My thoughts on Apple Pay

And another thing ... if Apple can't keep Jennifer Lawrence's naked photos secure in iCloud, I'm not so sure people are going to trust them with their credit card and banking details...

David, in response to your question: "Why would any merchant in their right mind invest in a system that will only be able to serve a tiny minority of consumers?"

I agree, they'd be crazy. That's why Apple has gone down the EMV NFC path.

Any retailer who adds a contactless EMV terminal can accept Apple Pay and any other mobile solution using EMV/NFC such as all of the Android HCE solutions that we'll see in market soon.

Oh. and all of the millions of contactless EMV cards that much of the rest of the world is already using.

Not such a "tiny minority" I'd say.

I think Apple see the writing on the wall and while there was some measure of fanfare, it looks like a product that will work seamlessly and may be easier for Banks to roll out. Keep in mind that it's gone down the tokenization path, this will be great for merchants trying hard to implement/maintain PCI.  

This is not about Apple leading the pack, they resisted NFC for years. The fact they are now adopting this technology shows it is gaining traction and is an endorsement of the approach that others have developed.

There are plenty who are ahead of Apple, banks in NZ, Australia, Spain have already adopted the same technology and are seeing good rates of adoption. MasterCard has recently mandated all merchants must switch to contactless ready POS terminals by 2020 and Visa has begun tokenisation roll out in the US. The potential advantages are so huge and the risks of being left behind are so high this is an unstoppable train for the card processors and banks and tech companies.

What remains to be seen is how resistant consumers are to the new technology, there will be concerns about security around handing personal financial information to the likes of Google and Apple but the advantages and convenience will surely outweigh those concerns.

The magnetic strip is on its way out and once contactless terminals are everywhere you will be able to pay by card or mobile. The card experience will be no different but the mobile experience will become more and more compelling, geolocation of payments, electronic receipt stored with the payment, biometric security and so on.  The huge ecosystem of Android and Apple app developers will dream up functionality that we cannot even imagine ourselves right now.

There hasn't been the large adoption of paying with NFC (contactless).  The issue was merchants didn't want to upgrade to terminals that would support it until they saw the need.  Consumers didn't see the advantage of using it (if they could) because they never saw anywhere to use it.

With all merchants updating their terminals to meet the October 2015 EMV requirement, most will also support NFC.  So, one side of the equation is now resolved.

As more people upgrade to the new Iphone and try out the new features, I think most will give it a try.  Even Android phone users will probably see an uptick in use as they see Iphone people using it.

There are definitely a large group of users who may forget their keys or wallet but never forget their phone.

Also, not to be overlooked is that a SmartPhone card emulation offers numerous ways to carry out cardholder verification that an NFC-enabled card does not.  This offers the opportunity to remove limits on NFC transactions.

Because offline PIN is standard practice in Europe, there is no cardholder verification for an NFC-enabled card transaction, so transactions were typically limited to €20.  SmartPhones offer the opportunity to avoid this limitation.

Firstly, I think David is 100% right. Apple Pay seems as disappointing as Google Wallet at this rate.

Martin - I think you may be misleading the discussion by introducing EMV NFC.

By simple definition EMV prevents counterfeit fraud because the EMV card is issued with cryptographic keys that can be verified by Visa/MasterCard and the Bank-card Issuer.

Then how could the EMV Bank-card Issuer in their right mind, authorize a transaction from an iPhone user that simply took a photo of a card (not necessarily their own) to add it to their Apple Pay wallet, without then defeating the whole point of EMV?

It follows, that EMV NFC would then kill the ‘generic wallet’ market - if it wasn’t dead already : )  and by implication only bank issued Wallets would survive. 

In any event, contactless (NFC) EMV is a bit of a dog because the hand-shake with the terminal takes as long as contact EMV so what’s the point? Plus like Stephen eludes to, below X limit being without PIN means cards can be ‘milked’ or users must keep them in a NFC shielded wallet only to take them out when needed - so what’s the point, squared.

@CraigK: Good point about "Then how could the EMV Bank-card Issuer ... authorize a transaction from an iPhone user that simply took a photo of a card (not necessarily their own)...". Your question would sound even more ominous when we learn from Apple's website that users can "simply type" card details "manually" to add new cards to Apple Pay (http://www.apple.com/iphone-6/apple-pay/). In other words, you don't even need to have somebody else's card to snap a picture of it!

What Stephen Hanlon says is a very important point, and one of the reasons why mobile technology is such a good solution for combatting credit card fraud - both offline and online.  With mobile, dual-factor authentication can be employed where your mobile wallet can be linked with only a single handset.  Add password/pin protection, and you have dual authentication: something you HAVE (must have the phone), and something you KNOW (the pin/password).  Then you can remove the silly NFC transaction limits.

Using mobile, apps can be trigger-agnostic: QR-code, NFC, audio tag, Bluetooth beacons ... whichever the merchant wants to adopt.

I firmly believe, though, than in order for m-commerce to achieve real scale the solutions must work across all (or most) mobile platforms.  Apple is being Apple, trying to play within their own little ecosystem - which worked fine for iTunes, but won't for m-commerce.

Whether you think they've been smart in holding out until now with NFC, or too slow and now lucky (what with HCE, contactless rollout in the US, etc) is almost a moot point. Sure there are lots of ways to build security around a payment, but without ubiquitous acceptance, it will always be limited. NFC is a good horse to bet on right now.

What is more interesting in their play is the very deliberate move to stay away from the purchasing data. This has won friends and will foster participation - we've already seen significantly more of that than with either the Google Wallet or Softcard. And friends will create apps to add to the overall wallet value and experience. Don't forget that Apple is not defined as a payments company; they have to act with some caution.

A good move, in my opinion. A good first step, should I say; there will be more to come.

Craig and Ketharaman, I'm a little confused by your reactions. I'm not privy to the fine detail and don't work for Apple, a card scheme or any of the involved banks but I think it's pretty clear from the publically available information that the transaction at the POS is an EMV transaction using an EMV cryptogram to secure it. The difference here is that this cryptogram is created using a random number and the replacement PAN that is provided by the scheme tokenisation services to ensure that it's good for one transaction only and can be identified as a mobile transaction.

The PAN entry (or picture) is merely part of the enrollment procedure and doesn't imply (to me) that the transaction is not EMV.

This article explains it reasonably well: http://bankinnovation.net/2014/09/heres-how-the-security-behind-apple-pay-will-really-work/