The Upcoming Fight Over Phone Payments

There’s an interesting battle developing related to the new “Apple Pay” feature introduced with the iPhone 6 series of phones.

The Background

Apple Pay uses a hardware feature called NFC, or near field communication. It’s a combination of antenna, radio, and identification chips that can only broadcast for extremely short ranges, and thus is incredibly difficult to eavesdrop on. It can also be encoded to uniquely identify the hardware running it.

Think of it as a wireless unique key or lock combination that can be put in your phone or watch, or a key fob.

With it, it becomes practical to store banking related information in a digital “wallet” (or “passbook”) on your phone, and then at stores that have NFC readers (including Whole Foods, Walgreens, CVS) to put your phone next to the terminal and pay.

The advantages are that you don’t have to produce a card who’s number has to be recorded, or be swiped (possibly through a rogue card swiper).

The disadvantages so far have been that many android phones have had the wallet features locked out by the phone carriers, and that adoption of NFC-ready terminals at checkout registers has been slow due to the additional expense. Also, the apps have been somewhat clunky to use, requiring unlocking the phone, supplying a PIN, etc. – not making it much easier than just pulling out a card.

Of course, as fraud has increased – such as the recent hacks at Home Depot and Target – it is becoming enough of an expense to justify pricier terminals that help cut down on that fraud.

So what makes Apple Pay so great (assuming you have a compatible bank – only one of mine is currently on board – the other will be soon)?

  • Your default card is available without ever having to unlock the phone. No apps to open up.
  • With reliable touchID, you don’t have to enter a PIN, you just hold the finger you always unlock the phone with over the home button.
  • Your credit card information is never stored on the phone, or given to the retailer.

The first two points make it far more convenient to actually use – as in more convenient than digging out your wallet, fishing a card out, swiping it, and entering the PIN or signing on the screen.

The last point directly deals with recent hacks of user info at various stores. Your phone only sees the credit card information long enough to register the phone with the bank. It stores a completely different ID internally, and generates a unique one-time number for every transaction. Anyone hacking a store you’ve used Apple pay will never get useful information to hit up your bank account. Like your touchID fingerprints, the information is encrypted on your phone in a way that it cannot be extracted.

The Fight

While the list of retailers supporting Apple Pay is fairly short, many quickly discovered that it worked at places not officially supporting apple pay, as long as they had enabled NFC readers. This included CVS, Rite-Aid, and other stores.

Now, these retailers have disabled their NFC readers. They no longer work with Apple Pay, or with the Android phones they used to work with.

If you’re wondering why they would make life less convenient for customers, it’s because they want to implement their own system called MCX, one not tied to the banks as the system that Apple (and Google wallet) are using. The reason they are doing this is one I’m highly sympathetic with – it’s a reason the company I worked for stopped taking credit cards for a while – the requirements and charges tied to credit card processing. And they have every right to decide how and when they get charged to process a payment.

Unfortunately, that’s where my sympathy stops.

First, their alternative solution is not out yet, and assuming it’s not delayed, won’t be out until next year.

Second – it is far clunkier to use, even compared to Google’s wallet. You not only have to open up an app, but now you have to scan a QR code (one of those funky squares-full-of-static patterns) which allows the phone to set up the transaction, which gets triggered between the merchant and the bank, and gets approval.

I’m going to ignore for a minute how often (though rare these days, especially indoors in ideal lighting) QR codes simply don’t read. Even on a high resolution “retina” display generated barcodes can be difficult for existing scanners to pick up.

Per the article, it will “enrich the customer experience” – not by making you spend less time checking out – but by allowing your retailer to better track you so they can give you coupons.

How will they get your money if they don’t send a transaction to the credit card company?

The retailer themselves may not store your card and account info, but your (debit and store, not credit) cards and account info for “ACH” (direct) access will be stored online in a “cloud vault”.

Three guesses what’s going to be a major hacking target? In the case of Apple Pay, the Credit Card companies and banks have been dealing with this for years, and as they absorb the fraudulent charges, have one heck of an incentive to stay on top of things.

So they disabled the Apple Pay/contactless terminals their proposed system wont need. This shows the priorities: the retailers are willing to disable features that improve customer convenience and choice, that don’t cost them any extra, so that they can gather more data on their customers.

The Upshot

It won’t get me to stop shopping at some of these stores that have cut off Apple Pay, but where an alternative exists that fills the same niche that does accept Apple Pay, I’ll be more inclined to spend the money there instead. I don’t plan on using the MCX alternative.

Apple pay (and related systems) are:

  • Easier to use – more so Apple Pay here, though I look forward to Android making some changes to improve ease of use…
  • More private – retailers can collect far less information on you.
  • More secure. No retailer or clerk gets to see your credit card, no retailer stores it, and your chances of someone stealing that drop massively.
  • Here now.

The alternative:

  • Gives you less privacy
  • Has less security of your banking information as you have to store it at a third party
  • Will be clunkier to use, and
  • Isn’t available yet.