From Softcard's FAQ:
What is the "Secure Element"?
The Secure Element is a dedicated hardware component included with your smartphone, and is used to store your payment card information. The Secure Element operates independently from the rest of your phone, and limits access to authorized applications like the Softcard app.
Come on, I view this like a Fox Mews article. Only some of the facts regarding the tech used in Softcard transactions. If you want to see a real breakdown of Apple Pay vs Google Wallet/Softcard etc., visit the Consumer Reports review of these payment options. Facts, people.
The big downside to Google Wallet right now is the cloud-based tokenization requires a cell signal, problematic in some stores. That needs to change.
But that issue is the foundation for the inherent problem with Google Wallet and inherent success with Apple Pay. Google Wallet forces you to use their partnered bank to route all your transactions, while Apple went with the people that actually verify your transactions. Apple also put the control in the hands of the financial institutions as to how much or little additional security is required to set up Apple Pay per device per card. Out of 5 cards, 4 of them had different ways to verify I was the card holder. For this reason, anyone trying to say that Google Wallet and Apple Pay are the same because they both use a token is like saying that a bank and a mobster are the same because they both will loan you money.
The old rumor from a month ago had them sharing a bit of their ad revenue with the carriers. No mention so far on the actual finished deal AFAIK.
Comments
>> Softcard works via NFC technology, but does not sport the same tokenized backend infrastructure of Apple Pay.
This is incorrect. They both tokenize in essentially the same manner.
>> Instead, credit card data is stored on a user's SIM card and transmitted to a POS terminal for processing.
Again incorrect. They both transmit tokens to the POS.
Google is a payment processor for Wallet. Google has your CC information as well as full transaction history.
Wallet is not a full tokenized solution going all the way back to the bank. Google has set up nothing with the banks like Apple has.
A Google search will bring up a number of references. One of the less technical is Consumer Reports, which has accurate information (http://www.consumerreports.org/cro/news/2014/09/virtual-wallet-review-apple-pay-google-wallet-softcard-and-loop-wallet/index.htm):
"Bigger differences showed up in security. Softcard uses 10 of 13 security measures we examined—more than its rivals–giving it the best score. For example, though all of the mobile wallets use encrypted storage for sensitive data and require a PIN to unlock the wallet, Google and Loop let you turn off the wallet-lock timer. That makes it easier to pay at the check-out, but it also leaves the wallet open to unauthorized charges if you lose it or leave it unattended. On the other hand, Google and Softcard let you remotely disable the wallet if it's lost or stolen.
Apple Pay offers improved security, particularly with its Touch ID fingerprint authentication, that can take the place of a PIN to unlock the phone and wallet. That's important, because users soon tire of having to constantly punch in a PIN and surrender to the temptation to disable the auto locks altogether. The convenience of Touch ID should boost security, even though it can be disabled for the phone and Apple Pay.
Apple Pay also provides great security by generating a unique code or "token" for each transaction, which can't be re-used, and by storing "device account numbers" on the phone's encrypted chip, in place of your actual payment card account numbers. Even if a hacker gets those numbers, they can't be used outside of Apple Pay.
But Google Wallet and Softcard also use dynamic transaction tokens, and Google generates and stores "virtual card" substitutes for your real payment card numbers. So Apple Pay tokenization is not the innovation it's been tricked out to be. LoopPay says it will have tokenization in 2015.
All four wallets also check to make sure that the card properly belongs to the owner of the phone and virtual wallet, to prevent crooks from adding your card to their wallet."
...and then transmitted to the NFC device. That sounds even safer! /s
Still making deals with carriers for specific hardware/software functionality.
Welcome to 2006.
It's like Google fucks around, releasing shit just to bide their time until Apple comes out with their version, so they can see what the "right" way is, after which they decide to dedicate and commit to something. Google had years to make Google Wallet worthwhile, but instead let it flounder. They were "1st", which is all that matters, and gave all the slobbering Android fanboys the "lol we have nfc" useless ammunition for a few yrs.
What is the "Secure Element"?
The Secure Element is a dedicated hardware component included with your smartphone, and is used to store your payment card information. The Secure Element operates independently from the rest of your phone, and limits access to authorized applications like the Softcard app.
https://www.gosoftcard.com/help.html
http://www.consumerreports.org/cro/news/2014/09/virtual-wallet-review-apple-pay-google-wallet-softcard-and-loop-wallet/index.htm
But that issue is inherent to the foundation of Google Wallet as well as the success of Apple Pay. Google Wallet forces you to use their partnered bank to route all your transactions, while Apple went with the people that actually verify your transactions. Apple also put the control in the hands of the financial institutions as to how much or little additional security is required to set up Apple Pay per device per card. Out of 5 cards, 4 of them had different ways to verify I was the card holder. For this reason, anyone trying to say that Google Wallet and Apple Pay are the same because they both use a token is like saying that a bank and a mobster are the same because they both will loan you money.
