Six Colors

by Jason Snell & Dan Moren

By Glenn Fleishman

A week of Apple Pay: Chips, PINs, and… signatures?

Note: This story has not been updated for several years.

[Glenn Fleishman is the editor and publisher of The Magazine, which is currently crowdfunding an anthology of the best work of its second year in publication. He writes regularly for the Economist, Boing Boing, and Macworld, and tweets incessantly—please someone make him stop before he kills again—at @glennf.]

A week into the rollout of Apple Pay, it’s clear that Apple is on to something, and not everyone understands what. First, Rite Aid and CVS, which have had NFC (near-field communication) readers installed in their checkout lines for some years in anticipation of the future finally arriving, disabled them to prevent Apple Pay’s use. Related, Tim Cook says the uptake for Apple Pay is high: one million activations within the first three days.

Second, Americans and Europeans think that chip-and-PIN is coming to America by October 2015, which it is not. Third, many people (including me and Six Colors chief poobah Jason Snell) thought Apple Pay obviated all signatures. Fourth? I finally used Apple Pay.

Let’s break these down, shall we?

## Starbucks’s bucks

NFC has been an always-next-year technology for payment that’s already been widely adopted for other purposes, few of them visible to consumers. As merchants have revamped their point-of-sale (rightly abbreviated POS) systems to prepare for the future of embedded-chip cards, they’ve had to add NFC support, even though there were virtually no users.

While Google enabled NFC as an option through Google Wallet, the lack of participation by banks and merchants, and of promotion, failed to drive wide-scale adoption. In talking to clerks and colleagues, it’s clear relatively few people have ever tapped to pay with a smartphone compared to the volume of swipe-based transactions.

As I noted in the Economist last week, Starbucks said in July 2014 it sees 6 million mobile payments a week in its North American stores—about 15 percent of all payments.

Starbucks’s approach, if you haven’t seen it, was to migrate its very popular stored-value Starbucks Card—which carries with it affinity program benefits of free drinks and the like—to an app. You can load the app with value without having a card now, or you can register a card and swipe it or use the app. The app requires that you generate a 2D payment token on screen and scan it or have the barista scan it. With Passbook, any Starbucks store you’ve marked as a favorite is geofenced: arrive there, and the payment 2D code is available from the lock screen.

Rite Aid, CVS, Walmart, Best Buy, and others are part of a consortium called Merchant Customer Exchange. They want customers to use a system under development called CurrentC, which is superficially like Starbucks’s system.

CurrentC’s purpose is to let big merchants bypass credit-card processing fees and reduce the expense of middlemen, while also gathering buying habits of customers across multiple large chains of stores. The app will require customers to link their bank accounts for direct withdrawals, without any sense yet of how MCX will protect or indemnify them against fraud or cracking. (You shouldn’t use a debit card with a PIN for the same reason: debit cards have perilously few protections in America when used with a PIN.)

With CurrentC, the merchant will generate a 2D barcode that a customer will scan from within the app, and then the customer will approve payment through a token system. However, CurrentC doesn’t rely on or require hardware protection of the sort that Apple has built for Apple Pay.

CurrentC is months away, at which point Apple will have tens of millions of people in America, and one hopes tens of millions more elsewhere, making payments each week through new iPhones and linked Apple Watches. CurrentC is the latest in a string of failed merchant-based payment schemes. Starbucks is essentially the only company that’s succeeded in shifting its customers to in-house stored value cards and mobile payments.

And let’s be clear. After the dozens of merchant security breaches of recent years, who among us would give CurrentC—even if it were run perfectly and independently—our bank account information? Thank you, no.

## Chip ahoy!

Yes, embedded chips are coming to America, and you Europeans can stop your crowing about how you had it years ago and it’s so great and your croissants and bangers are terrific and whatever. Europe’s banks typically shifted more burden onto consumers for fraud and other problems, and the industry and regulators pushed more quickly for a technology solution that’s proven quite good in practice.

But Europeans (and folks in other parts of the world) are used to two sorts of payments. All credit cards have an EMV (Europay, MasterCard, and Visa) chip embedded, which performs a cryptographic handshake with a merchant’s terminal to validate the card is genuine. Some cards also have NFC built in, and it sounds like all new American credit cards will include NFC. (Some existing early chipped cards only have the EMV chip, as with American Express.)

