Apple Pay is upon us: the automatic, card-less payment method that makes it easy to transact business with only your phone and your finger. Easy. Simple. Unlike the media, and in some respects Apple themselves, I want to talk about the game-changing technology that has just been unleashed into the market. No one is talking about this and, as sad as it seems, the reason may be that the public can’t understand it. Apple Pay brings a 50-year-old process into the 21st century; it improves security for individuals and removes significant liability from merchants.
Apple Pay should be the first of the next generation of electronic payments. I foresee every vendor, phone maker and merchant moving to this system of payment. Why wouldn’t they? Apple has done what the industry has tried and failed to do for years, and they did it better. For starters, it removes the need to carry a plastic card that has on it every piece of information needed to make a transaction: the card number, your full name, the expiration date and a ‘security’ code on the back. A one-stop shop of information. Apple Pay uses the card information to connect to the bank but does not store it. What Apple Pay does on the phone is create a new, random account number for that connection. If you lose your phone you wipe the data remotely, and you don’t have to get new cards issued. For a user this is the safest, most secure method to store financial information in a mobile device. As I watch the news stories and read the blogs, one argument against Apple Pay bothers me a great deal because it makes no sense. The argument is that if you lose your phone you lose the data. However, they never seem to mention what this replaces and the security of the old method –
Everyone seems to be overlooking the wallet and how terribly insecure those storage units are. A single wallet (or purse) on an average person holds driver’s licenses, multiple credit cards, medical insurance cards, auto insurance cards, names, addresses, birthdates, a photo of you, where you shop, and money. Lose the wallet and you have an exponentially more devastating possibility of identity theft and fraud problems on your hands. We keep it sitting loosely in a fabric pocket or slung over our shoulders, yet people are complaining that the secure storage in the iPhone can’t be trusted? Really?
Apple has started the wave toward a new token-based payment system, ridding the world of the account-number-based method for good. However, with any new technology, especially one that ushers in change to a well-established routine, it will take more than a smile. Motivation, demand and/or financial incentives are the reasons why the industry shifts from old to new, not because it’s the latest cool new fad. Trends must be realized over time along with the value.
Here’s how (and why) Apple Pay and upcoming payment systems like it should replace everything we know about electronic payments –
- Consumers/Users won’t demand the change, but their use will – The more people that use it, the more businesses, banks, retailers and other users will take notice, but that’s not enough. Apple Pay could rid the world of fraud completely and it would never be adopted if the users reject it.
- Identity theft risk from a retailer’s breach is reduced significantly, almost to zero – With Apple Pay’s token-based transaction, a user’s account information, even their name, is not stored with the retailer. Only the transaction data is retained at the retailer. Apple Pay uses a random token that is the bridge between you, the retailer and the bank to issue payment. If the retailer is compromised, unlike today, the data doesn’t contain everything a hacker needs to go on a shopping spree at the user’s expense. This also raises another big motivator for businesses to accept Apple Pay: if they are not storing personal information around the transaction, the requirements of meeting PCI regulations go down, along with all the costs of meeting them.
- Banks, credit card companies start to see a way to make more money – Security and privacy today are not at the front of people’s minds…yet. Much like the elimination of paper checks, it will be the banks that motivate retailers to get off an antiquated system. Billions are spent and lost each year to fraudulent charges, theft, services; if there’s a way out of that money pit they will take it.
- Right here, I predict that in the next 3 years you will start to see ‘Security Fees’ for retailers that do not accept Apple Pay type token payment systems. One example could be that Apple Pay transactions are 2.5%, traditional cards 3%. Make it more costly to use an older system: if you can’t force, motivate.
- Retailers stop accepting account-numbered cards and the banks stop issuing them – Either you have token-based payments or you use cash. Like checks, if the financial incentive and fees are large enough, retailers will force the move, through bank fees and the reduced liability of data stored. This will take years, but all it takes is one big player to do it and the rest will follow.
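The token flow described in the list above, as an added Python example that is not from the original post or from Apple: it compares what a dumped merchant database exposes under card-number and token payments, and shows a lost-phone revocation. `TokenVault`, `breach_exposure`, the leading `9` on tokens and the card data are assumptions made for illustration.

```python
import secrets

IDENTITY_FIELDS = {"pan", "holder", "expiry"}  # what a card thief needs

class TokenVault:
    """Bank-side mapping of device token -> real card (hypothetical model)."""
    def __init__(self):
        self._cards = {}

    def provision(self, pan, holder):
        # Random account number for this device, not derived from the card.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        self._cards[token] = {"pan": pan, "holder": holder, "active": True}
        return token

    def authorize(self, token, cents):
        card = self._cards.get(token)
        return bool(card and card["active"] and cents > 0)

    def revoke(self, token):
        # Lost phone: the token dies, the plastic card number is untouched.
        if token in self._cards:
            self._cards[token]["active"] = False

def breach_exposure(merchant_db):
    """Identity fields an intruder finds in a dumped merchant database."""
    return sorted({k for row in merchant_db for k in row if k in IDENTITY_FIELDS})

def demo():
    vault = TokenVault()
    pan, holder = "4111111111111111", "Test Cardholder"  # constructed sample data
    token = vault.provision(pan, holder)
    legacy_db = [{"pan": pan, "holder": holder, "expiry": "12/30",
                  "cents": 1999, "item": "toilet paper"}]
    token_db = [{"token": token, "cents": 1999, "item": "toilet paper"}]
    paid = vault.authorize(token, 1999)
    vault.revoke(token)
    return {"legacy": breach_exposure(legacy_db),
            "tokenized": breach_exposure(token_db),
            "paid_before_revoke": paid,
            "paid_after_revoke": vault.authorize(token, 1999),
            "token": token}

if __name__ == "__main__":
    print(demo())
```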
Privacy of users’ data is going to get closer to center stage in 2015. The increasing number of breaches and the volume of user data that is compromised are staggering. Eventually a large entity will take action to put an end to it; either the banks, insurance companies or the government will step in with a firm hand. Another prediction: a breach will occur and it will show that the Apple Pay token users’ data contained no identity information, unlike that of traditional credit card users, and then the public will understand the improvements this makes. If 40 million records were stolen, 20 million were Apple Pay transactions and not impacted; non-Apple Pay users, not so much.
While I was having a discussion around security vs. privacy this topic came up, and one obstacle became clear that would fight tooth and nail to stop this. Marketers. When you use a traditional credit/debit card a business knows everything about you. They can track you over time; Target sends you custom coupons and knows when you would run out of toilet paper. They do this from the free data they get from you: who you are, what you buy and when. Apple Pay doesn’t give them your name anymore; the whole purpose of token-based payment systems is that the buyer is private. If you pay cash for something you are anonymous, and any payment method should be the same. No retailer needs your name, zip code, address or email, or to know anything about you. They sell, you buy. They get this information for their Big Data efforts. For years marketers have gotten free data and analytics, sold them, and used them for research, all without your consent or knowledge. Big Data in the retail space will change because of Apple Pay, and it will get much harder to gather the same data when electronic payment data becomes benign about who the buyer was.
Apple Pay needs to be successful. Other companies need to spin up their own token based systems, the Internet needs to accept it on all e-commerce sites, the public needs to look beyond waving your phone to buy something and understand what this really means for their private data.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.