I think the 'smart endpoint' will be a fundamental shift in how credit accounts are handled. The physical card is silly, and the intermediate PoS devices are suspect too. Building an end to end solution where each party (buyer, seller, bank) only know what they need to know solves the fundamental issue of too much data passed
I buy a coffee
PoS device says "$4.28 plus what ever tip you want"
I tap my phone, it receives 'Seller XXXX [an encrypted token for their bank account encrypted by their bank's public key and retailers private key] wants 4.28 (4.00+tax)... do you want to pay and how much?"
I click add 15% to subtotal and 'purchase' with my touch ID
which unlocks my account number, which I then encrypt in my private key
Phone sends my bank "Pay Seller XXXX $4.68" encrypted in my banks [or apple's] public key
(all of this is tokenized, checksummed, serialized and tokenized
that the worst thing that can happen is replay of exactly the same
transaction being rejected due to serialization issues)
Transaction goes to PoS device (can't read it), off to the internet to Apple/myBank
My Bank decrypts it, and decrypts my account with my public key
verifies my limits and (if denied, sends a note back to ME saying "sorry, can't pay them")
sends retailers bank (or proxy) a verifiction [do you know retailer XXXX?] [again encrypted in bank to bank PKI
They say yes, bank queues up a transfer and sends me [my public key, bank's private key[ and the Retailer[in retailers public key,] Approved.
Transactions clear on my device and PoS
- Starbucks never knows who I am or what my account is... they just know my bank told their bank 'you'll get the money'
'Loyalty' cards, may obviate that... I know 'who you are' but that's separate from the PAN information from your Credit Account
- Banks don't know the other bank's client's accounts perse, just that real time, each can say, what you sent me was valid.
I drink expensive dirty water, and the barista may get their .60 at the end of their shift.
Even online/offline purchases work for this, by my phone and my bank generating 1 time transaction accounts that are pre-authed for only that transaction amount and that seller at that particular time.
Getting rid of the physical, human readable card is a big deal. Tokenizing the transaction beginning at the Seller and not the PoS device (it's all in the clear in RAM before tokenization... right Target?)
This gets to the crux of information security.... It's not the computers, the networks, or the people... 'it's the DATA, stupid!' The earlier in the transaction you can secure the 'secret' (account number... all the rest is purely authentication data... exp date, name, phone , zip code, CVV CVV2). Using this sort of model, Other than the endpoint setup (where risk of intercept is greatest), your account number should never be known by anyone other than you and your bank.) Then it's just 'authorizing' (who is allowed to use this data), and that's where TouchID (and account setup) narrows it down as well (only these devices, and persons who are registered to use the secure enclave verified by biometrics on those devices are allowed to transact with this account).
The obvious risk is covert takeover of the endpoint. That's where Apple's risk is, and why, I think, you'll never see a 'multi-user' iOS device.
This is pretty much how I do my Google Wallet now. This new Apple NFC thing is great for everyone.
NFC will work with any device. Regardless of OS. NFC is a standard. I use it everyday already from my phone.
You're correct with this. The iPhone will/should have NFC. So now Google can use that for their Google Wallet which will work just the same. This is how I'm going to do it when I get the new iPhone. No lock in for me at all. I can use any device I want at any time and it will all be seamless.
Wooden it be nice?
No I don't.
Paypal and the CC companies actually do something to earn their keep, otherwise people would not use them. What is Apple going to do that warrants anyone giving them money in exchange?
The CC companies and Paypal don't need Apple. They are not going to forego billions in income and hand it over to Apple just because Apple are offering a different conduit for transactions.
CC companies share fees with Square, why? Because Square offers a great service to business owners. Why is Apple any different if they provide a service that users prefer? Besides, Apple can offer what others can't; safer transactions due to TouchID.
The CC companies share their fees? Could you provide a link for that because me reading of it is that they charge a fee on top of what the CC companies do.
Apple is different because the are not offering anything to the merchants - who pay the fees. They aren't offering anything to the consumer either except a minor convenience. If Apple were to try charging a fee to iPhone users for each payment they made, I think they would switch back to just handing their card over.
How much greater security is touch ID to entering a PIN? It has been years since I had to sign and have my signature compared to the one on the card. I don't see touch ID being meaningfully more secure than that process either.
What I meant (perhaps not clearly) is that Square charges 2.75%, of which something like 70-80% funnels back to the CC companies. Apple could essentially be the same. There isn't an additional fee from the consumer standpoint. For the convenience/security of a TouchID payment, Apple would retain x amount and funnel the rest back to the CC companies.
