Thursday, 11 September 2014

Some thoughts on Apple Pay

This week Apple launched its “Apple Pay” mobile payment service. To those familiar with NFC-equipped Android phones this might seem a “me too” offering. However, on closer inspection there are some radical differences between this NFC implementation and anything we’ve seen before. This fascinates me and I thought it worth sharing some of my thoughts on why Apple Pay might be significant. I have summarised the interesting points I’ve seen into six key areas:
  • Authorisation & Financial Limits
  • Security & Privacy
  • In-App Payments
  • Business Model
  • How Apple Pay relates to Bitcoin
  • Innovation or not?
I’ll take these one at a time and hopefully you will be able to follow my logic!

Authorisation and Financial Limits

NFC implementations tend to impose a financial limit on every payment transaction. In the UK this is typically £20 per transaction. In other jurisdictions different limits apply - for example, in the USA Google Wallet has a daily limit. These limits are imposed because NFC transactions mostly (always?) require no user authorisation - lose your NFC-equipped card or phone and anyone can spend your money. In these NFC implementations, everyone involved has agreed to make payments very easy by removing the need for signatures or PIN codes. Of course this is a massive security hole, so the limits ensure thieves only get away with a limited amount of our money.

It’s possible to design an NFC implementation that requires the user to enter a PIN number; indeed, I was involved in the outline design of such a solution for a bank a couple of years ago. However, there is significant complexity in doing this. Furthermore, the user experience of “tap, unlock phone, find wallet app, enter pin code to authorise”, destroys the original value of speed and simplicity that made NFC so attractive in the first place. A secure phone-based NFC wallet looked slower and more difficult to use than a plastic card and PIN number - hardly something likely to see market acceptance on a wide scale. Hence, everyone went with the unsecured solution and transaction limits; easier to use, but fairly limited in value.

Now, a £20 limit is OK if the only things I want to buy are sandwiches and coffees. I don’t know about you, but my idea of a wallet includes the ability to be slightly more profligate than that. And a £20 limit means I still need to carry my plastic cards with me. It ensures the mobile wallet is incapable of replacing my physical wallet and this is a significant barrier to adoption.

The big thing about Apple Pay is that it neatly solves this problem. By using TouchID for the authorisation, the transaction limits can be removed without interfering with the simplicity of a tap. Not only are all Apple Pay transactions authorised by a biometric fingerprint, which ensures we can buy expensive things, but the level of security actually increases over our traditional plastic cards.

In the USA the reliance on signatures for plastic card authorisation is a well understood exposure. In Europe we’ve moved to chip-and-pin, which is more secure - but it’s still notoriously easy for a thief to capture a 4-digit PIN by peering over our shoulders. Neither signatures nor PIN codes are particularly secure and, as a result, fraud in the industry is estimated to be a multi-billion-dollar problem.

Any authorisation method can be defeated with enough effort and fingerprints can be stolen. We went through all of this when TouchID was first launched a year ago. I blogged about it at the time. We heard the nay-sayers warning of fingerprints being stolen off the glass screens of our phones, or of violent thieves amputating our fingers. The fact that we’ve seen no reports of any such James Bond type activity actually occurring tells me that, whilst theoretically possible, it’s just too hard to justify the effort involved. So, TouchID seems a remarkably easy and secure method of authorising a payment transaction. I’ve used TouchID for a year on my iPhone and can report virtually faultless performance - it hardly ever fails to work first time. Extending this brilliant technology into payment authorisation seems an ideal solution and ensures security without introducing friction to the payment process.

In other NFC implementations the NFC radio is always active, which seems to be the only way to ensure that a swift tap is all it takes to make a payment. There has been some controversy about this, because of the concern of ‘accidental’ payments. Some have claimed this happens, others that this is practically impossible. Without wishing to assess the rights and wrongs, it is interesting that with Apple Pay it seems that a transaction can only occur whilst you are holding the TouchID button - so the risk of “accidental” transactions would appear to be virtually eliminated. So the combination of NFC payments and TouchID would appear to be a match made in heaven from what I can see.

Apple Watch can also make payments - so how does authorisation work, given it doesn’t have TouchID? The solution is novel and intriguing. When you put Apple Watch on your wrist, you enter a PIN code. The watch then uses sensors on the back of it to detect that the watch is in constant contact with your skin. If the watch is taken off, you need to re-enter the PIN code to make a purchase. I would never have thought of that solution - it’s brilliant!

Security & Privacy

One of the big challenges with traditional payment solutions is that they always rely on the integrity of retailers. When we make a credit card payment we hand over our card to a retailer, who is perfectly capable of stealing the information written on it if they are so inclined. It’s really bizarre that the supposedly “secret” information is in plain sight on that card. A few years ago, when card-not-present transactions started to take off, the industry augmented the card number with the CVV code to increase security. But the CVV code is written in plain sight on the back of the card - presumably on the back because it was thought that thieves wouldn’t think to turn the card over! We’ve all heard the warnings to beware of restaurants who take our card away to process a transaction, because that allows them to easily clone the details - and with good reason.

Many mobile payment solutions work by emulating that plastic card model - our wallet passes the same credit card numbers over to the retailer’s till. Such models, which rely on giving our “secret” details to a retailer and allowing them to debit our account, are all inherently insecure. Any system that surrenders information that can be used over-and-again to process fraudulent transactions has a massive fault-line through the middle of it.

With Apple Pay, Apple is exploiting the new capability of “Tokenisation”. This is a very new concept only just provided by the likes of Visa and Mastercard. It works by using a mathematical algorithm to create a one-time token. That token is what is passed to the retailer and used to complete a transaction, but the token can only be used once. So, even if a fraudster were to intercept the transaction and steal the token, it’s useless because it can’t be used for any future transactions. My colleague Richard Brown goes into more details about exactly how this works in his blog. Suffice to say that this approach is very neat in that it removes the inherent risk in transactions that work by ‘pushing’ payment credentials to a retailer. Particularly significant is that Apple never stores our payment credentials - so there’s no need to worry about the security (or otherwise) of “the cloud” in this case.

“It’s the most secure combination of technology that we’ve ever deployed,”
James Anderson, group head of mobile product development at credit card processor MasterCard

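To make the one-time token idea concrete, here is a simplified model added as an illustration; it is not Apple's, Visa's or Mastercard's actual scheme, and the HMAC construction, the transaction counter and every name in it are assumptions. The retailer only ever sees the payload returned by `pay()`, and the bank refuses the same payload a second time.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, counter, amount_pence):
    """Per-transaction value binding the counter and amount to the device key."""
    msg = f"{counter}|{amount_pence}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Bank side (hypothetical): maps a device token to the card, checks payments."""
    def __init__(self):
        self._vault = {}  # token -> [card_number, key, last_counter_seen]

    def provision(self, card_number):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = [card_number, key, 0]
        return token, key  # the phone never needs to hold the card number

    def authorise(self, p):
        entry = self._vault.get(p["token"])
        if entry is None:
            return "declined: unknown token"
        expected = cryptogram(entry[1], p["counter"], p["amount_pence"])
        if not hmac.compare_digest(expected, p["cryptogram"]):
            return "declined: bad cryptogram"
        if p["counter"] <= entry[2]:  # this one-time value has been used already
            return "declined: replayed token"
        entry[2] = p["counter"]
        return "approved"

class Device:
    """Phone side (hypothetical): holds only the token and key from provisioning."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_pence):
        # This dict is all the retailer's till receives: no card number, name or CVV.
        self._counter += 1
        return {"token": self.token, "counter": self._counter, "amount_pence": amount_pence,
                "cryptogram": cryptogram(self._key, self._counter, amount_pence)}

def demo():
    issuer, card = Issuer(), "4000 0000 0000 0002"  # constructed card number
    phone = Device(*issuer.provision(card))
    payload = phone.pay(4599)
    # First use, an intercepted copy replayed, and whether the card number leaked.
    return issuer.authorise(payload), issuer.authorise(dict(payload)), card in str(payload)

if __name__ == "__main__":
    print(demo())
```
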
Much of the thinking for technology-enabled payments has revolved around the capture of data associated with those transactions and how that data might be mined for, usually, advertising purposes. Knowing how much we spend and where we spend it is very valuable information. However, for some (many?) of us this has become increasingly disconcerting. Revealing such details and subjecting ourselves to targeted advertising is an increasingly unappealing practice. “If you’re not paying for it, you’re the product” is a cry eloquently made by @aral.

The Apple Pay commitments on privacy are very illuminating on this point:

“With Apple Pay, your payments are private. Apple doesn’t store the details of your transactions so they can’t be tied back to you. Your most recent purchases are kept in Passbook for your convenience, but that’s as far as it goes. Since you don’t have to show your credit or debit card, you never reveal your name, card number or security code to the cashier when you pay in store. This additional layer of privacy helps ensure that your information stays where it belongs. With you.”

With Apple Pay, we are seeing an explicit commitment not to collect our data or exploit it. For those concerned at a drift away from privacy in technology circles, this will be reassuring. This is a big difference in philosophy from some other providers.

In-App payments

Apple has a reputation for being ‘closed’, whatever that means. However, Apple Pay appears to be remarkably open. The scheme allows for third-party payment API providers to use Apple Pay as the payment mechanism. This is very nice, because it means we can all write mobile apps that take payments and with a choice of provider - a remarkably open approach. We’ve already seen announcements from Stripe, Payeezy, Chase, Cybersource and TSYS.

Further, Square’s Jack Dorsey has also tweeted that Square will be accepting Apple Pay in its mobile point-of-sale solutions.

Business Model

There have been a lot of reports circulating in the past week stating that Apple has negotiated a reduction in the “Interchange Rate” on card transactions. Interchange Rate is basically the charges applied for processing a transaction. As consumers we’re blissfully unaware of this because it’s the retailer who pays, rather than us. Reductions in the Interchange Rate are very interesting. How much reduction is being applied, and where that money ends up, might tell us a lot. The latest report suggests that Apple is actually receiving a fee from banks for processing Apple Pay transactions; this is super interesting.

Other suggestions have indicated that Apple is taking some (all?) of the fraud risk. Presumably banks would be happy to pay a fee in order to eliminate their fraud exposure. There’s certainly something interesting going on to get so many banks onboard so quickly. Chase is even mailing its customers touting the benefits of Apple Pay. Now banks are unlikely to be enthusiastic if they felt that Apple was parking its tanks on their lawn. They must be happy with the solution.

Quite what is happening here we might never know in detail, given the secrecy involved. However, it does seem there is some form of rebate or fee involved and possibly some risk-sharing. I blogged about the implications of this when the rumours first appeared.

If, as now might seem to be the case, Apple is receiving some form of fee for each transaction, this has huge implications. This potentially means that Apple is building a revenue stream from our usage of iPhones. If successful, this could allow them to subsidise the purchase price of phones. Given that the big benefit that Android phones have is a lower purchase price, this gives Apple a way to eliminate this competitive advantage. I have no idea if they really are receiving a meaningful fee or if they actually plan to use this to offset iPhone acquisition costs - I’m just speculating. Apple are cautious - no doubt they will be looking to see how Apple Pay takes off and see revenues become concrete, before deciding how to use this ‘fund’. But I think they have strategic options they didn’t last week.

How does Bitcoin relate to Apple Pay?

The payments world is currently obsessed with Bitcoin. However, Bitcoin isn't really analogous to plastic cards, and thus the current Apple Pay solution, because:
  • It's not provided by trusted or recognised brands familiar to average consumers,
  • There is no way to resolve the loss of a password,
  • There are no procedures or solutions to remove the risk of financial loss in the event of a hack or stolen password.
This means that Bitcoin is far more like cash than plastic cards - you lose it, it's your problem. There is no governance, no help desk and no anti-fraud procedures - but neither is there for cash.

We are beginning to see a strategy develop amongst the larger financial players of establishing trusted brands, electronic payment methods and wallets on top of the existing card infrastructure in order to ease consumers into the idea of more novel forms of payment. Once these have been established, Bitcoin (or other electronic currencies) can be added as an additional payment form - much like we carry both credit cards and cash today. For example Stripe, who power a lot of in-app payments, first started by exploiting cards but are now working on easing Bitcoin in as an alternative payment method. This kind of approach legitimises novel currencies like Bitcoin for average consumers. It’s easy to see that, once Apple Pay has achieved traction and consumer trust/acceptance, more novel payment mechanisms like Bitcoin could similarly be added.

“Doing Bitcoin” straight off would be very un-Apple. It’s much more like them to first establish trust in Apple Pay by using existing recognisable brands and payment mechanisms. Only once that is established would more novel approaches be considered. I see Apple Pay as buying a strategic option to potentially adopt novel payment mechanisms or currencies in the future. Whether they will or not I have no insight - but I think they just bought themselves a future option.

Apple Pay - an Innovation or not?

I do a lot of work with customers around Innovation. I’m always careful to distinguish between “Invention” and “Innovation”, for they are different concepts.

Invention is the creation of entirely new things. This typically involves deep research and science. It’s more often the case that the initial releases of Inventions are not well tuned to the marketplace. Technology needs to mature, consumers’ minds need time to adapt to new concepts, manufacturing costs need to drop to affordable levels. Invention is necessary to create a pipeline of new products, but those products are more often than not created from second-generation inventions, where the “newish” but “not entirely new” concepts and inventions are pieced together.

The Oxford English Dictionary defines Innovation as “the introduction of novelties; the alteration of what is established by the introduction of new elements or forms.” I like this definition because it succinctly defines what Innovation is and why it isn’t the same as Invention.

Whilst all of the elements of Apple Pay are indeed not new, the combination of NFC, Tokenisation, TouchID and Apple Watch’s skin sensors together create something that has never been seen before. This is certainly novel, it certainly introduces new value and it looks very probable that we are seeing the establishment of a new model for payments. I think this easily counts as Innovation.

To see what others think about Apple Pay and its implications, this handy summary by Fortune is very useful. Hopefully my thoughts align with those with only a slightly higher profile than my humble self ;-)

Update 11th Sept 2014

As a result of some useful prompts from @BillyBambrough I have revised the section on Bitcoin in order to better represent that it is more analogous to cash, than to credit cards. This is an important point, because trying to fix Bitcoin to make it work like a credit card would likely destroy what makes it so unique. Perhaps there is a future role for such novel currencies in the same way that we all carry cash in addition to credit cards today. My thanks to Billy for his helpful intervention to sharpen my thinking on this important topic!