Google absolutely uses tokenization, but not exactly the same way as ApplePay. IMHO Apple's is by far the better way but from strictly a payment security standpoint they both are darn secure. The big downside to Google Wallet right now is the cloud-based tokenization requires a cell signal, problematic in some stores. That needs to change.
Here's a thumbnail description I found on ApplePay, Google Wallet and Softcard.
http://www.creditcards.com/credit-card-news/apple-pay-google-wallet-softcard-mobile-wallet-review-1457.php
Nothing about Softcard but Google Wallet on tokenization which I already knew. Google tokenization is authenticated by PIN, which can be intercepted and used outside of the app. That's another vulnerability for Google Wallet.
Softcard may work just like this article described: storing CC info in the SIM and transmitting it (encrypted) to the POS, yes, full CC info, not a token code.
>> Softcard works via NFC technology, but does not sport the same tokenized backend infrastructure of Apple Pay.
This is incorrect. They both tokenize in essentially the same manner.
>> Instead, credit card data is stored on a user's SIM card and transmitted to a POS terminal for processing.
Again incorrect. They both transmit tokens to the POS.
You are incorrect. They both use tokens, but Apple Pay uses network tokenization where your bank/issuer is the one who issues the tokens. Google Wallet does not.
Apple Pay is superior to Google Wallet, LoopPay and Softcard since only Apple Pay is currently using the latest EMVCo tokenization technology.
I would not be one of those saying they're the same.
The important thing is that some people implicitly trust Google and have no issue handing over this information to them. Google only wants what's best and free for users. They're altruists. They're not evil.
Sure, which is one of the reasons I was saying that Apple would very likely use NFC if and when they add a mobile payment system, but putting your actual card info in the Secure Element, regardless of whether it has a token and having you go through an intermediary banking service, regardless of whether it requires an Internet connection, is simply myopic. Yes, it's poor planning, but it's poor planning because of the shortsighted motivation involved, when getting the end-to-end security in place was always the only logical option. If I was saying 3 years ago that's how a mobile payment should use a representational card number that is only known by your bank then it's not exactly rocket surgery. IMO, this is why Apple continues to succeed. They create a product with their focus on it being great, and only after that figure out how they can profit from it, not the other way around.
Google offered a secure element integrated with the NFC chip à la ApplePay several years ago. The carriers blocked it since they were planning their own mobile pay solution. In essence the carriers took away Google's first choice for mobile payment security. As I read about it, Google spent a couple of years working to bypass the block. So along comes ApplePay breaking the blockade. Kudos.
So it's not so much Google being caught with their pants down as carrier greed interfering. With the carriers unlikely to continue blocking the NFC-embedded secure element I'll be surprised if Google doesn't go back to it, but who knows but Google. They sometimes do odd stuff.
Google's business model always seems to be beholden to the carriers. Why is that?
Apple, not so much.
I wonder if Google had to share advertising revenue or pay annual fees to get the buy-ins from the carriers.
Apparently Google isn't actually buying Softcard either. Instead they've acquired some IP/tech from them. Softcard itself will likely just fold up its tent and go away.
No, Google's pants were down when Apple Pay came out.
Apple figured a way around it and Google should have also. Flat out they didn't think payments would be this big.
I don't think Google got caught with their pants down.
More like their jaw dropped when they realized how little pull they have with carriers and how much pull Apple has.
Ultimately I expect all mobile payments to be pretty much exactly like Apple Pay, insofar as the per device credentials are set up, saved and sent by each bank to the device. Meaning, there is no carrier or 3rd-party banks involved with the setup.
Perhaps Apple has an exclusivity right now, but if I were running Apple I wouldn't have requested such a thing because this sort of security is simply too beneficial to keep out of the hands of everyone. On the one hand that would hurt Apple's bottom line if it's not exclusive, but on the other it would help get more NFC-enabled devices at retailers which will help make Apple Pay even more money for Apple. On top of that, banks can't end the fraud claims if people still carry a wallet with cards with them because NFC-based payments still aren't common enough, so the faster this end-to-end setup becomes ubiquitous, the better the results are for banks, Apple and consumers.
Ultimately I expect all mobile payments to be pretty much exactly like Apple Pay, insofar as the per device credentials are set up, saved and sent by each bank to the device. Meaning, there is no carrier or 3rd-party banks involved with the setup.
Perhaps Apple has an exclusivity right now, but if I were running Apple I wouldn't have requested such a thing because this sort of security is simply too beneficial to keep out of the hands of everyone.
Agree. The more security for everybody, the better.
On the other hand, I'm sure Apple has all manner of patents on TouchID and Secure Element.
Those are the two crucial user-facing hardware technologies.
Ultimately I expect all mobile payments to be pretty much exactly like Apple Pay, insofar as the per device credentials are set up, saved and sent by each bank to the device. Meaning, there is no carrier or 3rd-party banks involved with the setup.
Perhaps Apple has an exclusivity right now, but if I were running Apple I wouldn't have requested such a thing because this sort of security is simply too beneficial to keep out of the hands of everyone.
I don't think it is an exclusive as much as it reflects a level of effort and time that Google did not attempt.