Gartner Blog Network


Will Apple Pay Save Merchants from Data Breaches?

by Avivah Litan  |  September 9, 2014  |  6 Comments

Apple has finally gotten into the payments business with its Apple Pay announcement. While details on Apple Pay security features are still scarce, it sounds like they are working with Visa, MasterCard, the other card brands and the major issuing banks behind them to use a payment card tokenization scheme that these financial services companies endorse and recognize.

That means that consumers don’t have to store their payment card data in their mobile wallets. Instead, they would set up their Apple Pay system with a credit card (either one linked to their iTunes account or a separate one). When the consumer is ready to pay, their financial service provider would issue them a one-time token number that would initiate the payment process. The token would have policies governing its use, i.e. how long a time period it can be used in, where it can be used, how much it can be used for etc.

Token numbers are not considered credit card numbers and there are lots of security benefits to merchants when they DO NOT accept, store or transmit actual credit card numbers; i.e.

a) The scope of their PCI compliance audit is greatly reduced

b) They will avoid payment card data breaches and their systems will be more secure since criminals can’t reuse token numbers so they are not going to bother stealing them.

I firmly believe that merchant acceptance is what drives adoption of new payment systems, much more so than consumer acceptance does. For Apple Pay to succeed, merchants are going to have to want to accept it. So are the security features enough to incent merchants to adopt Apple Pay?

a) Probably not for most of the 30 some million merchants that accept credit cards. Unless ALL their shoppers use Apple Pay, merchants still have to spend money on all the onerous security functions required to be PCI compliant.

b) Merchants are already spending money on upgrading to EMV terminals (chip) and have to get ready for that upgrade and liability shift in October 2015 when they will start eating more fraud if they can’t accept an EMV chip card payment.

Granted, EMV-ready terminals come with NFC acceptance capability and merchants have to be able to accept contactless NFC based EMV payments as well. But Apple didn’t say anything I heard about support for the EMV standard, at least not yet. (They likely will support it).

c) Many large merchants Gartner talks with are upgrading their point-of-sale terminals to manage point to point encryption (P2PE) of the card data because they are sick and tired of hearing about the data breaches and don’t want to be the next retailer victim. P2PE affords the quickest and strongest protection to payment card data used at brick and mortar stores –hence there is strong interest in the technology that the card companies have yet to standardize on.

Chip (EMV) cards will take at least 5-7 years to become more or less ubiquitous in the U.S. and merchants can’t wait that long to protect themselves and their card data. P2PE is effective as soon as the merchants implement it. They don’t have to wait for card issuers and consumers to start using chip cards.

So what does Apple need to do to foster wider acceptance of Apple Pay?

a) Lower merchant fees, just like Square and other payment aggregators do. Apple already has experience and expertise with payment aggregation for iTunes payments which it needs to do to keep iTunes transaction costs down. If they did the same payment aggregation for merchants, they could conceivably offer lower rates then the existing payment processors and banks do today, assuming Visa and MasterCard don’t stop them from doing so.

b) Build in revenue generating and loyalty features into the Apple Pay Wallet to foster merchant sales. Apple could conceivably do this as well but this is less important than lowering the fees when it comes to building merchant acceptance.

Bottom Line – This is very exciting news and has the potential to change the payment landscape, at least in the U.S. where merchants are being breached every other day and are up to their eyeballs in security issues and expenses. Apple can certainly ride the security wave and offer merchants and consumers more secure payments. But they are still just a fraction of the shopper base and the other fraction still has to be protected. So Apple will need to offer more than just security features to gain all-important acceptance. IMHO, lower fees are key to Apple Pay success.

Google is likely to copy Apple on the security features and then will have to enlist their handset manufacturer partners to link NFC chips to the Google Wallet. Apple has it easier in this regard since they have a closed system – i.e. they manufacture the handsets and the software that runs on them. But once Google gets in the game and Android phones are enabled with more secure payments, we may actually see mobile NFC payments catch on. Better yet, we may actually see the criminals and payment card data breaches start to go away – or at least migrate to something else.

Category: 

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio


Thoughts on Will Apple Pay Save Merchants from Data Breaches?


  1. Mark Bower says:

    Great analysis.

    With this announcement, Apple validates the data-centric security model, and shines a spotlight on the need for the payment world to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data such as tokenized or EMV style authenticated payments.

    With this data-centric security strategy as applied to mobile-originated payment transactions, Apple Pay may help reduces risk of data breaches and credit card theft where it is supported. However, payment ecosystems will have mixed traditional card payments and new restricted use payment tokens and a variety of wallets, such as Host Card Emulation varieties (HCE). To avoid any risk from advanced threats to vulnerable fields, I envisage that leading merchants will want to protect all transaction data unilaterally given the likely mix of older at risk data, and less risky, but still potentially valuable payment tokens in transaction flows. This is already easily achievable with current data-centric security solutions.

    The retail world today is still in an early adoption phase with regard to new payment methods and mobile wallets. US based retailers in particular still have to contend with EMV upgrades, legacy mag-stripe data, card-not-present e-commerce capture and a variety of advanced threats. Merchants will also need to be update their retail infrastructure to accept Apple Pay, and likely many other wallet schemes. Thus for a significant time, legacy static credit and debit cards, EMV cards and newer schemes like Apple’s will need to co-exist, and advanced threats across all of them managed to avoid continued breaches and customer data exposure.

    Fortunately, even with exciting innovation like Apple Pay, mixed payment environments can be secured end-to-end from the point of card/wallet read to the secure payment host with contemporary encryption solutions and advanced tokenization technology for a wide variety of sensitive data fields. This enables retailers to accept new and old payments protected under a unified data-centric protection framework to thwart advanced threats and protect customer data, all the while ensuring a seamless, yet secured, customer experience.

    Regards,
    Mark Bower
    VP Product Management
    Voltage Security

  2. […] Avivah Litan von Gartner sieht vor allem die Wichtigkeit von Shops für den Erfolg des Bezahldienstes. Nachdem für Betreiber von […]

  3. William Swartzendruber says:

    Google Wallet already tokenizes HCE payments. From their FAQ:

    “Wallet also uses dynamically rotating credentials that change with each transaction and are usable for a single payment only.”

  4. Andrew says:

    I think that there are still a few outstanding questions here that will need to be addressed in advance of the Apple pay launch.

    1. Who takes the risk on Apple Pay transaction? With EMV liability shifts to the issuer in the case of ‘transaction not authorized’ disputes. From what I am reading from issuers currently it sounds like merchants will be liable for fraud with Apple Pay

    2. Will merchants incur higher fees for accepting Apple Pay. Both MasterCard and Visa have announced both tokenization and wallets assessments. Will either or both of these apply to Apple Pay transactions? It sounds like they will.

    3. Are there going to be floor limits with Apply Pay as there are currently with contactless payments? If yes then it will limit adoption.

    A lot is being made of the security of using a fingerprint as authentication with each payment. The reality though is that if you have the password for the phone you can change the fingerprint so that moves the risk model.

    I would debate your comment about Apple becoming an aggregator to lower merchant fees in the future. It looks to me as though the associations and issuers control that. Unless Apple wishes to take on the rule of tokenization service provider instead of token storage then at a flick of a switch Apple Pay goes away if they don’t play fair!

  5. […] to the public and the media has several different guesses of how it thinks the system will work.  Gartner claims no credit card information will be stored on the phone, using your iTunes credit card information, […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.