Apple has done it again – stolen the headlines. There’s much buzz around the launch of Apple Pay, a virtual wallet that allows users to enter their credit card information into their devices or iTunes accounts and then use the devices to securely make purchases online, through an app or in stores.
Virtual wallets aren’t new; Google, PayPal and a host of others are out there. But leave it to Apple to add an innovative twist. A new report from Celent says Apple Pay has a good chance to be successful because it offers a very slick user experience. It says Apple Pay is the most secure payment method to date, as it combines a new tokenization approach with biometric cardholder authentication. It offers enhanced security not only for payments in physical stores, but also for those made directly from a merchant app.
"Rather than disrupting the payments industry, Apple is working with incumbents, card issuers and networks to bring a familiar payment instrument (card) into the digital world," notes the Celent report.
The rush to embrace Apple Pay is an exciting, yet challenging opportunity for financial institutions. According to banking industry trade group Bank Administration Institute (BAI), Apple has worked magic in steering customer behavior in the past, and the prospect that they can do it again in mobile transacting is a compelling offer for many financial institutions.
What makes Apple Pay special?
When paying with Apple Pay, you’re never passing payment information to the point-of-sale system, because it’s based on a tokenized system of transaction data. This is similar to the technology used in settings like gas stations and restaurants, where a preauthorization of funds might be required because the amount of the services is not actually final and is held until you add your tip or are finished pumping your gas, explains Ryan Carlson, tech evangelist at The Nerdery, a technology firm.
Tokenization allows the point-of-sale to hold the transaction information in memory without storing sensitive card information on their point-of-sale system. The token is only good for a single transaction. "So even if you were able to obtain the token, it would be meaningless and at most usable for a single transaction since Apple Pay creates a new unique token with each transaction," adds Carlson.
Being able to lock a payment down to the use of Touch ID and a fingerprint scan, in conjunction with a unique one-time use payment token, means that the loopholes around the physical security of a user's payment information have been closed, says Carlson.
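The single-use token behaviour described above can be sketched as a simplified model. This is an added example, not Apple Pay's or any card network's actual protocol; the `TokenVault` and `PointOfSale` classes, the expiry window and the test card number are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Issuer-side store mapping one-time tokens to the real card number (PAN)."""

    def __init__(self, ttl_seconds=120):    # expiry window is an assumption
        self.ttl = ttl_seconds
        self._tokens = {}                   # token -> [pan, expires_at, used]

    def issue(self, pan, now):
        token = secrets.token_hex(8)        # random: reveals nothing about the PAN
        self._tokens[token] = [pan, now + self.ttl, False]
        return token

    def redeem(self, token, now):
        entry = self._tokens.get(token)
        if entry is None:
            return "declined: unknown token"
        if entry[2]:
            return "declined: token already used"
        if now > entry[1]:
            return "declined: token expired"
        entry[2] = True                     # burn the token on first use
        return "approved"

class PointOfSale:
    """Merchant terminal: handles tokens only, never the PAN."""

    def __init__(self, vault):
        self.vault = vault
        self.records = []                   # everything the merchant retains

    def charge(self, token, amount_cents, now):
        result = self.vault.redeem(token, now)
        self.records.append((token, amount_cents, result))
        return result

def demo():
    pan = "4111111111111111"                # constructed test card number
    vault = TokenVault()
    pos = PointOfSale(vault)
    t1 = vault.issue(pan, now=0)
    first = pos.charge(t1, 1250, now=5)     # legitimate purchase
    replay = pos.charge(t1, 9900, now=6)    # same token presented again
    t2 = vault.issue(pan, now=10)
    stale = pos.charge(t2, 500, now=500)    # presented after expiry
    leaked = any(pan in str(r) for r in pos.records)
    return first, replay, stale, t1 != t2, leaked

if __name__ == "__main__":
    print(demo())
```

The merchant's records contain only tokens and outcomes, so a compromise of the terminal yields nothing that can be replayed or mapped back to the card.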
Some are hailing this as a new era in which digital providers seek to answer the call for greater security, one that could lead to higher adoption rates than before.
"Apple’s use of tokenization is definitely stronger than what was seen from Google or PayPal," says Doug Brown, senior vice president and general manager at FIS.
While PayPal was a pay innovation, it was and still is a major target for hackers, says Kellman Meghu, head of Americas Security Architects at Check Point Software Technologies. "Anywhere a consumer has to input, not just their credit card information, but bank account number, there is a huge opportunity for theft."
Google Wallet suffers from poor implementation, says Dennis Restauro, a technology expert with groundedreason.com. "Usage of Google Wallet requires users to wake their phone and type a PIN. I might as well just reach in my wallet for a card. Google holds on to purchase data. And PayPal’s mobile app is even more cumbersome than Google Wallet. I need to wake my phone, turn on the app, check into the store, choose the account, then I pay. Like Google, PayPal holds onto transaction data."
Apple already has arrangements with 220,000 retail locations that will accept payment on the new iPhones. Major payment networks like Visa, MasterCard and American Express and more than 500 banks are signed up to participate, says Darren McGrath, Unisys Global Director Mobility Solutions. "With this type of ecosystem support and the broad device adoption, Apple Pay is sure to be a success."
Simply put, says Restauro, "If Apple Pay doesn’t usher in adoption of virtual wallets, it’s hard to imagine anything would."
Best thing since sliced bread?
But for all the hoopla, some say there’s a lot of hype around Apple Pay.
"Regardless of the encryption for each purchase not being tied to a specific credit or debit account, the fact that the first level of security can be ‘faked’ is an issue," says Ritch Blasi, president of MediaRitch, a mobile and wireless consulting business.
"Less than a week after the introduction of Touch ID, it was spoofed, which is synonymous with hacking. Right now, most fingerprint ID solutions offer an accuracy rate between 12-20% -- not secure enough to protect the privacy mobile users expect or require for financial transactions or for their healthcare information," says Blasi.
Then too, points out Damien Hugoo of Easy Solutions, which provides anti-fraud services to financial institutions, "A big concern is that the authentication mechanisms for validating cards are unclear. Apple seemed to have focused on security payment mechanisms such as tokenization and fingerprints (which we believe are solid steps). But payment can only be as secure as the authentication, which starts with registering cards to an account, as well as granting access to a particular account."
"Without the proper authentication mechanisms, Apple may have just made it easier for criminals to counterfeit credit cards from the black market. You don’t need a physical card to make a purchase in person. You can simply take a picture of numbers superimposed (or Photoshopped) on a card, and run with it," says Hugoo.
Apple Pay overnight raises the value of a lost iPhone, creating greater incentive for theft, says Hugoo. If your battery dies you essentially lose your wallet.
Hugoo recommends individuals and financial services firms continue to adopt a multi-layered security strategy. For individuals, this means enabling as many security mechanisms as the vendor provides. For financial services firms, this includes continued monitoring of black-market and card-not-present transactions.
Says Hugoo, "We predict that banks will also start paying more attention to ‘device health’, as visibility into the status of a device, potentially malicious apps running on it, etc., is going to be more important going forward. We don’t think people will throw away their wallets, but we do believe financial institutions should be thinking about steps to protect themselves and their customers from the new fraud schemes that are sure to emerge."