How is it more secure than a PIN? Simple. The card is stored on the phone itself in the secure enclave, and only accessible via TouchID. You don't need a physical card nor a PIN.
Lock in? Maybe. Maybe not. One person's "lock in" is another person's godsend.
Either way, there will be huge benefits for iPhone ecosystem users: convenience and security.
Sign me up.
Oh, and in case anybody has forgotten, Apple has worked long and hard on adding value to their hardware.
iTunes, iWork, iCloud, and umpteen other ecosystem features all add enormous value.
An "iWallet" strategy would add significant value to that already massive ecosystem.
Apple will not be a bank but might well buy one. That way the bank gets regulated but Apple does not.
The important thing to remember is that banking is not Apple's business, and the banking business can be treacherous (you can ask GE about that). Apple would probably prefer not to do banking, but will do it if it's the only way to get where they want to be.
With regard to Apple getting a better deal but accepting part of the risk - my guess is that Apple would insist on this. Not because it wants to take on risk, but it know that the risk is slight because the system is secure. On the other hand, Samsung's "system" is not. Samsung will certainly try to do a similar deal and will have to accept the risk, or no deal. That could be expensive, very expensive. And that is precisely Apple's plan here -- you have copied our look-and-feel, well now put your money where your mouth is.
The reports I have seen suggest three things:
1. the fee is lower - merchants will love that
2. Apple gets to keep a piece of that fee, and assumes some of the fraud risk
3. card-present and not-present (i.e. on-line) transactions have the same fee, not different (as happens today)
Merchants in the U.S. do not check signatures (when I recently used my U.S. card in England and Germany - it worked OK and the merchants checked every time). And so there's fraud but the fee is enough to cover it (and we all pay, in the end). But with TouchID fraud becomes almost impossible. And secure-enclave-enabled end-to-end secure transactions mean that the POS-scraping stuff (i.e. Target, maybe Home Depot) become impossible. The local store and even the head office processing system never get data than can enable later fraudulent transactions.
So I see what the banks and card issuers like this -- but where is the benefit for users? I guess we'll have to wait until Tuesday to know that part.
Edit: add link <http://bankinnovation.net/2014/09/apple-said-to-negotiate-deep-payments-discounts-from-big-banks/>
Apple will probably be more than a little unhappy about this.
johnny mozzarella wrote: »
In order to do these digital payments you will need an iOS device with NFC.
if you already have an iPhone then all you need is the iWatch.
If you don't have an iPhone, then you need to buy the iPhone 6 with NFC.
tenly wrote: »
You lost all credibility with the very first sentence of your post. You clearly have a lack of imagination if you think the only way to do mobile payments is via NFC.
NFC is certainly one technology that could be used to facilitate a mobile payment system, but I can think of a couple other systems off the top of my head - and I'm confident that Apple can think of even more!
Whatever it is that Apple announces next week in terms of their mobile payment system, it will certainly *not* require an NFC chip!
Apple doesn't release new features on a whim - especially one of this magnitude. This feature has been in design/development for well over a year and if there were even the slightest chance that it would require NFC to work - last year's iPhone 5S and 5C would 100% for sure have included an NFC chip. They didn't! So this mobile payment system is going to be different - possible based on some variant of iBeacon technology, Bluetooth low-energy or something completely different! But definitely not NFC!
I think one exciting twist to Apple's mobile payment system would be the incorporation of the new "Family Sharing" feature! Imagine being able to help out your teen by letting then carry a digital copy of your credit card with them - that they could use as if it were there own - but with every purchase they make being presented on the head of the families device for authorization! This would be the ultimate in convenience and flexibility - and they've already built-in this exact capability for purchases made via an iTunes account!
I don't know if you heard it here first - but you sure as hell have heard it here! LOL. Whatever it ends up being, Tuesday is going to be an exciting day!!!
Oh! Did they announce "Tap and Pay"?
I thought the announcement was for a "Mobile Payment Solution".
Or are you just so far inside the box that you don't even realize that you're in a box at all? Mobile Payments does not necessarily mean "Tap and Pay". That may be the way it works today, but there's no reason to believe that will be the way it works tomorrow! If anyone can take the "tap" out of "Tap and Pay", Apple can.
I envision one possible solution where your bill gets transmitted directly to your phone over Bluetooth and your phone picks it up because its the only one in range and automatically displays it - even on the lock screen. If the amount is below a certain threshold, the payment just goes through. If it's above the threshold, you may be prompted to authenticate the purchase using your thumbprint or a PIN code. It it's a tipped purchase, it may prompt you to enter the tip amount!
I stand by my prediction that NFC will not be a part of Apple's Mobile Payment Solution.