Friday, September 19, 2014

Musings on Apple Pay

I have waited several years for Apple Pay and am glad it is finally here. What I am not so happy about is that it uses NFC and hence works only on the iPhone 6 :-( Ostensibly, this is for "security" (and there is mention of "secure storage" as well) but I question that.

Secure Storage
I think even the iPhone 3GS has reasonably secure storage to store any private keys that may be needed to generate one-time transaction authorization codes.

Barcodes, WiFi, Bluetooth
The random token can be sent to the payment terminal using a barcode displayed on the screen and still be as secure. It can use WiFi or Bluetooth as well. A barcode at first glance would appear to be a one-way channel, but the phone has a camera too (in case we want the payer to check if the payee is legit, but I don't think that is done or needed for credit card payments). WiFi might be tricky if a user is on a network different from the one the payment terminal wants to use, and it is not as power-efficient as Bluetooth. A barcode has the advantage that existing payment terminals with barcode readers can be updated to Apple Pay with software changes.
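To illustrate the claim above that a one-time code can travel over a channel anyone can photograph, here is an added example (not from the original post, and not Apple Pay's actual protocol): an HMAC-based code bound to a counter, amount and merchant, with an issuer that rejects replays. The shared key, token layout, tag length and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_HEX_LEN = 16  # assumption: truncated tag keeps the barcode short


def make_token(key: bytes, counter: int, amount_cents: int, merchant: str) -> str:
    """Device side: one-time code bound to a counter and the transaction."""
    msg = struct.pack(">QQ", counter, amount_cents) + merchant.encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    return f"{counter}:{tag}"


class Issuer:
    """Verifier side: shares the key and remembers the highest counter seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def authorize(self, token: str, amount_cents: int, merchant: str) -> bool:
        try:
            counter_text, _tag = token.split(":")
            counter = int(counter_text)
            expected = make_token(self.key, counter, amount_cents, merchant)
        except (ValueError, struct.error):
            return False  # malformed token or out-of-range counter/amount
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False  # forged, or amount/merchant differs from what was signed
        if counter <= self.last_counter:
            return False  # replay of a code that was already spent
        self.last_counter = counter
        return True


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    merchant = "constructed-merchant-42"             # constructed sample value
    token = make_token(key, 1, 1250, merchant)       # what the barcode would carry
    issuer = Issuer(key)
    return {
        "first_use": issuer.authorize(token, 1250, merchant),
        "replayed_photo": issuer.authorize(token, 1250, merchant),
        "changed_amount": Issuer(key).authorize(token, 999900, merchant),
        "next_code": issuer.authorize(make_token(key, 2, 1250, merchant), 1250, merchant),
    }


if __name__ == "__main__":
    print(demo())
```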

User Experience
One might argue that a barcode-based system would be a less appealing user experience than a radio-based one. However, I fail to see why Bluetooth would not achieve the same. Why did Apple choose to have another component in the system? Perhaps because there is an installed base of NFC payment terminals? I doubt that.

Why Security Matters? Consumer is not on the hook for that
We all know that we are not responsible for fraudulent charges on credit cards. That burden is borne (rightfully so) by the payment processing industry. However, they pass on the cost of fraud to merchants as high transaction fees, and the merchants pass that on to consumers. By designing a system that is more secure than the physical credit card (at least those common in the US), Apple was able to convince the payment processors to give it discounts on transaction fees. Of course, it will not translate to lower prices for consumers anytime soon (sigh!) but the payment industry needs a lot of shaking up. A 1-3% processing fee is ridiculously high in the electronic age.

I hope that Apple starts supporting Bluetooth-based Apple Pay in the future because I believe it will be as good as NFC.