Apple Pay for Better Security

Over the last year I’ve had several opportunities to drive to remote parts of Oregon. Often we stop by a local grocery / convenience store to pick up groceries or a snack. These stores are small, often with a single checkout lane and a quaint atmosphere of old-time store goods.

A bit of fun for me is to walk up to the credit card reader, which usually has the icon for near field communication (NFC), and surreptitiously use my Apple Watch with Apple Pay enabled to quickly pay for groceries without taking out my credit card. The cashier gets flummoxed and wonders what happened, and I show them my Apple Watch with my card image and they laugh.

What is sad is that Apple Pay works “out of the box” at most of these remote grocery stores but it doesn’t work at many of the large retailers in the city. Instead of encouraging Apple Pay or similar Google technologies, the retailers want to control the experience and the data, so they turn off this feature. You have the unfortunate alternative of putting your credit card in the chip reader and waiting for 5-10 seconds, which slows the whole line. Worse than the inconvenience is the fact that Apple Pay is much more secure than any card reader – Apple Pay doesn’t provide your “real” credit card to the store, instead it uses a “token” for the transaction.

From a WSJ article titled “Is Apple Pay Riskier or Safer than a Credit Card”:

Apple Pay, Samsung Pay and Android Pay are far more secure than traditional credit cards because they rely on virtual account numbers and create unique security codes, or tokens, for each transaction, payment experts say. Those encrypted tokens are verified by card issuers such as Visa or Mastercard before a transaction is approved.

Add to that the fact that Apple and Samsung Pay require fingerprint verification, and you have a system that is “very secure, and much more secure than the cards we’ve been carrying around in our pockets,” said James Wester, a research director at IDC Financial Insights.
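
The token-and-cryptogram idea described in the article, as an added example that is not part of the original post or of any payment network's code: a simplified model in which HMAC-SHA256 stands in for the real cryptogram algorithm, and the class names, merchant ID and card number are constructed for illustration. It shows that the merchant's copy of the payment message contains no real card number and cannot be replayed or altered.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, token, merchant, amount_cents, counter):
    # One-time security code bound to this token, merchant, amount and counter.
    data = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Card issuer/network side: maps tokens to real cards and verifies codes."""
    def __init__(self):
        self.vault = {}  # token -> [real card number, key, last counter seen]

    def provision(self, real_pan):
        # The virtual account number given to the device instead of the real card.
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = [real_pan, key, 0]
        return token, key

    def authorize(self, msg):
        entry = self.vault.get(msg["token"])
        if entry is None:
            return "declined: unknown token"
        _real_pan, key, last = entry
        expected = cryptogram(key, msg["token"], msg["merchant"],
                              msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= last:
            return "declined: replayed transaction"
        entry[2] = msg["counter"]
        return "approved"

class Device:
    """Watch/phone side: stores only the token and key, never the real card."""
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, merchant, amount_cents):
        self.counter += 1
        code = cryptogram(self.key, self.token, merchant, amount_cents, self.counter)
        return {"token": self.token, "merchant": merchant,
                "amount_cents": amount_cents, "counter": self.counter,
                "cryptogram": code}

def demo():
    issuer = Issuer()
    real_pan = "4111111111111111"  # constructed test card number
    watch = Device(*issuer.provision(real_pan))
    msg = watch.pay("grocery-001", 1250)  # everything the merchant ever sees
    first, replay = issuer.authorize(msg), issuer.authorize(msg)
    forged = {**msg, "amount_cents": 99900, "counter": msg["counter"] + 1}
    return real_pan in str(msg), first, replay, issuer.authorize(forged)
```
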

It is very frustrating that a technology that works “out of the box” at a remote grocery store is not utilized by a major retailer like Target, which has suffered a highly public consumer security breach. I hope that more people try to use this sort of payment technology, whether it is via Apple or Android, and complain to retailers when they put up barriers to implementation.

Cross posted at LITGM

11 thoughts on “Apple Pay for Better Security”

  1. You put a card in the machine? We just touch our card to the machine, in Canada. It’s pretty well instant, it’s been like that for about a decade now.

    Possibly why there is not much market for pay methods here.

  2. Just spitballing but your description of surreptitiously paying makes me wonder if the physical setup of checkouts in many larger retailers makes it difficult for them to enable this due to the possibility of inadvertent triggering of somebody else’s device. I’ve seen it in use in some convenience stores but in those cases the payment devices are usually widely separated (if there is more than one) with plenty of white space so people don’t crowd up to the register, very unlike the usual crammed cattle chutes in many big box stores.

    From a personal aspect I’m not really keen on enabling access to my bank or credit accounts on my phone in a way that can be triggered without me doing something physical so the time savings is going to be negligible. While the transaction itself might be safer I feel that I’m more in danger of my phone being lost/stolen (a risk with credit cards, too, I know) or the payment app triggered by fraud.

  3. I don’t use debit cards in most big retailers because I worry about access to my account by hackers.

    My son had his bank account emptied around Christmas two years ago. He had used his debit card at a gas station. The bank (Chase) took over a month to restore his balance.

  4. I don’t think debit cards are worth the risk if you have more than a small amount of money in your account.

    Also, you can inadvertently negate the security benefit of two-factor authentication by having the authenticator app on your phone or by configuring your accounts to send authorization codes to your phone.

  5. Carl from Chicago:

    “Apple Pay is much more secure than any card reader – Apple Pay doesn’t provide your “real” credit card to the store, instead it uses a “token” for the transaction.”

    I believe this (and the WSJ article) are outdated. All of my cards (credit and debit) are now “chipped” and in the vast majority of stores, I have to insert the card into a chip reader instead of swiping it to read the magnetic strip. In those cases, the exact same form of encoded transaction occurs. As I have heard it described, a “chipped” card generates a “virtual” account number for that transaction only. The retailer gets that “virtual” account number, but never your real account number. This is also why it takes longer for a “chipped” card to complete the transaction (there is more back-and-forth with the bank/card issuer) versus swiping the strip. This capability has been common in Europe for many years. Your Apple watch is doing the same thing. It may appear to go faster, but the only thing that might actually be faster is not retrieving your card from your wallet/purse and the use of the Touch system versus entering a multi-digit PIN code.

    The NFC capability is just a different form of card reader, and it works with some credit/debit cards too. And I’ve also seen people struggle to get it to read properly, just as with the standard chip reader.

    I do most of the retail shopping for our family and I’ve observed that the real delays in getting through a checkout line stem from the inability of people to understand that the process today is the exact same as the process yesterday and that you can do something to speed it along. Put your bags on top of the goods on the conveyor (I live in California and we have to bring our own bags to the store) so the clerk can scan them and put them directly in the bag. Have your card ready and as soon as the clerk starts scanning, put your card in and start the payment process. Almost always, I’m waiting for the clerk to finish, not the other way around. As the clerk finishes bagging, put the bags in your cart and move away from the reader as soon as you’re done paying so the next person can start. It infuriates me to see people just standing in front of the card reader, doing nothing, watching the clerk scan their items. Then, when the clerk is done, remember that they have bags, struggle to get their card out, try three times to punch in their PIN, then wait for the clerk to finish bagging (I always help with that), get their receipt and only then step away. Evidently, not many people understand how pipelining speeds up queues (to use the technical terms). Yes, a pet peeve of mine. I consider it rude to make other people wait unnecessarily.

  6. BTW, Carl from Chicago, it appears we might be neighbors in a few years. My wife and I have concluded that California is becoming unlivable and we see no prospect that it will get better. We had really hoped that we would be able to retire and stay in our home (which we love) or move somewhere nearby, but all that seems untenable now.

    I already have friends in Amity. My wife had never been there, but in August we went up there for the eclipse. She fell in love with the area, so that is number one on our list. I’m trying to find time to come up in the near future to look at some properties, find a real estate agent and an architect. It’ll be a few years before we can actually move (my wife wants to finish the job she is currently working on), but it’s time to get started…

  7. A lot of people come to Oregon to visit and want to stay here. Best of luck if you choose to come out and stay!

    I am not sure of the actual reading of the chip card reader but mobile payments are here to stay for most of the world due to convenience. My apple watch is paired to my phone and I have a sign in and need the phone with me so I am not too worried about accidentally paying or it being taken. True that on your phone your security codes come to that same phone (notifications) which is a weaker part of the process.

    All in all security is relative – you want to do the widest range of items with the least risk. I don’t use a debit card at all because there are many risks and virtually no upside against having a credit card, assuming you pay your bills on time and don’t accrue interest.

    If retailers writ large embraced technologies like apple pay or android equivalents the world would be much, much safer in terms of hacking. All those credit cards on file in databases in all these institutions wouldn’t be needed, and the card readers wouldn’t be a continuous point of risk. Also the US chip model doesn’t make a lot of sense because you don’t have an authentication code like Europe – if you steal someone’s card you can just put it in the reader and it works – the only risk it mitigates is the risk that you have a “fake” card. I can’t speak to the chip side using tokens.

    I do think that the world would be immensely better off if we used methods like apple pay and android pay through devices with multi security like 2 factor (need to sign in to phone or have biometrics). And not to have credit cards on file in databases…

    The reason that companies and others are terrified of apple and android pay is that if they ever got together they could replace credit cards entirely with bank wires and avoid the whole world of the 2% charges once people get used to paying through third party devices and when the retailers got on board.

    Credit cards have 2 values – they facilitate payment, and they “loan” money to folks at an interest rate. If you could do #1 without #2 at a cost of almost nothing (because the network is already there) you would drain billions of dollars of overhead waste out of the system each year. This is a topic for another post and the real reason that it is being fought tooth and nail.

    Credit card companies are like cellular companies – they believe they add value but they don’t. Need to disintermediate the functions and have them stand on their own and costs and monopolies / captive markets will collapse.

    But monopolies like Visa and Mastercard don’t cut their own throats. And retailers are terrified too.

  8. Our entire country uses tap to pay, well most of us, with debit cards. This seems to work just fine and is probably as secure as any phone. I’m not sure why the US seems to be so far behind in this, I suspect unbridled competition. ;)

  9. I decided after I had read the first few pages of boiler plate that handing over a debit card was the same as handing them your bank account, and waiting for them to hand part of it back. The credit card will never get more money than I choose to give, short of legal process. Then there’s cash.

    The credit card terminals conduct an encrypted transaction that bypasses the merchant’s system. The only information that is supposed to be on their system is the last 4 digits of the card and the approval. Most breaches that have occurred were those merchants that used their own systems (the stripe reader on the side of the screen) where the encryption takes place on what is essentially a PC, often running Windows, with some malicious program running in the background. This is why I generally use cash at restaurants or other places that don’t provide a terminal. The terminals themselves are “supposed” to be physically secured as if they were cash.

  10. The banks want us to use the cards, debit that is, they don’t have as much skin in the credit card game. I have been bit on a credit card one time for a fairly trivial amount, and it was back in my account the next day. I talked to the security guys and explained the details and they said that’s not an uncommon scam, and they probably had them at this point.

    Now debit is kinda even harder to break as it’s all on their equipment anyway. As well the amounts in normal transactions are pretty small and only a serious effort will make you money. Now I have my bank on my phone, so if I feel at all uncomfortable, I can simply call up my account right there, and look at the last transaction.

  11. PenGun, I’ve seen those RFI cards in Canada and they are starting to show up in the U.S. I don’t trust the security on them. Someone could just walk up behind you and wave a wand. Now you have a charge on your account. You may be able to dispute it but why go through the hassle? I’ve seen wallets being marketed with RFI protection because of this issue. Not sure how effective they are.
