On September 9, Apple announced an exciting new feature, Apple Pay, a mobile wallet payment system available on the new iPhone 6 and Apple Watch devices. My initial reaction to the announcement was "Not another mobile wallet option!" After researching implementation details, my attitude quickly changed and I became intrigued.
Apple Pay enables a safe and secure transaction between Apple devices and a retailer’s contactless payment reader or online storefront. The consumer avoids the tedious step of swiping a card or entering credit card numbers or passwords, since that information is already stored in Passbook, an application first introduced in iOS 6.
What’s important is how Apple Pay transforms traditional theft-prone credit cards into a unique Device Account Number stored securely on a special chip in the device. It then pairs that number with transaction-specific dynamic security codes. This ensures that intercepted transactions cannot be used to conduct fraud, since each security code is only good for the one transaction. This is the most obvious benefit, similar to the protections in place with EMV: to prevent the chips from being copied.
Another, less obvious security benefit Apple Pay has over EMV is that sensitive card data is never handled by the merchant. EMV passes plain text card data to point of sale systems, where it can later be stolen by RAM scrapers and used to commit fraud. With Apple Pay, the physical phone becomes the sole point for potential exploitation. Hopefully, Apple has implemented significant and sophisticated measures to protect card data stored in the iPhone's Passbook from theft or unauthorized use. Regardless, removing sensitive payment data from the merchants’ hands is a necessary step to solve the increased breach epidemic retailers have been facing.
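A simplified model of the two properties described above, added here as an illustration; it is not code from the original article and not Apple's or EMV's actual algorithm. The HMAC construction, the transaction counter, the class and function names and the sample numbers are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def _code(key, dan, counter, amount, merchant):
    """Dynamic security code: a MAC over the fields of this one transaction."""
    msg = f"{dan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Device:
    """Stands in for the secure chip: holds only the token and a device key."""
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0

    def pay(self, amount, merchant):
        self._counter += 1  # never reused, so every code is different
        return {"dan": self.dan, "counter": self._counter, "amount": amount,
                "merchant": merchant,
                "code": _code(self._key, self.dan, self._counter, amount, merchant)}

class Issuer:
    """Only the issuer can map a token back to the real card number."""
    def __init__(self):
        self._vault = {}

    def provision(self, pan, dan):
        key = secrets.token_bytes(32)
        self._vault[dan] = {"pan": pan, "key": key, "last": 0}
        return Device(dan, key)

    def authorize(self, txn):
        rec = self._vault.get(txn["dan"])
        if rec is None:
            return "DECLINE unknown token"
        want = _code(rec["key"], txn["dan"], txn["counter"], txn["amount"], txn["merchant"])
        if not hmac.compare_digest(want, txn["code"]):
            return "DECLINE bad code"
        if txn["counter"] <= rec["last"]:
            return "DECLINE replayed code"
        rec["last"] = txn["counter"]
        return "APPROVE"

# Constructed sample values, not real account data.
PAN, DAN = "4111111111111111", "4895370012345678"

def demo():
    issuer = Issuer()
    phone = issuer.provision(PAN, DAN)
    txn = phone.pay(1250, "store-42")          # everything the merchant's systems see
    first = issuer.authorize(txn)
    replay = issuer.authorize(dict(txn))       # captured copy submitted again
    altered = issuer.authorize({**txn, "amount": 99999})
    return first, replay, altered, PAN in txn.values()
```

The merchant-side record contains the token and a one-time code but never the card number, so a copy taken from point-of-sale memory is declined when it is submitted again or altered.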
What’s especially bold is Apple’s move to bypass the payment processors that have been used for decades. Point of sale and online ordering systems integrated to support Apple Pay can send the Device Account Number and the dynamic transaction security code directly to the card issuer for approval. In essence, they’re creating their own secure payment network to facilitate their proprietary payment technology.
Unfortunately, adoption will be a significant challenge. If you look at past attempts to change consumer payment behavior, there’s a long list of failures. For example, contactless payments were rolled out on a limited basis by inserting a rice-sized RFID chip in credit cards, which a purchaser waves in front of the terminal instead of swiping the magnetic stripe. Adoption was abysmal. More recently, mobile wallet offerings such as Visa payWave used NFC for contactless payments in stores, but gained little traction beyond pilot implementations.
Apple Pay is a strategic move to expand further into the major mobile wallet marketplace to rival PayPal and other contenders. The big question is whether Apple can succeed in convincing consumers and businesses to ditch the plastic. They both need compelling benefits to justify the behavioral changes. For example, Starbucks successfully leveraged its mobile application with payment capabilities to enhance the customer experience and their loyalty program.
One way Apple could incentivize adoption is by providing loyalty points for purchases made using Apple Pay, redeemable in the form of Apple Store purchases. Consumers would get rewarded for making the switch while driving increased traffic to the Apple stores. This in turn would generate demand for merchants to support Apple Pay. Finally, by eliminating the payment processors from the transaction flow, retailers would reap greater benefits with lower processing fees and increased cost savings that yield higher profits.
If successful, Apple Pay would cement Apple’s dominance across the user experience and extend its domain to mobile payments where the biggest potential is in the rapid adoption of mCommerce, defined as shopping online from handheld devices.
Lucas Zaichkowsky is the Enterprise Defense Architect at AccessData, responsible for providing expert guidance on the topic of cybersecurity. Prior to joining AccessData, Lucas was a Technical Engineer at Mandiant where he worked with Fortune 500 organizations, the Defense Industrial Base, and government institutions to deploy measures designed to defend against the world's most sophisticated attack groups.
Edited by Stefania Viscusi