Apple has finally gotten into the payments business with its Apple Pay announcement. While details on Apple Pay security features are still scarce, it sounds like they are working with Visa, MasterCard, the other card brands and the major issuing banks behind them to use a payment card tokenization scheme that these financial services companies endorse and recognize.
That means that consumers don’t have to store their payment card data in their mobile wallets. Instead, they would set up their Apple Pay system with a credit card (either one linked to their iTunes account or a separate one). When the consumer is ready to pay, their financial service provider would issue them a one-time token number that would initiate the payment process. The token would have policies governing its use, i.e. how long a time period it can be used in, where it can be used, how much it can be used for etc.
Token numbers are not considered credit card numbers and there are lots of security benefits to merchants when they DO NOT accept, store or transmit actual credit card numbers; i.e.
a) The scope of their PCI compliance audit is greatly reduced
b) They will avoid payment card data breaches and their systems will be more secure since criminals can’t reuse token numbers so they are not going to bother stealing them.
I firmly believe that merchant acceptance is what drives adoption of new payment systems, much more so than consumer acceptance does. For Apple Pay to succeed, merchants are going to have to want to accept it. So are the security features enough to incent merchants to adopt Apple Pay?
a) Probably not for most of the 30 some million merchants that accept credit cards. Unless ALL their shoppers use Apple Pay, merchants still have to spend money on all the onerous security functions required to be PCI compliant.
b) Merchants are already spending money on upgrading to EMV terminals (chip) and have to get ready for that upgrade and liability shift in October 2015 when they will start eating more fraud if they can’t accept an EMV chip card payment.
Granted, EMV-ready terminals come with NFC acceptance capability and merchants have to be able to accept contactless NFC based EMV payments as well. But Apple didn’t say anything I heard about support for the EMV standard, at least not yet. (They likely will support it).
c) Many large merchants Gartner talks with are upgrading their point-of-sale terminals to manage point to point encryption (P2PE) of the card data because they are sick and tired of hearing about the data breaches and don’t want to be the next retailer victim. P2PE affords the quickest and strongest protection to payment card data used at brick and mortar stores –hence there is strong interest in the technology that the card companies have yet to standardize on.
Chip (EMV) cards will take at least 5-7 years to become more or less ubiquitous in the U.S. and merchants can’t wait that long to protect themselves and their card data. P2PE is effective as soon as the merchants implement it. They don’t have to wait for card issuers and consumers to start using chip cards.
So what does Apple need to do to foster wider acceptance of Apple Pay?
a) Lower merchant fees, just like Square and other payment aggregators do. Apple already has experience and expertise with payment aggregation for iTunes payments which it needs to do to keep iTunes transaction costs down. If they did the same payment aggregation for merchants, they could conceivably offer lower rates then the existing payment processors and banks do today, assuming Visa and MasterCard don’t stop them from doing so.
b) Build in revenue generating and loyalty features into the Apple Pay Wallet to foster merchant sales. Apple could conceivably do this as well but this is less important than lowering the fees when it comes to building merchant acceptance.
Bottom Line – This is very exciting news and has the potential to change the payment landscape, at least in the U.S. where merchants are being breached every other day and are up to their eyeballs in security issues and expenses. Apple can certainly ride the security wave and offer merchants and consumers more secure payments. But they are still just a fraction of the shopper base and the other fraction still has to be protected. So Apple will need to offer more than just security features to gain all-important acceptance. IMHO, lower fees are key to Apple Pay success.
Google is likely to copy Apple on the security features and then will have to enlist their handset manufacturer partners to link NFC chips to the Google Wallet. Apple has it easier in this regard since they have a closed system – i.e. they manufacture the handsets and the software that runs on them. But once Google gets in the game and Android phones are enabled with more secure payments, we may actually see mobile NFC payments catch on. Better yet, we may actually see the criminals and payment card data breaches start to go away – or at least migrate to something else.