Just to be clear - I was responding to your comment which basically claimed NFC transactions were unsecure - as if the credit card companies/banks didn't think of something like this.
"All a crook has to do is install a small NFC reader under the terminal. Every single transaction they record is going to be a financial transaction. This is a gold mine for criminals."
This is basically misinformation for an existing product live in the marketplace.
Square is also hardly where Apple wants to play - they basically created a 'better' POS terminal with a modern UI, integration into smart devices, and simplified pricing. However, they fit into the payment ecosystem simply as another processor without changing the overall equation at all - you either swipe your card for it to go through as a magstripe transaction or you type it in for a card not present (CNP) transaction. And they happen to be bleeding money and basically looking for a buyer.
Say Apple does release a new Bluetooth method to pass payment credentials from your phone to a POS through some TBD whatchamacallit (BTW you painfully underestimate the sheer number of POS terminals globally as well as the certification process with each one to ensure end-to-end security). By default it will have to default to a CNP transaction which would be terrible for in-store merchants. Magstripe, chip and sign, chip and pin, NFC, etc are all certified delivery methods that are supported by the card issuer and enforced globally by the big payment networks (MC, V). You simply cannot create a new method by yourself and expect the payment ecosystem from processors to acquirers to the network to card issuers to magically support it. If Apple wants this new delivery method to be considered secure and not CNP, all of these parties have to be onboard. Otherwise guess what, it's CNP.
If Apple is truly going to release an in-store solution that they want to be used globally, I'd put my money that it will ride existing rails (most likely NFC) simply b/c Apple is smart enough not to get into the quagmire of the end-merchant world, globally. But for sure it'll add something new and likely a step forward in security. But it'll be through playing with the other big players.
First off, I never said NFC was insecure. From the get go I stated that the close-coupling of NFC doesn't make it more secure than other forms of wireless. I was talking about the possibility of sniffing data from NFC vs BT or other wireless technology. All things being equal (the type of data being transferred) there's no difference in security. If there was useful data then it's easier to crack NFC because you can target your sniffer to an exact location to get only the data you need.
As to Apple implementing a payment solution, you completely missed my point. Apple doesn't need to make a system that works with current payment processors - Apple can become their own payment processor. That eliminates the majority of the issues you brought up. This is how I foresee an Apple system working:
- Store provides merchant ID and dollar amount to your iPhone over BT. You authorize the purchase and select payment method (credit, debit or gift card).
- Your device ID along with the merchant ID and amount is encrypted and sent to Apple over LTE/3G. No card numbers or personally identifiable information gets sent to Apple. Simply a request that this device wants to send money to that merchant.
- Apple checks your selected payment method, ensures funds are there and approves the transaction. An encrypted reference number is sent back to your iPhone. At the same time a matching encrypted reference is sent to the Apple POS system in the store over wired Internet.
- Your iPhone sends its reference number to the POS terminal which compares it to the one also sent from Apple (and also to an internal encryption key that's unique to every POS terminal).
- Retailer says thank you and lets you leave.
- Apple transfers money from their account to the merchant account.
BTW, this is similar to another market Apple has been rumoured to get into: TV. Apple doesn't want to sell people an Apple TV that still has to deal with cable networks and the idea of "channels and bundles". They want to distribute content a-la-carte, just like they do with music. They want to cut out cable companies and distribute content directly themselves.
Apple has no interest in adding a service on top of an existing system run by cronies who are slow to embrace new technology and are stuck in a 20 year old mindset.
Author of The Fuel Injection Bible
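The reference-matching step from the flow proposed in the post above, as an added sketch that is not part of the thread and not any real Apple or card-network design. It assumes HMAC-SHA256 as the way the reference is tied to the per-terminal key, merchant ID and amount; the class names, IDs and amounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _tag(key, ref, merchant_id, amount_cents):
    # Bind the reference to the merchant and amount under the terminal's key.
    msg = f"{ref}|{merchant_id}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Processor:
    """Hypothetical central service that approves a purchase."""
    def __init__(self):
        self.terminal_keys = {}

    def enroll(self, terminal_id):
        # One secret per POS terminal, shared only with that terminal.
        self.terminal_keys[terminal_id] = secrets.token_bytes(32)
        return self.terminal_keys[terminal_id]

    def approve(self, terminal_id, merchant_id, amount_cents):
        ref = secrets.token_hex(16)  # goes to the phone
        tag = _tag(self.terminal_keys[terminal_id], ref, merchant_id, amount_cents)
        return ref, tag              # tag goes to the POS over the wired link

class Terminal:
    """Hypothetical POS side: holds its own key and the tags it is waiting on."""
    def __init__(self, merchant_id, key):
        self.merchant_id, self.key = merchant_id, key
        self.pending = set()

    def expect(self, tag):
        self.pending.add(tag)

    def accept(self, ref_from_phone, amount_cents):
        expected = _tag(self.key, ref_from_phone, self.merchant_id, amount_cents)
        for tag in list(self.pending):
            if hmac.compare_digest(tag, expected):  # constant-time comparison
                self.pending.discard(tag)           # single use: a replay fails
                return True
        return False

def demo():
    p = Processor()
    pos_a = Terminal("merchant-001", p.enroll("pos-a"))
    pos_b = Terminal("merchant-001", p.enroll("pos-b"))
    ref, tag = p.approve("pos-a", "merchant-001", 1250)
    pos_a.expect(tag)
    pos_b.expect(tag)  # even if the tag leaks to another terminal, its key differs
    return {
        "wrong_amount": pos_a.accept(ref, 99999),
        "other_terminal": pos_b.accept(ref, 1250),
        "genuine": pos_a.accept(ref, 1250),
        "replay": pos_a.accept(ref, 1250),
    }

if __name__ == "__main__":
    print(demo())
```

A reference captured over the phone-to-terminal link is only accepted once, at the terminal it was issued for, and for the approved amount.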