallet and Apple Pay Servers. All of this is wrapped into a slick, easy to use UI with the final security wall of ‘secure intent’.

On one end is the NFC chip controller front end that handles NFC A-B-F communication but does not process transactions; on the other end is the Secure Enclave, which oversees things by authorizing transactions. The fun stuff happens in the Secure Element middle, where the EMV/FeliCa/MIFARE/PBOC transaction technologies perform their magic with Java Card applets.

The Apple Silicon Secure Enclave and Secure Element are the black box areas of Apple Pay. Apple’s custom implementation of Mobile FeliCa, and Apple’s ability to update their Secure Element to support new services like MIFARE in iOS 12, strongly suggest a GlobalPlatform licensed embedded secure element built into Apple Silicon, but it is anybody’s guess. Apple would like to keep it that way.

So what does ‘open NFC’ really mean?
It’s helpful to look at the issue from the 3 NFC modes: Card Emulation, Read/Write, Peer to Peer.

Peer to Peer
Apple has never used NFC Peer to Peer and I don’t think this is a consideration in the ‘open NFC’ debate.

Read/Write
This was a limitation up until iOS 12, but everything changed when iOS 13 Core NFC gained Read/Write support for NDEF, FeliCa, MIFARE, ISO 7816 and ISO 15693. Developers can do all the NFC Read/Write operations they want to in their apps. I don’t think this is a consideration in the ‘open NFC’ debate.

Card Emulation and the secure element
Apple limits NFC Card Emulation to Apple Pay Wallet with NDA PassKit NFC Certificates (now called secure element passes). Any developer can apply for an NFC certificate but Apple is the gatekeeper. This is what the ‘open NFC’ debate is all about.

The German banks and other players want to bypass the PassKit NFC Certificate controlled Apple Pay ecosystem and load their own applets into the iPhone Secure Element. They want open access to the parts they want, like Secure Element, NFC Controller, Secure Enclave, and to ignore the parts they don’t want, like Wallet and Apple Pay Servers. They want the right to pick and choose, and use the Secure Element without paying Apple or the payment technology partners Apple licenses from (EMV, FeliCa Networks, etc.).

The success of Apple Pay has been founded on the ease of use and high level of integration from a massive investment in the A/S Series Secure Enclave and other in-house implementations such as global FeliCa, etc. Outside players forcing Apple to open up the Apple Pay ecosystem represent not only a security risk to Apple but also a reduced return on investment. Apple took the time and expense to build a first class restaurant and outsiders are demanding the right to use Apple’s kitchen to cook their own food to serve their own customers in Apple’s restaurant.

The NDA PassKit NFC Certificate gate entrance rubs bank players the wrong way as they are used to dictating terms, not accepting them. The Swiss TWINT banking and payment app for example is a QR Code based Wallet replacement that wanted the ability to switch NFC off, and got it.

It’s certainly in Apple’s best interest to make it as easy as possible for 3rd party developers to add reward cards, passes, ID cards, transit cards, etc. to Wallet. However, given that the EU is hardly a level playing field, the fact that bank players and politics go hand in hand in every nation, and the fact we don’t know the technical details of what the German law is asking Apple to do, all we can do is guess. In general, I think Europe will be a long rough ride for Apple Pay. At least until EU bank players get deals, and branding, they are happy with.


The Apple Pay EU antitrust investigation

2020-06-18
The EU antitrust investigation of Apple Pay boils down to this: does Apple have the right to be the gatekeeper of its Embedded Secure Element (eSE) in Apple Silicon, does Apple ‘own’ it? As of iOS 13 any Apple Pay eSE transaction that involves payments, transit, identity cards and contactless passes requires a PassKit NFC Certificate.

Apple has put massive effort and resources into making Apple Pay an easy, seamless experience. Users don’t have to think about EMV, FeliCa, MIFARE, or NFC flavors. It just works. The price for using this is that 3rd party card and pass developers have to obtain an NDA PassKit NFC Certificate, reside in Wallet, and share a transaction cut with Apple. Apps are free to use iOS 13 Core NFC tag reading enhancements but NFC eSE transactions are not allowed, unless they have inner sanctum NFC Certificate access.

Australian banks fought Apple Pay in 2017 and complained to the Australian Competition and Consumer Commission (ACCC), insisting that direct NFC access for their apps is a ‘right’, but lost. The EU antitrust investigation will likely follow a similar path and attempt to force Apple to: 1) allow apps to access the eSE for payment transactions without using Apple Pay or Wallet, 2) lower fees for the 3rd party players who use Apple Pay.

We’ll see how it plays out. We’ll also see if Apple has any iOS 14 Apple Pay changes in store. I agree with the spot take of Junya Suzuki, whose knowledge of the payments market, the players and the technology is second to none, that the EU would never demand the same thing of Samsung or Huawei that they are demanding from Apple. In other words, politics.


The Apple Pay monopoly debate: are we really comparing Apples with Apples?

2020-08-15
Ruimin Yang’s wonderfully detailed post, “Apple Pay monopoly, are we really comparing ‘Apples’ with ‘Apples’?” outlines the entire Apple Pay system architecture, how it compares to other digital wallet platforms (Google Pay, Samsung Pay), and what ‘open vs closed’ means in the whole ‘Apple Pay is a monopoly’ debate. I highly recommend it if you have any interest in digital wallet payments.

