Apple Pay hit the streets with the release of iOS 8.1 the week of October 20th and, at least at the physical point of sale, the mechanics largely seem to be working as planned. With the exception of about 1000 Bank of America customers who experienced quickly corrected duplicate charges, there have been few reported issues with in-store use.
That’s not to say the customer experience has been uniformly ideal. I’ve used Apple Pay twice at launch partner merchants. At both merchants, the clerks knew nothing about Apple Pay, and one of the two clerks told me flatly the service would not work. In fact, Apple Pay worked perfectly at both locations. At a third merchant, also a launch partner, no one knew what Apple Pay was (one person behind the counter thought I was asking for apple pie) and the location had no customer-facing terminal that could possibly work with the service. A quick call to the merchant’s headquarters revealed that the chain still had 3,000 locations (a small minority of its U.S. sites) to convert, and that it hoped to have that work done quickly.
Despite the hiccups, my early experience with Apple Pay suggests that the service really is easier and faster than using plastic at the point of sale. With less friction of use and more security than other payment methods offer, we might expect Apple Pay to be a sure winner. But other events in the last week or so suggest there is a battle ahead, and that security may not be uppermost in the minds of all players.
We’ve seen two major drug store chains, CVS and Rite Aid, generate headlines by turning off sporadically available Apple Pay access after some customers reported successful use, even though neither chain had ever signed up for Apple’s new service. Merchants associated with the Merchant Customer Exchange (MCX), including CVS and Rite Aid, are behind an alternative wallet, CurrentC, which does not allow payments from bank-issued debit or credit cards. Although MCX merchants in the past have been vocal about the lack of security around credit and debit card transactions, their early absence from the Apple Pay ecosystem suggests that there is more than security at stake for these stakeholders. By avoiding bank-issued credit and debit cards and relying only on decoupled debit (with customer checking account data stored in the cloud) and merchant-issued credit cards, MCX is betting its merchants can provide enough of a value proposition to avoid customers being concerned about the heavy personal information use and data storage issues the wallet may generate.
On October 28th MCX announced that it had been hacked and that testers’ email addresses had been compromised (see http://www.mcx.com/blog/1028-email-incident-report/). MCX also said on Wednesday that it would not fine retailers if they chose to leave the group.
Readers can find a summary of how MCX works at: http://techcrunch.com/2014/10/25/currentc/
For information about Apple Pay mechanics, see the article below, originally posted on September 12th.
Apple Pay – And Dynamic Payment Tokens
(originally posted on Shared Assessments Authorities on Risk Assurance September 12, 2014 blog)
Although Apple’s payments announcement was not a surprise, the platform’s mechanics were largely unknown before Tim Cook’s on-stage introduction at the Flint Center in Cupertino. Cook set the context for Apple’s payments vision quite accurately:
“Most people that have worked on this have started by focusing on creating a business model that was centered around their self-interest instead of focusing on the user experience. We love this kind of problem. This is exactly what Apple does best. And so, we’ve created an entirely new payment process and we call it Apple Pay.” (http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/)
Security has been increasingly central to user concerns about all electronic payments processes, and the confirmation of another large data breach at Home Depot has kept the focus on a threat that is arguably unsustainable if we are to avoid a crisis of confidence in consumer payments. So Apple’s introduction of a payments process that goes further than others in mitigating risks at both the physical and virtual points of sale is a very big deal indeed.
Let’s have a quick look at how Apple Pay works. Transactions are authorized using the biometric fingerprint detection functionality that’s on the latest iPhones, and that’s only after a user has entered a PIN to log on to the device. So we start with biometrics, a strong plus. Cook explained:
“…when you add a new credit card, we don’t store the credit card number, we don’t give it to the merchant.
“We create a device-only account number [token] and we store it safely in the secure element and each time you pay, we use a one-time payment number [dynamic payment token] along with a dynamic security code so you no longer have the static code on the back of your plastic card and if your iPhone is lost or stolen, you can use Find my iPhone and suspend all of the payments from that device… Now, security is at the core of Apple Pay, but so is privacy.
“We are not in the business of collecting your data. So, when you go to a physical location and use Apple Pay, Apple doesn’t know what you bought, where you bought it, or how much you paid for it. The transaction is between you, the merchant and your bank. It’s fast, it’s secure and it’s private.” (http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/)
Apple Pay, then, uses dynamic payment tokens that change with each transaction, a real secure element (no host card emulation), a protocol where no Primary Account Numbers (PANs) are stored anywhere on the device, biometric-only payment authentication and initiation, and an easy-to-use transaction initiation process that works both at the physical point of sale and in cyberspace. The process uses existing rails and focuses on payments instruments (bank credit and debit cards) that consumers have historically seen as the best way to pay. Clearly, there’s a lot here to like, including – for me in particular – the use of dynamic payment tokens, which materially contribute to making the process less risky.
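A simplified model of the token flow described above, added here as an example; it is not from the original article and is not Apple's or the card networks' actual algorithm. It assumes an HMAC-based per-transaction code tied to a transaction counter, and the names `Issuer`, `SecureElement` and `dan` (device account number) are hypothetical.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, dan, counter, amount_cents):  # per-transaction code (illustrative)
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:  # hypothetical token vault: only place that maps a token to the PAN
    def __init__(self):
        self.vault = {}
    def provision(self, pan):
        dan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[dan] = {"pan": pan, "key": key, "last": 0, "suspended": False}
        return dan, key  # goes into the secure element; the PAN does not
    def suspend(self, dan):  # e.g. after the phone is reported lost
        self.vault[dan]["suspended"] = True
    def authorize(self, msg):
        rec = self.vault.get(msg["dan"])
        if rec is None or rec["suspended"]:
            return "DECLINE_TOKEN"
        if msg["counter"] <= rec["last"]:
            return "DECLINE_REPLAY"  # a captured message cannot be reused
        want = cryptogram(rec["key"], msg["dan"], msg["counter"], msg["amount_cents"])
        if not hmac.compare_digest(want, msg["code"]):
            return "DECLINE_CRYPTOGRAM"
        rec["last"] = msg["counter"]
        return "APPROVE"

class SecureElement:  # device side: holds token and key, never the PAN
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0
    def pay(self, amount_cents):
        self._counter += 1
        code = cryptogram(self._key, self.dan, self._counter, amount_cents)
        return {"dan": self.dan, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}

def demo():
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test PAN
    se = SecureElement(*issuer.provision(pan))
    first = se.pay(1250)  # what the merchant terminal sees
    results = [issuer.authorize(first), issuer.authorize(first)]  # 2nd is a replay
    results.append(issuer.authorize(dict(se.pay(500), amount_cents=50000)))  # altered
    issuer.suspend(se.dan)
    results.append(issuer.authorize(se.pay(700)))
    return results, pan in str(first)
```

In this model a merchant breach yields only the device account number and already-spent codes, which the issuer declines on replay.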
What are the real-world issues that could hold back Apple Payments? Although many large issuers are backing the program, many large merchants are not. Walmart and Best Buy, for example, have said they do not plan to participate – at least initially – because of contractual obligations related to their participation in the Merchant Customer Exchange, a retailer-owned payments group that is about to launch a QR-code-based competitive product called CurrentC. CurrentC will support debit functionality linked to a customer’s checking account (decoupled debit), retailer-branded credit and debit cards, and retailer-branded gift cards – but not general-purpose bank credit or debit cards. Other major merchants who are leading the Merchant Customer Exchange include CVS, Loews, Publix Supermarkets, Target, Sears, Shell, and Sunoco. None of these merchants are likely to be near-term Apple Pay participants.
Then, of course, there are other payments competitors, such as Amazon and PayPal, which have not announced whether they plan to play in Apple’s sandbox.
No new product entry is a sure thing, Apple Pay included, but we think Apple Pay is currently about as good as it gets in terms of a customer-centric, easy-to-use, and secure payments process.
For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.