The well-publicized Google Wallet hacks from last week are among the least of Google's problems with its wallet.

The mobile wallet remains much more secure than the leather variety and the mag-stripe cards U.S. consumers now carry.

Of course, perception becomes reality when it comes to security fears among consumers, many of whom are already skittish about paying with their smartphones. If the steady stream of largely cloned stories warning of the dangers of the Google Wallet continue from the tech and mainstream press, it's one more challenge Google faces in getting its wallet rolled out widely. 

But the challenges for Google run much deeper than PIN hacks. Google's biggest problem is that it needs to find a way to get more devices to support its wallet and more merchants to accept it. 

And the recent discovery by some Android tech sites that subscribers could download the Google Wallet app to their Samsung Galaxy Nexus on both the AT&T and Verizon Wireless networks–the latter with a few workarounds–will do little to reinvigorate the wallet

What’s needed is a new strategy, and I hear that’s what Google is formulating now. 

I understand there has been much internal debate over necessary changes, and it has helped lead to more departures from the Google Wallet team. The latest to go are the co-founding engineers, Rob von Behren and Jonathan Wall, NFC Times has learned. They remain senior software engineers at Google. Both had started working on the wallet in 2009.

In response to a question from NFC Times, a Google spokesman would only say that “it’s common practice at Google for people to move between teams,” adding: “We typically don't share much detail about our internal operations.” The LinkedIn pages for both von Behren and Wall indicate the pair left the wallet project last month.

The spokesman did not respond to a question on whether Google was reorganizing its wallet unit.

Although the exact reason for the exit of the engineers is unclear, it might have something to do with the structure of the wallet they built and whether they have the support of upper management on ways to change it.

This probably has nothing to do with the hacks of last week, which appear to have caught Google by surprise. The company is working on fixes and temporarily suspended provisioning of its prepaid card to the wallet until the fix is in place. Update: Google said late Tuesday that it had restored the ability to issue prepaid cards after implementing a fix. End update.

Among the deeper issues are how the wallet works with the secure elements in NFC phones, and how open the wallet application-programming interface is for Android developers.

Secure Element Issues
The secure element and Google’s need to control it is one of the main challenges the Web giant faces as it tries to get more handsets into consumers’ pockets supporting the wallet. Google needs to control the secure element for both payment and such other wallet applications as coupons, loyalty programs and daily deals, even though these latter applications require less security.

One of the recent hacks does touch on the secure element. Web security firm zvelo, which demonstrated the first and more complex of the two PIN hacks, recommends that Google verify the wallet PIN on the secure chip, not outside it, as it does now. If Google were to follow that advice, it would need even more control of the secure element or would have to outsource PIN verification to banks using the chip, said the firm–creating more logistical problems.

Of course, we are not talking about PINs or encryption keys for the payment applications themselves here that, once cracked, would enable hackers to clone new cards or print money. It's just the PIN unlocking the wallet and allowing the phone to transmit payment account details to the terminal. There are the same purchase limits and zero-liability for the payment applications in the wallet as apply to contactless cards. And consumers could add a screen lock PIN to make it even more difficult for a thief to profit if he were to steal a user's phone.

Google probably added the Wallet PIN in the first place as a way to ease security fears among anxious consumers. If so, that idea has backfired.

The more important reason Google needs to control the secure element or at least have access to it is not only to safeguard the payment application, but for the search giant to enable its concept of letting consumers pay as well as redeem Offers, coupons and rewards in a SingleTap. This underpins the Google Wallet experience the company is after and is important to the company's revenue model. Google will make money from sending targeted offers and promotions and needs to make the experience convenient.

This is a problem, however, since mobile operators are in the driver’s seat when it comes to the secure chips in the NFC phones they sell. 

And mobile operators, including the two largest telcos in the U.S., Verizon and AT&T, but also those in Europe and Asia, are not so keen on seeing the Google Wallet succeed–though the Web giant has prospects for the wallet in Japan. Overall, major telcos in most developed countries have their own NFC m-wallet plans.

The carriers have full control over SIM cards used as secure elements. And in some phones–such as the NFC version of the popular Galaxy S II from Samsung–this is the only secure element available, not counting a possible add-on technology using microSD cards.

Therefore, it would be difficult for Google to gain support for its wallet on these phones, though the Web giant continues to negotiate access with operators.

But even phones with embedded secure elements will likely come under the control or strong influence of telcos, because carriers buy and distribute most of the phones in developed markets. That is especially true in the U.S.

This is why Google had to comply when Verizon asked it not to include the wallet functionality in the Galaxy Nexus phones destined for Verizon shops and not to include the wallet in the Android Market app store for Verizon subscribers.

Some Verizon users, nonetheless, found a workaround to get the wallet onto their Galaxy Nexus phones, which have an embedded secure element. AT&T didn’t try to block the wallet, instead allowing subscribers to download it to the phone directly from the Android app store if they searched for it there. But AT&T is doing nothing to promote the availability of the wallet to its customers.