With a card that lacks NFC, the transaction is always chip-and-PIN: the card is dipped or inserted into a reader that communicates with the chip for validation, and then the consumer enters a PIN, a second factor only you know. If a transaction is below a certain level and the card has an NFC chip, you can wave your card, and the chip validates wirelessly, and no PIN is required.

Wikipedia lists these values as “under US$25 in the U.S., under A$100 in Australia, under NZD$80 in New Zealand, under €25 in most euro area countries (but only under €15 in Ireland), and under £20 in the UK.”

This will be confusing with Apple Pay, as an Italian colleague notes that there’s no option in Italy to use contactless payment for amounts above €25—you have to enter a PIN. How will Apple implement that with European banks? And how will European banks allow their NFC-based cards to be used here?

When I heard a year or two ago that chip-and-muffled-sound were coming to America, as the fraud rate was too high, and all the parties who control the conversation had finally agreed to put chips in cards, I wrongly assumed like most people I’ve spoken with—Americans and otherwise—that the October 2015 deadline would require banks and merchants to adopt chip-and-PIN. Nuh-uh. Even the Wall Street Journal got this wrong earlier this year and had to run a correction.

As spelled out neatly at CreditCardForum, on October 1, 2015, the liability will shift from the credit-card processing networks like Visa and MasterCard to banks and merchants for fraud, card reissuing, and the like. Banks who don’t put chips in cards or merchants who can’t read the chips will have full exposure to any liability from swiped transactions.

But that’s just the minimum requirement. Some banks say they will only issue chip-bearing cards that work with a PIN; all merchants are going to have to support the entry of a PIN where it’s required. And from many sources, it seems clear that the PIN is a bonus to reduce fraud—just as a second factor helps when a password is stolen—but that the chip provides the primary benefit.

Apple Pay is essentially chip-and-PIN where your fingerprint is the PIN. Except…

## Signing of the times

A few days ago, poor John Gordon tried to convince Mr. Snell and myself that Apple Pay required a signature for each transaction, because he was forced to sign for an Apple Pay transaction at an Apple Store. We were in disbelief, because Apple Pay isn’t supposed to require a signature.

It turns out John and Jason and I were all correct, sort of: John used Apple Pay at an Apple Store and had to sign; and Apple Pay doesn’t require, but allows a signature. As John pointed out to us, the Apple support document for Apple Pay clearly explains that there may be an optional signature required!

Place your finger on Touch ID and move your iPhone near the reader to complete the payment. You might also need to sign a receipt, depending on the store and the transaction amount.

So we’re not free of signatures yet. We expect that as Apple Pay’s robustness is demonstrated and merchants (including Apple!) update their POS systems, the signature requirement might ease, or the dollar amount threshold might rise. Since Touch ID is technically a second factor of authorization—the equivalent of a PIN or a signature—it’s possible that Apple Pay transactions will be capable of being completed without a third factor of verification. Reports have indicated that Apple is assuming some of the cost of fraud with Apple Pay and making some of its money from the banks for so doing. Thus, Apple may be able to negotiate with banks and merchants for higher amounts.

## Walgreens for the win

Our friend Ed Bott, Windows enthusiast and the recipient of the Glenn Fleishman unlocked iPhone 5s of 2014 award (for a small fee), noted this tweet from Walgreens on October 28:

Clever. Given that there’s a Walgreens across the street from my co-working space, I dashed over and bought some heart-healthy 75-percent cacao chocolate. Research is critical.

As with Jason’s experience last week, clerks are still getting used to Apple Pay, and are baffled and amused by it. Before trying to pay with my phone, I told the young woman helping me—who was clearly an experienced employee based on how she managed the POS controls—that I was going to use the phone to pay.

She didn’t know exactly what I meant. I held my iPhone 6 near the terminal, it showed the credit card and transaction, and asked for my fingerprint. I held my finger down and the transaction was instantly approved. She looked mildly confused, and said that she hadn’t seen it used before, or maybe a single time. The experience was so seamless, I wasn’t quite sure what had happened.

I did not go full Abe Simpson, but I did hear that whooshing sound in my ears, as technology sped past my ability to immediately accept it. Then I ate some chocolate.
