My Apple Pay vs. CurrentC blog post set a personal record for emails from readers, most of whom contacted me to defend Apple Pay. Of the many emails, a well-written and much-appreciated one from Ms. Lynn McDonald identified a few important points omitted from the original story. I'd like to respond to the top issues Ms. McDonald and other readers raised in response to that last post.
Approaching this payment controversy from the perspective of the retailer was wrong
Barely hatched and condemned as the Anti-Apple Pay, CurrentC could improve shopping experiences in the microcosm of a retailer’s brand in ways that Apple Pay’s brand macrocosm can’t. It’s premature to burn CurrentC at the Apple heresy stake.
Apple reached out to banks, credit card companies, and retailers before announcing Apple Pay to consumers. So did MCX, the developer of CurrentC. MCX was formed by some of the largest retailers, chartered to build a retail mobile payment system to deliver features unavailable in existing payment tools and mobile wallets. Apple’s widely recognized brand let the company bring Apple Pay directly to consumers. It will be up to the retailers to bring CurrentC to their customers after early testing is complete.
CurrentC will be wrapped in retailers’ brands. It’s a stretch to think that big brick-and-mortar retailers will build a disruptive branded app, like Uber or AirBnB, but there is much to be gained from the application of mobile technology to the retail shopping experience.
Apple Pay is secure, so it’s better than Credit Cards
Indisputably, Apple Pay is at least more secure than the mag-stripe plastic credit cards. Who benefits from Apple Pay security? The credit card companies, banks, and to a limited extent the retailers that are liable. Consumers aren’t responsible for any fraud whatsoever.
Credit card companies, banks, and merchants deliberately chose a system that sees more point-of-sale fraud rather than less. Credit card companies could have had a secure credit card years ago, but no one wanted to pay the price of moving from mag-stripe cards to the much more secure Chip and PIN cards, even though the markets that did, like the UK in 2005, experienced a 70% decrease in POS fraud in the first five years it was deployed.
Merchants and credit card companies were in a standoff over who should pay for the upgrade of POS terminals to reduce fraud. According to a high-level payment card industry source, in 2011 new and secure Chip and PIN credit cards would have cost credit card companies $2 billion to issue, and it would cost merchants $7.7 billion to upgrade POS equipment. But merchant credit card fraud only amounted to $1.3 billion that year, so there wasn’t an incentive for change.
The incentive to upgrade became a reduction in the fees merchants paid for credit card compliance. The credit card companies made an offer to merchants – upgrade POS equipment to Chip and PIN, referred to as EMV in the industry, meet some transaction volume commitments, and skip annual compliance audits. That way, merchants could spend the money they saved by avoiding audits on POS equipment upgrades. Also, on October 1, 2015, merchants will pay the cost of fraud if the old POS equipment hasn’t been replaced with EMV and near-field communication (NFC) POS equipment.
This leads to tokenization, something that Apple Pay does really well. In a nutshell, a cryptographically generated random string of letters and numbers that make up the token that replaces the consumer’s credit card number and personally identifiable information at the point of sale. A token is generated for each transaction, so if it is intercepted it can’t be used to make additional fraudulent purchases. The merchant can verify that the token is valid but can’t extract the card number or personal data. The credit card companies extract the card number and bill the consumer. If fraudsters breach the merchant’s POS equipment or data center, all they get is a useless batch of tokens.
But tokens are another example of Apple leading by following. Google Wallet, Braintree Payments (acquired by PayPal), and Stripe, to mention a few, adopted tokens years ago. CurrentC uses tokens. If the credit card companies adopted tokens, the many breaches from POS equipment and data centers would have just produced worthless one-time use tokens.
Relative to mag-stripe credit cards, Apple Pay is very secure through the omission of the credit card companies that own the problem of fraud. Consumers aren't liable for fraud losses, so the improved security of Apple Pay doesn't benefit them at all.
An industry consensus on a secure mobile payment standard for mobile payments like EMV – which was ignored by Apple, the credit card companies, and mobile carriers – is the elephant in the parlor. Almost every smartphone has hardware that would make all mobile payments secure, called the secure element. But the mobile carriers demand a toll from payment companies to use the secure element, so it’s not used. Apple’s proprietary payments interfere with a secure payment standard, and with its 20% market share and long cycle of upgrades to Apple Pay-compatible iPhones, it will have a limited impact on fraud.
POS machines are the primary targets of credit card hackers
Not exactly. Let’s look at the Target exploit, where criminals stole a reported 40 million credit card numbers. The criminals breached Target’s enterprise perimeter security defenses, installed malware on the old POS equipment running Windows XP (which is prone to exploits), collected credit card data, then commandeered a Target server that automated the theft of batches of credit card data over Target’s internet connection. The theft could have been stopped dead had the software on the POS equipment been better written to restrict the thieves’ malware or if the option to encrypt using the hyper-secure DES3 algorithm between the card reader and terminal had been implemented. And new POS equipment would have defended against the malware where that old Windows XP-based equipment could not.
Breaches of merchants’ and banks’ data centers are a much bigger problem than POS fraud. Total credit card fraud amounted to about $11 billion in 2011, compared to $1.3 billion of POS fraud, according to the aforementioned source. Out-of-date POS equipment is certainly a target (no pun intended) but the number of POS breaches is declining as merchants upgrade the equipment EMV and NFC.
I don’t want CurrentC to give my personal data to merchants
According to Scott Rankin, COO of MCX:
"Your choices about what data you wish to share with merchants will not be affected by CurrentC. In fact, CurrentC actually will give you better visibility into those choices by offering a dashboard that will let you view and set your data-sharing preferences with icons and plain English descriptions. You can opt in, opt out, or opt not. It is your choice."
A merchant may by law or bank policy need more data for certain types of transaction, or the merchant might offer consumers a mobile app, giving a better mobile retail experience and promotional discounts in return for his or her information.
It's wrong for CurrentC to disable Apple Pay
In response, Rankin explained:
"MCX did NOT disable Apple Pay. MCX merchants make their own decisions about what solutions they want to bring to their customers; the choice is theirs."
That CVS disabled Apple Pay and Walmart won’t accept it could be more of a brand identity issue. If a merchant were to add a new form of payment, it might choose one like CurrentC that promotes its own brand instead of Apple’s.
CurrentC can’t be trusted because the company disclosed that CurrentC has been compromised already
Rankin provided the following update on MCX’s previous statements:
"MCX remains confident that the information accessed at its email service provider (ESP) last week did not include any financial information, as this information was not stored by, and has never been provided to, MCX’s ESP. While the party who gained unauthorized access has not been identified, the method by which the access occurred was identified promptly and remediated.
"MCX’s investigation into this incident is ongoing. Third-party computer forensic experts Mandiant, are assisting in the investigation in order to confirm MCX’s findings. MCX reported this incident to the United States Secret Service. MCX remains committed to consumer privacy and security and will provide updates on substantive developments in the ongoing investigations as warranted."
A breach during a test of a new software product shouldn’t be unexpected. Early releases are intended to find bugs and expose weaknesses. All the media attention playing to consumers’ anxieties about this has been an unfortunate distraction.
Apple Pay is a good product, but a limited proprietary solution to fraud. A revolutionary product, by comparison, would require Apple to work with competitors and other payments services to standardize on a design that works with all smartphones. Mobile payment solutions by definition have to be low-cost, pervasive, and able to deploy without an upgrade to POS equipment. It should also have one other feature – it can’t cost more than the fraud it prevents.