For physical transactions there's barrier of hardware and network effect - everybody has card terminal. Users expect near 100% acceptance for them to use payment method daily.
If you consider creating own NFC payment app instead of Google/Apple Pay - that's actually possible, but more expensive and often disliked by the users due to inability to easily switch between cards issued by different apps.
Is it? Last time I checked, Apple & Google were also interfacing with banks on the server side, i.e. banks had to integrate with Apple/Google specifically. I'd love to be wrong, though.
It's even better than NFC because a small store can print their QR code on a piece of paper and not need to buy a terminal. Most stores just have the normal card terminal print the QR code and people scan it.
The last time I looked at it, it was not possible because Android doesn't let apps control the uid that gets used for NFC.
Either way, even if apps had full control over the chip, my understanding is that building a wallet app would still amount to much more than just interfacing with the NFC chip.
The TWINT app says -- if their promo videos are to be trusted -- "Scan only QR codes from trusted sources and check the receiver of the payment in the next step". That doesn't fill me with confidence :(.
A dynamic QR code could be fine -- they have their app, you're able to bootstrap what is effectively a secure channel between the PoS machine and the app to give the vendor confidence their device has received payment and the consumer confidence that they're paying the right vendor. A static QR code is more challenging, and it sounds like they're putting more weight into social protections than I'm comfortable with -- especially considering a technical solution is possible and exists.
I'm especially wary of the warning that individuals can't have QR codes. Why not? Unless it's part of the social protection. But I can personally accept NFC contactless payments (having opened an account with a suitable provider), and indeed I bought a device which means I can accept chip and PIN payments too.
That's not related to ability to create own app - on both ios and Android you can access NFC hardware directly (on iOS it's limited geographically), and send card data as you see fit - Google & Apple do nothing in such case.
* The vast majority of the payments (almost all of them) are done with dynamic QR codes.
* The static QR code is mostly used by very, very small entities. Like the person asks you to scan their code, enter the amount and show them the confirmation. It is in their interest to show the right QR code.
* Sending money to a friend is done with the phone number as an id. It works, but you need to enter the mobile phone number of the receiver.
* There is one situation where static codes are printed and where phishing has been reported (it's not MITM, it's really just a QR code that sends you to a bad website): when paying for parking. You don't have to use it if you don't feel comfortable, and it is possible to feel comfortable because it actually just opens a website (so if you use it regularly you can learn to check that you are on the legit website before you make the payment).
Overall, it is super popular and it works really well. No need for NFC, and no need to install the Google Play Services \o/.
For technical side - there are companies selling complete SDKs.
While I've known that building a wallet is not as simple as configuring the NFC chip and one would have to interface with banks on the backend etc., I've failed to understand exactly why. What prevents a phone from emulating a regular physical credit card?
What it means - you cannot obtain working card profile if bank doesn't issue it to you. Therefore you need blessing from bank & card scheme to be connected to this ecosystem.
If you want to go deeper into this rabbit hole I can recommend two sources:
* https://developer.mastercard.com/product/mdes - Mastercards framework for tokenization
* https://developer.verestro.com/books/token-requestor - actual solution. It focuses on offering for single issuer, because market for Google Pay competition is pretty narrow, but technically it's mostly the same + way more red tape.
If you ever decide to try - ping me, I happen to know a few guys there :-)
If this were possible fraudsters would be easily be able to clone people's cards by getting close to them. The protocol was explicitly designed for this to not be possible. There are secrets that live on the card itself and are not exposed
A counter-point might be that my credit card doesn't require Google Play Services either. And won't run out of battery. And works with all the local businesses, including the smallest -- while there are some people (mostly outside cities) who still only take cash, I can't imagine them signing up for TWINT either.
There are several providers of services allowing individuals and small traders to accept credit and debit cards, and I've happily accepted cards from foreign banks too.
I'd be sceptical of anything like TWINT catching on in the UK, because NFC payments are already ubiquitous and also really easy to use.
I didn't say you have to like them. But if you claim they are insecure, I feel like it's my right to note that you may be wrong.
> A counter-point might be that my credit card doesn't require Google Play Services either.
That is not exactly a counter-point in a discussion between a mobile app doing NFC and a mobile app using QR codes, is it?
> I'd be sceptical of anything like TWINT catching on in the UK, because NFC payments are already ubiquitous and also really easy to use.
That's another question. My original point was that non-US banks should not depend on Google Play Services or Apple Pay (which at least until very recently was the only way to pay with NFC on iPhones, wasn't it?).
Behaving like a credit card does not mean that the credit card is clonable.
With some luck it will be even routed to your bank. Then it will fail due to invalid authentication. I think there's a defcon talk on YouTube that details the exchange.
> If you ever decide to try - ping me, I happen to know a few guys there :-)
Ha, I have actually been entertaining that idea for quite some time, but it seems rather difficult to penetrate that domain as an outsider. The links you shared only seem to confirm that. :-\ I'm not sure I would even want to compete with the Google/Apple Pay duopoly, for now I'd mostly just be interested in an open-source, privacy-preserving solution for contactless payments.
Anyway, you might want to add your contact info to your HN profile – just in case. ;-)