How Apple Pay is designed to avoid the pitfalls of traditional payment systems


Comments

  • Reply 21 of 73
    netmage Posts: 314 member
    Given some of the details provided here, which make sense to me as they use the existing transaction fields already handled by payment terminals, I don't think public key cryptography is part of it, and the merchant is given some ability to track user purchases:

    http://www.tuaw.com/2014/10/02/apple-pay-an-in-depth-look-at-whats-behind-the-secure-payment/
  • Reply 22 of 73
    Quote:

    Originally Posted by ascii View Post

     

    I'm sure the shops will figure out some way to track you... For example, if your device is in NFC range (10cm) it's probably also in Bluetooth range, and Bluetooth has a unique mac address.




    I think the point is that the vendors will continue to figure a way to track us and I consider it my job to make it harder at each step.  I have "Glimmer Blocker" (a personal firewall - so webpages or an app cannot access given websites) on my Apple MBP and I keep adding the url for many sites to it.  I also have AddBlockerPlus and it is amazing how much is getting blocked.  Lastly, I use "DoNotTrackMe" and it provides redirected email addresses so websites where I have to register do not actually have my email address on their databases.

     

    Good luck all....

  • Reply 23 of 73
    radarthekat Posts: 3,843 moderator
    When and where is Apple expected to put out a simple "here's what you need to know about ApplePay and how it works"? Anyone know?

    I think I'll wait for that, instead of the confusing emails from my credit card companies and such.

    With the iOS 8.1 install, Apple will walk users through the setup for whatever credit card you have on file with iTunes. And likely tell you what you need to know in order to set up additional cards and how to use Apple Pay at stores and online retailers.
  • Reply 24 of 73
    maestro64 Posts: 5,043 member
    Quote:
    Originally Posted by ascii View Post

     

    I'm sure the shops will figure out some way to track you... For example, if your device is in NFC range (10cm) it's probably also in Bluetooth range, and Bluetooth has a unique mac address.


    They still will not have your name and address, but to your point, I notice that most merchants are asking for either a phone number or an email address. This is how they are tracking, but you have to choose to share with them, whereas with the current CC process they take your address and name without asking you.

     

    In the case of Walmart, they may never allow or move to Apple Pay. Why? Most of their customers are not Apple users; Walmart customers are budget buyers, who are not Apple customers.

  • Reply 25 of 73
    gatorguy Posts: 24,213 member
    maestro64 wrote: »
    The only analytics they do on your buying habits is to watch for fraud. Walmart wants to know who you are and what you are buying. Applepay will cut them out of knowing who you are unless you use a frequent buyers card or their own CC.

    ...or if you have an iBeacon app on your phone using the same background provider as the one the retailer you're visiting uses. Or if you click on an in-store ad as explained in this article.
    http://www.acquisio.com/blog/mobile/apple-pay-answer-store-attribution

    Also note that while Apple is certainly committed to user privacy (kudos for that!) they've at the same time added some new and unannounced user tracking capabilities to iOS8. They've apparently recognized iAd customers need to have access to some personal user data to make their spending with Apple worthwhile.
  • Reply 26 of 73
    It's important to note Apple didn't really invent Apple Pay. The banks/CC companies/EMV are the ones who created the system and the infrastructure.

    Apple happens to be the first with a phone-based "implementation" of this system. Of course, Apple's implementation is fantastic so they deserve some credit for Apple Pay. But the underlying security (tokenization) was not created by Apple.

    A lot of people don't get this and think Apple is creating some new proprietary system, and this is why some stores aren't signing up. Or that it's less secure because it's Apple's own system (also untrue).
  • Reply 27 of 73
    I fully expect Apple Pay will be prominently featured in the story lines of current TV programs of all kinds to familiarize people with the actual use. Also, I've no doubt it will be splashed all over every news story from top to bottom. Remember, banks and credit card companies benefit from Apple Pay, and if any of us have learned anything over the past decade plus, it's that the banks run everything (and this is no longer tinfoil hat conspiracy chatter).
  • Reply 28 of 73
    It's important to note Apple didn't really invent Apple Pay. The banks/CC companies/EMV are the ones who created the system and the infrastructure.

    Apple happens to be the first with a phone-based "implementation" of this system. Of course, Apple's implementation is fantastic so they deserve some credit for Apple Pay. But the underlying security (tokenization) was not created by Apple.

    A lot of people don't get this and think Apple is creating some new proprietary system, and this is why some stores aren't signing up. Or that it's less secure because it's Apple's own system (also untrue).

    I have a link to a patent that indicates otherwise. Apple designed Apple Pay to improve the existing, flawed system. They removed the area of greatest risk by disintermediating the credit card.
  • Reply 29 of 73
    It's important to note Apple didn't really invent Apple Pay. The banks/CC companies/EMV are the ones who created the system and the infrastructure.

    Apple happens to be the first with a phone-based "implementation" of this system. Of course, Apple's implementation is fantastic so they deserve some credit for Apple Pay. But the underlying security (tokenization) was not created by Apple.

    A lot of people don't get this and think Apple is creating some new proprietary system, and this is why some stores aren't signing up. Or that it's less secure because it's Apple's own system (also untrue).


    This is correct, Apple didn't invent any of this technology. Apple only created the best implementation of contactless payments to date using proprietary technology. Innovation isn't the same as invention but innovation is equally important for mass adoption of complex technologies. Innovation is what Apple does far better than anyone else:
    • Apple ID
    • Apple Pay servers
    • Find my iPhone
    • Passbook
    • Secure Element
    • TouchID
    • Two factor authentication
  • Reply 30 of 73
    cornchip Posts: 1,950 member
    Quote:

    Originally Posted by AppleInsider View Post



    When paying with Google Wallet, consumers aren't paying directly. Google actually foots the bill and then charges the customers' card on file.

     

    Oh Nice!

  • Reply 31 of 73
    I have a link to a patent that indicates otherwise. Apple designed Apple Pay to improve the existing, flawed system. They removed the area of greatest risk by disintermediating the credit card.
    I don't think so, but I'd like to see that link.

    EMVco only published their tokenization specification in May of this year. Apple is using that system. Apple is big, but not big enough to force the big banks and CC companies to adopt their system.

    Visa, for example, is saying their token service works with Apple Pay now and Android in the future. If it was truly Apple's system then I doubt they'd be allowing Visa to let Android devices also use it.
  • Reply 32 of 73
    I don't think so, but I'd like to see that link.

    EMVco only published their tokenization specification in May of this year. Apple is using that system. Apple is big, but not big enough to force the big banks and CC companies to adopt their system.

    Visa, for example, is saying their token service works with Apple Pay now and Android in the future. If it was truly Apple's system then I doubt they'd be allowing Visa to let Android devices also use it.

    http://www.patentlyapple.com/patently-apple/tech-nfc/

    Look around here. They have most Apple patents on Apple Pay linked.
  • Reply 33 of 73
    solipsismx Posts: 19,566 member
    Apple is big, but not big enough to force the big banks and CC companies to adopt their system.

    It's not about forcing anyone to do anything, it's about making a system that generates more net profit for the financial institutions.
  • Reply 34 of 73
    misa Posts: 827 member
    plovell wrote: »

    Apple already said that it will roll out in Europe next year. I guess that Canada will get it also (maybe even sooner ?)

    Europe is attractive because there are lots of NFC terminals already. OTOH, they already have chip+PIN so there's less urgency for it than there is in the U.S.

    ... pending banks getting on board.

    Canada and Europe have chip+pin, and we also have NFC already. So if the NFC terminals need to be updated to support Apple Pay, there might be some balking at having to cycle the hardware out yet again, but we've had chip+pin terminals long before chip+pin was rolled out. In fact (in Canada) we had CIBC/Amex try to roll out a chip card more than a decade before EMV chip+pin actually got forced on everyone.

    The thing is, chip+pin and NFC payments as they are currently in Canada and Europe, don't work like US payment systems work. Even Canadian banks that own American Banks (BMO, TD) aren't rolling out Apple Pay at their Canadian banks. The systems are all internally different. In a sense, when you use BMO in Canada with your US debit card, it's being treated as a cash advance on a credit card, and you can't actually access the US bank account to withdraw "US cash"

    So this is why there will obviously be problems with Apple Pay being rolled out in Canada and Europe, because we have different debit card systems, and the banks have their own proprietary solutions they would rather you use.
    http://www.iphoneincanada.ca/news/td-bank-cio-apple-pay/
    Martin also addressed Apple’s new NFC mobile payments system, Apple Pay. He says the bank is closely watching developments, but also reiterated the U.S. and Canadian banks are different in the way credit card and debit transactions are handled. Down in the States, banks can make fees off debit transactions, opposite of what Canadian banks are able to charge. For this reason alone, Martin opines Apple Pay is “at least a year away” from coming here.

    In a technical sense Apple Pay is more secure than chip+pin, as it uses a biometric "PIN", and Apple never stores the card number in the device (like Google does.)
  • Reply 35 of 73
    Quote:
    Originally Posted by MazeCookie View Post

     

    The tokens are stored with the bank on their own servers and are resolved to actual card numbers there.

     

     



     

    I believe the article is stating they are stored with the card network (MC, Visa, Amex). 

     

    Quote:

     Tokenization is not a new concept, but Apple's implementation is reportedly far more secure and brings tokenization into the real world. Traditionally, credit card tokenization was an online-only affair and the token vault -- a database that maps tokens to credit card numbers -- was maintained by the payment gateway.



    Apple has worked directly with credit card networks like Visa and American Express to move tokenization to their end of the chain according to details of Apple Pay's design revealed by POS provider Clover.


     

  • Reply 36 of 73

    Another competitor, SoftCard -- formerly ISIS -- stores consumers' credit card numbers in a secure element on the SIM card itself. During a transaction, the number and additional metadata is transmitted via NFC as though the card were swiped, and the rest of the process continues in the same manner.

     

    I wonder why they changed their name? Was it a branding problem of some kind?

  • Reply 37 of 73
    Quote:

    Originally Posted by Mehran View Post

     

    Remember, Apple is not rolling out ApplePay so I doubt ....


    With all due respect, I have no idea what you're talking about. That's like saying the record companies were the ones rolling out iTunes...

  • Reply 38 of 73
    Quote:

    Originally Posted by Phone-UI-Guy View Post

     

     

    I believe the article is stating they are stored with the card network (MC, Visa, Amex). 




    Indeed it does.

     

    But for this payment flow to work how it does, both Visa/MC/AMEX and the banks will need to store this translation data.

     

    Visa/MC/AMEX to know which bank to actually route the transaction to, and the bank to combine the device account number with the dynamic security code to verify the transaction is valid.
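
The flow described in the reply above (the network resolves the token to route the transaction, the bank checks the device account number together with the dynamic security code), sketched as an added example that is not part of any post in this thread and is not Apple's or EMVCo's code. The class names, the message fields, the counter-based replay check and the HMAC-based code are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def dynamic_code(key: bytes, dan: str, amount_cents: int, counter: int) -> str:
    """Per-transaction security code (assumed construction: truncated HMAC-SHA256)."""
    msg = f"{dan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Network:
    """Card network: token vault mapping device account number -> (PAN, issuer)."""
    def __init__(self):
        self.vault = {}

    def provision(self, pan, issuer):
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        self.vault[dan] = (pan, issuer)
        return dan, issuer.enroll(dan, pan)   # key goes to the device's secure element

    def authorize(self, msg):
        entry = self.vault.get(msg["dan"])
        if entry is None:
            return False                      # unknown token: nowhere to route
        _pan, issuer = entry
        return issuer.verify(msg)

class Issuer:
    """Issuing bank: keeps its own DAN -> PAN record, key and last counter seen."""
    def __init__(self):
        self.accounts = {}

    def enroll(self, dan, pan):
        key = secrets.token_bytes(32)
        self.accounts[dan] = {"pan": pan, "key": key, "last": 0}
        return key

    def verify(self, msg):
        acct = self.accounts.get(msg["dan"])
        if acct is None or msg["counter"] <= acct["last"]:
            return False                      # unknown token or replayed counter
        want = dynamic_code(acct["key"], msg["dan"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(want, msg["code"]):
            return False                      # wrong key, or amount/counter altered
        acct["last"] = msg["counter"]
        return True

def device_pay(dan, key, amount, counter):
    """What the terminal receives over NFC: token and code, never the PAN."""
    return {"dan": dan, "amount": amount, "counter": counter,
            "code": dynamic_code(key, dan, amount, counter)}
```

A message captured at the merchant is useless for a second charge: replaying it fails the counter check, and changing the amount invalidates the code.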

  • Reply 39 of 73
    Quote:
    Originally Posted by SolipsismX View Post





    It's not about forcing anyone to do anything, it's about making a system that generates more net profit for the financial institutions.

     

    Force is not a good word. Why does Apple need to re-invent the wheel? EMVco has been dealing with online transactions and security forever. It doesn't make sense that they would use an outside developed system from a company with very little transaction processing experience.

     

    http://www.emvco.com/specifications.aspx?id=263

     

    Read this specification on EMVco tokenization. Especially the part about where tokens come from and compare their graphic/description to the one above in the Clover article linked regarding Apple Pay. See anything similar? Apple Pay and EMVco tokenization systems are the same.

     

    Edited: Forgot, go to page 24 of the PDF to see their graphic.

  • Reply 40 of 73
    Eas
    I wouldn't count on it. Some of the Maps implementation is overdue to certain international customers since iOS 6 and iTunes Radio is still a US-only feature (AFAIK).
    I use it here in Korea. Sure, from the U.S. store, but at least it is not blocked like the others.