As Yang explains, ‘open’ is not easily defined and the options are not easily implemented, especially when it comes to Apple’s highly customized and constantly evolving Apple Pay platform built on the Apple Silicon Secure Enclave and Embedded Secure Element. Apple has spent a lot of time, money and effort in building the Apple Pay brand as the high benchmark standard for secure, private and easy to use digital wallet transactions and services. It is not your standard off the shelf NFC + Secure Element package.

It is telling that Germany, a country with one of the lowest rates of credit card use and whose banks fought to keep Apple Pay out, is pushing for ‘open NFC’ the most. It sounds like an industry-wide development but it’s really aimed at Apple Pay.

This is European business politics in the age of digital wallet wars: mobile payments and digital wallets have disrupted everything and the traditional players, banks and card companies, i.e. the real gatekeepers, are doing everything they can to keep the upper hand by using the open NFC argument to force their own branding on Apple’s platform in place of Apple Pay.

In the European tradition, regulation is invariably the go-to strategy for keeping the status quo. I still think Junya Suzuki has it right: the EU would never demand the same thing of Samsung or Huawei that they are demanding from Apple. In other words, politics.


My Cousin Apple Pay

2021-10-08
So the EU is going ahead with ‘open NFC’ antitrust charges against Apple. As posted back in August 2020, the whole open vs closed debate is not easy to define. It’s probably easier to look at it from the simplistic App Store debate of letting developers bypass Apple’s in-app payment mechanism to avoid paying the ‘Apple Tax’, because that’s the box most people will understand.

We’ve already seen banks and Apple chafing over transaction fees on multiple occasions, the latest being ‘Banks Pressuring Visa to Cut Back on Apple Pay Fees’ because Apple dared release their own credit card under the Mastercard brand via Goldman Sachs. German banks and Australian banks in particular demand the right to use iPhone NFC in their own payment apps instead of Wallet so they can harvest the user data they can’t get via Apple Pay and drop Apple Pay support altogether in favor of their own proprietary payment apps (our exclusive card comes with our exclusive app). But there’s an aspect of the ‘open’ argument that will not be discussed by EU regulators, the banks and credit card companies.

I’ve been watching ‘My Cousin Vinny’ a lot recently. I love the courtroom scenes with Joe Pesci’s Vinny character turning the prosecution arguments upside down. There’s a key scene early on when Vinny uses a pack of cards to convince Ralph Macchio’s character to give Vinny a chance to defend him: ‘the prosecutors are gonna show you bricks with solid straight sides and corners, but they’re going to show them in a very special way’ so that judge and jury see bricks instead of playing cards, which is what ‘open NFC’ arguments are: paper card illusions.

NFC is just hardware, it’s worthless without the software protocols that drive it. NFC also has different definitions. The bank industry defines NFC as NFC A-B ISO/IEC 14443. The NFC Forum defines NFC as NFC A-B-F for device certification. On the protocol side the bank industry defines NFC as EMV because this is their industry standard created and managed by EMVCo (Europay-Mastercard-VISA initially, now collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa).

The Vinny brick
Are EU regulators going to argue that ‘open NFC’ is defined as NFC A-B-F on the hardware side and EMV, MIFARE, FeliCa protocols on the software side? Of course not. They will narrowly define their Vinny brick as NFC A-B and EMV, and maybe Calypso, as that protocol is used in France for transit. Why would they do that?

It’s very simple. European banking interests don’t want to pay transaction fees to Apple, the Apple Pay tax. They want to cut out the middle man with their own exclusive apps and harvest user data. They don’t want inconvenient questions such as why there are all those different NFC standards and protocols out there, how this came to be and what really constitutes ‘open’. Why did the ISO/IEC Joint Technical Committee choose Philips NFC-A and Motorola NFC-B while shutting out Sony NFC-F? Was that part of creating an ‘open’ and level NFC playing field on the global marketplace? Of course not, it was about playing favorites while shutting Sony and Japan out of the game. Now they want to do the same to Apple Pay. I still think Junya Suzuki is right: the EU will never demand the same thing of Samsung Pay or Huawei Pay that they are demanding from Apple.

Ignoring the game platform comparison
Sawada Sho tweeted a thoughtful question recently regarding the App Store in-app payment controversy. He pointed out that gaming and other platforms charge developers a great deal of money for hardware and software access, and nobody questions that. Apple offers a lot of access for a very low price; is it fair to demand free passage on the App Store because it is Apple? Sho san thinks the Apple transaction cut is a fair tradeoff. Some tech writers have occasionally asked the same basic question: what’s fair?

EMV, MIFARE and FeliCa all have licensing and certification fees that all customers (developers) pay. Apple has gone to a lot of expense licensing those technologies in addition to licensing a GlobalPlatform Secure Element that they build into their own Apple Silicon. Those costs are recouped by Apple Pay transaction fees and fund future developments like digital keys with UWB, ID and other Wallet goodies we’ll get later on in the iOS 15 cycle. I’ve said it before and say it again: Apple took the time and expense to build a first class restaurant and outsiders are demanding the right to use Apple’s kitchen to cook their own food to serve their own customers in Apple’s restaurant.

I guess EU regulators want to give those away to EU banking interests and let them have their way in the interest of ‘open standards’ that they define and end up protecting the home turf. That sounds like a good deal to me.


Related
If you want to understand how hot the whole ‘who owns the secure element’ debate is and the lengths that 3rd parties are willing to go to gain control, check out:
Contactless Payment Turf Wars: the Smart Navigo HCE power play
How much will Smart Navigo HCE suck?