Although Apple’s payments announcement on Tuesday was not a surprise, the platform’s mechanics were largely unknown before Tim Cook’s on-stage introduction at the Flint Center in Cupertino. Cook set the context for Apple’s payments vision quite accurately:
“Most people that have worked on this have started by focusing on creating a business model that was centered around their self-interest instead of focusing on the user experience. We love this kind of problem. This is exactly what Apple does best. And so, we’ve created an entirely new payment process and we call it Apple Pay.” ((http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/))
Security has been increasingly central to user concerns about all electronic payments processes, and this week’s confirmation of another large data breach at Home Depot has kept the focus on a threat that is arguably unsustainable if we are to avoid a crisis of confidence in consumer payments. So Apple’s introduction of a payments process that goes further than others in mitigating risks at both the physical and virtual points of sale is a very big deal indeed.
Let’s have a quick look at how Apple Pay works. Transactions are authorized using the biometric finger print detection functionality that’s on the latest iPhones, and that’s only after a user has entered a PIN to log on to the device. So we start with biometrics, a strong plus. Cook explained:
“…when you add a new credit card, we don’t store the credit card number, we don’t give it to the merchant.
“We create a device-only account number [token] and we store it safely in the secure element and each time you pay, we use a one-time payment number [dynamic payment token] along with a dynamic security code so you no longer have the static code on the back of your plastic card and if your iPhone is lost or stolen, you can use Find my iPhone and suspend all of the payments from that device… Now, security is at the core of Apple Pay, but so is privacy.
“We are not in the business of collecting your data. So, when you go to a physical location and use Apple Pay, Apple doesn’t know what you bought, where you bought it, or how much you paid for it. The transaction is between you, the merchant and your bank. It’s fast, it’s secure and it’s private.” ((http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/))
Apple Pay, then, uses dynamic payment tokens that change with each transaction, a real secure element (no host card emulation), a protocol where no Primary Account Numbers (PANS) are stored anywhere on the device, biometric-only payment authentication and initiation, and an easy to use transaction initiation process that works both at the physical point of sale and in cyberspace. The process uses existing rails and focuses on payments instruments (bank credit and debit cards) that consumers have historically seen as best way to pay. Clearly, there’s a lot here to like, including – for me in particular – the use of dynamic payment tokens, which materially contribute to making the process less risky.
What are the real world issues that could hold back Apple Payments? Although many large issuers are backing the program, many large merchants are not. Walmart and Best Buy, for example, have said they do not plan to participate –at least initially – because of contractual obligations related to their participation in the Merchant Customer Exchange, a retailer owned payments group that is about to launch a QR code based competitive product called CurrentC. CurrentC will support debit functionality linked to a customer’s checking account (de-coupled debit), retailer branded credit and debit cards, and retailer branded gift cards – but not general purpose bank credit or debit cards. Other major merchants who are leading the Merchant Customer Exchange include CVS, Loews, Publix Supermarkets, Target, Sears, Shell, and Sunoco. None of these merchants are likely to be near term Apple Pay participants.
Then, of course, there are other payments competitors, such as Amazon and PayPal, which have not announced whether they plan to play in Apple’s sandbox.
No new product entry is a sure thing, Apple Pay included, but we think Apple Pay is currently about as good as it gets in terms of a customer-centric, easy to use, and secure payments process.
For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.