These are among the first shots fired in the brewing wallet wars in the U.S. and beyond. AT&T, like Verizon and T-Mobile USA, is a member of the Isis consortium. All plan to launch their own Isis NFC wallets later this year, so are discouraging take-up of the Google Wallet.

Even though the Galaxy Nexus, like the Nexus S before it, is Google’s own smartphone, made for it by Samsung, I had thought that Verizon and AT&T would demand that Google hand over the keys to the embedded chip in exchange for the telcos subsidizing and distributing the device to customers. But Google retains the keys, otherwise users would not be able to get the wallet to work on the phones.

AT&T Not a Google Wallet Partner
Verizon took flak from some consumer groups and influential bloggers after Google outed its efforts to block the wallet. AT&T, on the other hand, decided it wasn’t worth risking a backlash, observes U.S.-based m-commerce analyst Cherian Abraham. So the telco allows the wallet to appear in the Android app store for its subscribers.

But this in no way makes AT&T a Google Wallet partner, notes Abraham. The only U.S. carrier that supports the wallet so far is Sprint, which will have a couple more phones, including a 4G LTE version of the Galaxy Nexus, available to host the wallet by the second quarter.

But relying on Sprint, the No. 3 U.S. carrier, to spread the Google Wallet widely among U.S. consumers is not a winning strategy. And it won’t help much even if Google is able to install the wallet on all of its future Motorola-made Android phones.

Limited Reach Versus Isis
Therefore, Google with its present wallet strategy, will not be able to compete with the reach of Isis, whose three telcos control about three-quarters of the U.S. cellular market and buy 130 million phones a year.

Isis has already announced that six major handset makers will have models supporting its wallet. That and Isis’ greater ability to scale up its platform has convinced some large U.S. banks, such as JPMorgan Chase, to put their payment applications in the Isis wallet, as NFC Times has reported. Plans call for Isis to launch in two U.S. cities this summer before a national rollout planned for next year. Meanwhile, Citigroup remains Google’s only banking partner, though the bank’s key wallet backer and point man, Dickson Chu, departed last fall.

“Google, with a fragmented Android ecosystem and (facing) a growing carrier clout may either have to make peace with competing NFC models, such as Isis, or embrace the cloud,” Abraham told NFC Times.

Cloud-based payment at the physical point of sale would use the Internet, not the conventional POS terminal network at the checkout counter, and is a strategy that PayPal is pursuing as it seeks to make the jump from the online to offline payment worlds.

PayPal hasn't rejected NFC technology, however, as recent reports suggest, PayPal tells me. It plans to use the technology when it’s more pervasive at the point of sale. Until then, it will pursue cloud-based payment to tie PayPal accounts to consumers, who would enter their phone numbers and PINs into terminals.  

Google likely will embrace the cloud, too, to enable purchases at the physical point of sale with its wallet, believes Abraham. It has already integrated its unsuccessful e-commerce payment system, Google Checkout, into the wallet.

Von Behren and Wall are not the only ones to exit the Google Wallet team recently. AllThingsD reported two weeks ago that Vikas Gupta, Google’s head of commerce, had left Google. He had reported to Osama Bedier, vice president of payments, according to the publication, which said Bedier would take on an even larger role in the wallet because of the move by vice president of commerce Stephanie Tilenius to a more global position at Google.

Push for Open Platforms
Bedier has argued for open platforms when it comes to mobile wallets–mainly alluding to Isis, which Google believes is restricting consumer choice.

But Bedier now has an opportunity to make Google even more open, itself, especially its wallet API, which remains unpublished in the Android open-source platform specifications. Google has said it doesn’t publish the API for security reasons. It was not clear where the engineering people stood on opening up the API.

Google’s problems with the wallet, however, go well beyond open APIs and the work of the engineers. At present, the Nexus S 4G remains the only phone officially supporting Google wallet, since it launched last September.

Besides the scarcity of NFC phones supporting the wallet, Google also must convince wary merchants to trust it with their customer data–one reason there are few point-of-sale terminals accepting payment, as well as offers, coupons and loyalty programs. These nonpayment applications are the incentives that will get consumers more excited about using the wallet.

But the terminals must be upgraded with NFC chips and new software–old contactless-payment terminals won't support SingleTap. Google, however, has said it isn't planning to pay for a large rollout of the terminals. That would leave merchants on the hook for the cost, unless banks or payment networks agreed to pay for them.

And Google also needs to recruit more service providers, such as banks and transit operators, while finding ways to ensure a consistent user experience for the wallet across a range of devices.

I've no doubt that Google and its partners are meeting to discuss these and other topics as they try to chart a new strategy for the wallet. They will have plenty to talk about.