It’s been a week since Apple announced its new shininess, long enough for some of the shine to dull somewhat. The watch is unavailable, the phones are bending, and the new iOS 8 rollout was uncharacteristically botched. This is the right time, I think, to reflect on what was really important from the announcements. The answer is none of the above. Apple Pay was the only genuinely transformative announcement made last week.
Let’s first do some revision on what makes a good payment security scheme. It really boils down to two things: authentication (so that both sides know and trust the other) and non-repudiation (so that the transaction completes exactly as both sides have agreed). For the purposes of this post, we’ll focus on authentication. (We’ll ignore for the moment other, no less important aspects of a good security system such as: secure internet access, secure fulfilment, anti-malware measures, keeping software and hardware up-to-date, and the ability to do all of this cheaply and easily.)
Authentication is based upon tokens: user name + password or credit cards. The theory is that only you and the other side know both bits of information, so if both sides accept the token, you’re authenticated. The key weakness is that it’s inherently one-way: at the time of authentication, you are providing all the information, and the other side is making all of the evaluation. Are you sure that it’s the boutique shoe shop asking you for your credit card details? And how does the shoe shop know that the person entering the credit card information is authorised to spend on it?
A credit card number is also a single piece of information. You can marginally improve the security by requiring more than one piece of data before you are authenticated (CVV2 number as well as CC number, mother’s maiden name etc.). You can also improve by asking a trusted third party to ask the question (as in the Verified by Visa scheme or WorldPay).
But these measures do not address the problem that the customer is not in control of the process: only the faceless computer on the other side has the power to accept or reject. Nor do these measures address the problem that the trusted information is from a limited set (security questions are limited by your memory). Both concerns are addressed by two-factor authentication.
Two factors are better than one
The two factors are: something only you have (so that we’re sure you’re you) + something only you know (so that you’re authenticating intentionally – non-repudiation). In this scheme both sides prove themselves to each other, so both sides retain control.
The first person to prove themselves is usually the bank, by texting you a code to your pre-registered mobile. This code is then your password (or an additional password). This code doesn’t have to be agreed in advance, so can be anything, not limited to something you can remember. And because this password is single-use, nobody else can read your text and misuse it afterwards.
Two-factor authentication is transformative for online commerce because it removes a barrier to purchase that has nothing to do with the goods you want to buy – it removes the fear of being defrauded. However, physical commerce has yet to catch up.
Interlude – whose problem is credit card fraud?
Just because the credit card company, or retailer, will assume liability for fraud, doesn’t mean that there’s no impact for the consumer – distress of having a crime perpetrated against them, inconvenience of proving that the fraud took place, and impact to credit score.
However, the way the system is supposed to work, financial losses are not borne by the consumer. The cost of fraud is the cost of doing business for the credit card company, and the hefty transaction fees charged to the merchant mean that business is good. So perhaps the person that really loses out is the small merchant in the middle, who can’t afford to be defrauded by their customers. This is a point missed by many (like in this recent NYT article).
How Apple Pay works
You need one important fact to put this next part into context, if you’re a non-North American reader: US credit cards still rely on swiping a magnetic strip and checking a signature. Europe has been significantly ahead in this regard, as chip and PIN is now the de facto standard in many countries. As you can imagine, fraud is rightly a significant concern in the US. Simply asking for photo ID significantly improves security, because it effectively replaces the trusted token of something you have (the credit card) with something you are (your face) – biometric authentication.
We’ve seen how single-factor authentication is inherently weak: it’s one-way and relies on a limited set of trusted information. Apple Pay eliminates these limitations by providing secure transactions with the merchant whilst maintaining a trusted relationship with you. Let’s examine how it works.
When you want to make a payment, you select the goods or service within the retailer’s (or card issuer’s) app and choose Apple Pay as the payment mechanism. Alternatively, when you tap the NFC Point of Sales payment terminal, the terminal and your phone negotiate the exact content of the transaction and present the Payment Sheet to you via an app. Either way, you then authorise it using your fingerprint and Touch ID.
Once authorised, the app receives a payment token from the iPhone PassKit secure software module. Alternatively in the case of an NFC tap, PassKit presents a payment token to the POS terminal. The actual credit card details are not shared. Furthermore, this payment token is specific to the transaction. The merchant asks its payment processor to authorise the payment token on his behalf (with the card issuer). Once the payment is authorised, the merchant can confirm the order. The only people to see the credit card information are the payment processors. Everybody else sees a payment token, which expires once the transaction has been completed.
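The token properties described above (no card number in the token, bound to one transaction, useless once spent) can be modelled in a few lines. This is an added illustration, not Apple's actual protocol or any PassKit API: the `Processor` and `Device` classes, the HMAC construction and the card number are all constructed for the example.

```python
import hashlib, hmac, json, secrets

def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class Processor:
    """Hypothetical payment processor: the only party that stores card numbers."""
    def __init__(self):
        self._accounts = {}   # device_id -> (shared key, card number)
        self._seen = set()    # nonces of tokens that have already been spent

    def enrol(self, device_id, pan):
        key = secrets.token_bytes(32)
        self._accounts[device_id] = (key, pan)
        return key            # provisioned into the device once, at enrolment

    def authorise(self, token, merchant, amount_cents):
        body, _, mac = token.rpartition(".")
        try:
            claims = json.loads(body)
            key, _pan = self._accounts[claims["device"]]
        except (ValueError, KeyError, TypeError):
            return "declined: malformed token"
        if not hmac.compare_digest(mac.encode(), _mac(key, body).encode()):
            return "declined: bad MAC"
        if (claims["merchant"], claims["amount"]) != (merchant, amount_cents):
            return "declined: token is bound to a different transaction"
        if claims["nonce"] in self._seen:
            return "declined: token already used"
        self._seen.add(claims["nonce"])   # spend the token: it cannot be replayed
        return "approved"

class Device:
    """Hypothetical phone: holds a key, never hands the card number to the merchant."""
    def __init__(self, device_id, key):
        self.device_id, self._key = device_id, key

    def payment_token(self, merchant, amount_cents, user_approved):
        if not user_approved:             # stands in for the fingerprint check
            raise PermissionError("payment sheet was not approved")
        body = json.dumps({"device": self.device_id, "merchant": merchant,
                           "amount": amount_cents, "nonce": secrets.token_hex(8)})
        return body + "." + _mac(self._key, body)

def demo():
    processor = Processor()
    phone = Device("phone-1", processor.enrol("phone-1", "4111111111111111"))  # constructed test number
    token = phone.payment_token("shoe-shop", 4999, user_approved=True)
    return ("4111111111111111" in token, [processor.authorise(token, "shoe-shop", a) for a in (9999, 4999, 4999)])
```

The merchant only ever handles `token`: an altered amount is declined, the agreed amount is approved once, and presenting the same token again is declined.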
Apple Pay solves the two problems we saw earlier: providing two-factor authorisation (the iPhone is “something you have” and your fingerprint is the “something you know”), and not sharing your credit card details (by using payment tokens instead).
Better yet, if you wear an Apple Watch, you don’t even have to take out your obviously expensive iPhone to complete the purchase. The Apple Watch can communicate with the POS terminal to create the Payment Sheet. When you first put it on, you can authenticate it using the Touch ID on your phone, and so long as you keep the watch on and next to your skin, it remains authenticated. So the Apple Watch proves your biometric identity.
Why Apple Pay is genuinely important
Apple Pay brings secure commerce to the physical world, but why should we care? I think the answer lies not so much in the way it’s better, but the way that it’s Apple.
Apple’s mojo is sky high. People love using their iPhones. And imitators such as Android benefit from the halo effect. Now that Apple has combined security with convenience, there’s no friction to making a transaction both secure and convenient. People will want to use Apple Pay, and because of this, the ability to provide Apple Pay point of sales will be a competitive advantage. Conversely, not providing Apple Pay will be enough of a disadvantage to warrant any additional investment by merchants.
What’s the down side? For consumers, it’s a further barrier to leaving Apple’s technohug. For merchants, they lose access to the user-identifiable purchase data that they got with their credit card purchase info. But this can be replaced with loyalty programmes, and even iBeacon proximity offers. Replacing Point-of-Sales equipment with NFC will be expensive (replacing POS hardware is a key reason why chip and PIN is still uncommon in the US). (It’s perhaps interesting to note that merchants solely taking payments through an app won’t even need new POS, so long as they’re happy ceding payment control to Apple.) There may even be some up-side as Apple has negotiated lower “no card present” fees than merchants currently suffer.
Before long, it won’t just be Apple Pay. Google Wallet already exists, but isn’t widely accepted yet. The more that these secure payment mechanisms are implemented in physical commerce, the more merchants will offer them, the more consumers will use them, and the more consumers and merchants will be protected against the potentially catastrophic effects of fraud. That’s why this is the most impactful of Apple’s announcements; Apple Pay will benefit physical commerce globally by making security a problem that everyone wants to solve.
(To explore this topic further, have a read of this great post by Richard Gendal Brown on why the current credit card transaction model is inherently weak.)