Apple Pay is extremely likely to finally make mobile payments a reality for regular people. But why?
- What's so special about Apple Pay?
- What market forces are in play that will force change?
- How secure is mobile payment tech?
- What about privacy concerns?
The Road Behind
Let's first focus our discussion by defining mobile payments as a payment transaction that is completed with a mobile device, without any conventional plastic card or other medium.
Many have been working for years to make mobile payments a reality. Google Wallet, for example, was announced and released back in 2011. The app stores debit, credit and other card types and can use Near Field Communication (NFC) to communicate with Point Of Sale (POS) devices to send payment info. It has had its security criticisms and privacy concerns.
PayPal, of course, also has a mobile payments offering for paying in stores. Other specialized apps have also accomplished mobile payments. For example, the Starbucks app uses a barcode displayed on the screen that is read by a barcode scanner at the register.
Meanwhile, Apple decided not to pursue mobile payments until now. Apple Pay is coming this month and is expected to be part of Apple's next event on Oct 16. Apple has previously resisted integrating NFC because, given its immaturity, it had not so far offered customers a valuable feature. In 2013, Tim Cook said that mobile payments were "just getting started" and still "in its infancy". And before that Phil Schiller said "It's not clear that NFC is the solution to any current problem". In 2012 they released Passbook, which now serves as an excellent platform for Apple Pay. Touch ID followed in the iPhone 5s in 2013.
But now Apple has a great reason to use NFC, so the new iPhone 6 and 6 Plus have NFC tech, and the Apple Watch, coming in early 2015, will also support contactless readers in stores. And you can also use Apple Pay within apps to pay for stuff.
Why Apple Pay is special?
The sheer volume of the tech that Apple has unleashed is in itself a noteworthy accomplishment. But, as Apple knows better than anyone, technology must serve to enable a great customer experience, or it serves no purpose at all. This fundamental perspective is why Apple succeeds where others have stumbled and failed.
Just check out the demo of the Apple Pay user experience in the video of the Sept 9th event. It starts at about the 46:40 mark, but it just lasts a few seconds because it's so insanely simple. As it should be… BTW: The current awful payment experience that Apple Pay replaces is at about 44:10.
What makes Apple Pay special, and unique compared to every single other attempt at mobile payments, is that Apple has created a great customer experience by bringing together exceptional technology including Near Field Communication (NFC), Touch ID, Passbook and the big advances they made in security and privacy in Apple Pay. And Apple Pay works from your hand or your wrist with the iPhone 6, 6 Plus and Apple Watch.
The Big Thing
The big leap forward, and the game changer in mobile payments, is the advances Apple has made in security and privacy in Apple Pay. Nothing before it has offered better security and more privacy than Apple Pay. I have experience managing several software development projects for payment services infrastructure, so I understand the great significance of Apple's technology.
All payment systems that you use today, whether in stores or on-line, must get your sensitive credit card information. And all this sensitive information is also completely out in the open printed right on your card. Every time you take out your card, you are exposed to the potential of credit card theft and fraud. And if you store your credit card for re-use, for example in an eCommerce site or mobile app, you're exposed even more because your card info is stored by that merchant.
The Security Delusion
The most dangerous combination of personal information related to credit / debit cards is your name on the card, card number, expiration date and security code / PIN. The security code is also referred to as a card verification code, CVV, CAV and others. It's that 3-digit code on the back of Visa and MasterCards and the 4-digit code on the front of AMEX cards. And PINs are used on debit cards. The security code / PIN is used for authentication in card-not-present transactions like those done on-line.
If a data thief gets this set of data, it's game over. They can buy anything they want, anywhere they want. And in some places a card number and expiration date alone are enough.
You've seen the big headlines of thousands of payment cards stolen, like the recent breaches at companies like Target, Home Depot and now Kmart. These thefts are sometimes data captured over the air, hacks into secured databases, or hacks that install malware that captures data in real time and forwards it out of the store's network. Another approach to stealing payment cards is capturing the data right off the magnetic stripe on cards. The mag stripe is the mother lode - it stores everything.
The somewhat good news for consumers is that there is an industry council that sets security standards. It's called the Payment Card Industry Security Standards Council (PCI SSC), founded by global payment brands such as American Express, MasterCard, Visa, etc. The security standards are known as PCI SSC Data Security Standards (DSS), and the current version of the primary document is called PCI DSS v3.0.
The enforcement is done by the card companies and banks. Independent and self audits attempt to find violations before a thief does. I have seen enforcements made by fining a merchant 100s of 1,000s of dollars until a violation is fixed and charging transaction penalties in higher fees for every transaction. Obviously these efforts don't always work all that great, so… Caveat emptor.
For customers, the security standards could be boiled down to this:
- All payment card data must be fully encrypted when transmitted and stored.
- Security codes and PINs must never be stored anywhere.
- The physical location and systems handling stored data must be tightly secured with physical locks, firewalls and access controls.
If these rules were followed by all merchants, almost no payment cards would ever be stolen. But of course, they aren't. Hence, the Security Delusion.
So the best possible prevention against theft, is for customers to never give anyone their payment card data, ever. Apple Pay makes that possible.
Why does Apple Pay Change the Rules?
Having laid down a foundation, I'll now cut to the chase and summarize why Apple Pay changes everything, and will cause a massive disruption in the payment business.
There is nothing to steal
- Your payment card data is NEVER shared with ANYONE. Only you and the company that issued your card, will ever have it.
- Not even your name is shared.
- Card data is not even stored on the iPhone or Watch.
- Apple isn't even involved in the transaction.
- No one, except of course your payment card issuer, has a record of the payment transaction.
- A merchant that you do not use an account with, cannot track your purchases back to you. If you have only made a payment with the merchant and you do not use an account that identifies you, the payment can never be related to your identity.
How does Apple Pay Work?
There is a good breakdown of how Apple Pay works in relation to security, published by TUAW. It boils down to this: card info is never stored anywhere, except with your card issuer (bank, credit company, etc.). A unique token (number) is generated and stored securely on your iPhone and is useless by itself.
A number of banks are confident in Apple Pay's security, and will be assuming liability for fraudulent purchases.
Regarding privacy issues, Apple has pledged that they will never keep a record of your payment transactions (also stated on the Apple Pay page in the section, Keep your purchases private). And given the way experts expect Apple Pay to work, it looks like Apple's systems may never be involved in payment transactions at all.
In addition, merchants that you do business with regularly using an account that identifies you - such as eCommerce sites and loyalty or frequent purchase programs - will never need to store your credit card data. And they may not even store your token, depending on how all this gets implemented.
Since Apple Pay is not released yet, it's not completely clear how the security standards will work related to token storage. But with the way Apple Pay works to authenticate you with Touch ID at the time of purchase with your fingerprint, it seems totally unnecessary for even an online merchant to store the token ever. Because every time you order something you can authorize payment with your finger and you're done. The exception is scheduled automatic purchases, which may very well not be possible with Apple Pay, and Apple Pay may not be necessary for those kinds of purchases.
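The token model described in this section can be sketched in a few lines. This is an added example, not code from Apple, EMVCo or the original article; the `Issuer` and `Device` classes, the HMAC stand-in for the payment cryptogram and the transaction counter are all assumptions chosen to show why a token that leaks from a merchant is useless by itself.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, amount_cents, merchant_id, counter):
    # Assumed stand-in for a payment cryptogram: a MAC binding token, amount, merchant, counter.
    msg = f"{token}|{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    """Hypothetical token service: the only party holding the real card number."""
    def __init__(self):
        self._vault = {}  # token -> card number, device key, highest counter seen

    def provision(self, pan):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last": 0}
        return token, key  # the card number itself is never handed out

    def authorize(self, token, amount_cents, merchant_id, counter, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return "DECLINED: unknown token"
        expected = make_cryptogram(entry["key"], token, amount_cents, merchant_id, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        if counter <= entry["last"]:
            return "DECLINED: replayed payment"
        entry["last"] = counter
        return "APPROVED"

class Device:
    """Holds only the token and key; in the article's flow, Touch ID gates pay()."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents, merchant_id):
        self._counter += 1
        return {"token": self.token, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "counter": self._counter,
                "cryptogram": make_cryptogram(self._key, self.token, amount_cents,
                                              merchant_id, self._counter)}

if __name__ == "__main__":
    issuer = Issuer()
    device = Device(*issuer.provision("4111111111111111"))  # constructed test number
    msg = device.pay(1250, "SHOP-1")        # everything the merchant ever sees
    print(issuer.authorize(**msg))          # genuine payment
    print(issuer.authorize(**msg))          # same message captured and replayed
    print(issuer.authorize(device.token, 99999, "SHOP-2", 2, b""))  # token alone
```

A merchant that stores `msg` holds nothing it can reuse: the cryptogram is bound to one amount, one merchant and one counter value, and the device key never leaves the phone.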
Inevitable Market Forces
Although a ton of retailers have already announced support for Apple Pay, and it has not even launched yet, other retailers are hesitant. But it's important to know a few things that will drive adoption quicker and more effectively than any mobile payment tech that has come before it.
Modern Point of Sale (PoS) Systems already support Apple Pay
Even if a retailer does not explicitly offer support for Apple Pay, it will still work in any retail store that supports contactless payments using NFC. And many modern Point of Sale (PoS) systems come with NFC capabilities.
Regulations will Push Adoption
Regulatory changes will require merchants to update their payment systems over the course of the next year. Those updated systems will support NFC and therefore Apple Pay and other payment solutions that use NFC.
Money will Push Adoption
Money talks, and…..
According to this MacRumors article:
"As of October 2015, merchants that do not offer support for EMV credit cards (cards that contain integrated circuits to prevent fraud) will assume responsibility for any fraudulent transactions that take place. Normally, banks assume liability, so it is in the best interest of retailers to deploy these new payment processing systems. EMV cards, or chip cards, are already used in many other countries around the world."
So by next holiday season, if retailers have not upgraded their payment systems, it will cost them money. In this case, due to fraud that they will be liable for, and probably increased transaction fees for using less secure payment tech.
EMVCo (EMV = Europay, MasterCard and Visa) exists to facilitate worldwide interoperability and acceptance of secure payment transactions and is overseen by the same kind of payment card companies as those that founded the Payment Card Industry Security Standards Council (PCI SSC). A number of the technical aspects of the financial and logistical processes that may be used in Apple Pay can be gathered from the EMV Payment Tokenisation Specification Technical Framework.