Sunday, September 28, 2014

Apple Pay, Google Wallet, NFC credit cards, and Chip and Pin credit cards for brick and mortar transactions - which why?

NFC credit cards:
  • I am hearing about credit cards with NFC, which means the cards could be used by tapping or waving the card at a point of sale (POS) terminal.  Apparently this is real: http://www.consumerreports.org/cro/magazine-archive/2011/june/money/credit-card-fraud/rfid-credit-cards/index.htm
  • These cards are hard to secure.  I do not recommend them!
  • They go by the names "blink", "PayPass", "payWave", "ExpressPay", or "Zip" and may have a wireless symbol on them (as seen on the Consumer Reports site listed above).
  • This is not the same as EMV or chip and pin.
The EMV Chip card initiative:
  • It is what we are currently switching over to use in the US.  My understanding is that all replacement credit cards in the US from now on will have an embedded chip.
  • If merchants continue to use magnetic stripe credit card readers past a certain date, then in the end the merchants take on the fraud liability from magnetic stripe credit card usage.
  • This system was first used in parts of Europe in the early 1990s; it is not new to the world.
  • When your card is inserted, you must then type in a PIN code, validating that it is you using the card.  This changes things - restaurants and merchants no longer take your credit card, for example; they must let you type in your PIN while the card is in use.  
  • This initiative is a big deal, because it means almost all merchants will be upgrading their POS terminals.  And while they are upgrading, they have an opportunity to add other features, such as NFC.  There was no similar wide-ranging initiative and incentive to push merchants in the US to upgrade POS terminals previously.
NFC:
  • There is an alliance of credit card companies that has a FAQ - http://www.smartcardalliance.org/publications-nfc-frequently-asked-questions/
  • Android, Microsoft, Blackberry, and Apple all have initiatives to use NFC for payments.  Even some feature phones (non-smart phones) have NFC.  I'll explore only Android and Apple in this post, as they have the majority of the smartphone market share.
Google Wallet Tap and Pay (the name for the NFC feature)
  • They have had it since 2011 - for years!  And yet, read on...
  • Google Wallet Tap and Pay - that's a long name (complaint tongue in cheek)
  • Google has not explained their service well. ( http://www.forbes.com/sites/quora/2014/09/18/why-do-people-think-apple-pay-is-so-innovative-when-an-equivalent-has-been-part-of-android-for-two-years/ )
  • Some carriers (AT&T, Verizon, T-Mobile) have been interfering with Tap and Pay, so it is only available with some phones from other carriers.  ( http://phandroid.com/2013/09/19/google-wallet-nfc-payments-blocked/ ) There are notably optimistically titled articles stating that now it can work on all carriers!  However, the articles then admit that in fact that is not true. ( http://www.androidcentral.com/google-wallet-tap-and-pay-can-work-any-android-44-device-still-requires-us-sim )  Carriers can control the software and firmware they are willing to carry with most cell phones.
  • Google changed the rules on its users.
    • When Tap and Pay was first released, it was tied to one card, one carrier, with the secure element.
    • Google changed things in April 2014, when Google implemented HCE (host card emulation), which replaces the secure element by storing information representing the credit card in the cloud.  Google stopped supporting Tap and Pay for OS versions before KitKat 4.4, as they cannot support HCE.
  • To use Google Wallet for NFC securely, a user must use many (too many?) steps:
    • Type in a code to unlock the phone (the phone must be locked)
    • Select the Google Wallet App
    • Type in the Google Wallet App code
    • Select a card
    • then continue with the transaction
  • Information is power:
    • With the Google Wallet transaction system, Google is enacting the transaction on behalf of the user.  Google gets information about your purchases, for whatever purposes Google uses this information.
    • If Google Wallet were to have become ubiquitous, Google would have had a huge quantity of information about merchants and their sales data.  Merchants do not all want Google to have this proprietary data.  (This was briefly mentioned in http://blog.euromonitor.com/2013/10/google-wallets-in-store-payment-feature-all-but-dead.html )
  • In addition, some have mentioned that the Google Play store is not as secure as the "walled garden" of the Apple App Store: http://www.infoworld.com/article/2610099/mobile-security/report--android-malware-and-spyware-apps-spike-in-the-google-play-store.html
  • What does Google earn for transactions it conducts?  This is unclear.
  • Other notes:
    • In 2011, Eric Schmidt predicted 1/3 of all POS devices would be able to accept NFC payments: http://nfctimes.com/news/google-s-schmidt-predicts-contactless-terminal-rollout
    • In 2013, Bloomberg reported that Google was missing out on the mobile payments boom: http://www.businessweek.com/articles/2013-06-06/why-google-is-missing-out-on-the-mobile-payments-boom
Apple Pay:
  • It is not yet in place; we have not yet tried it.  Keep that in mind.  When it is activated, it will start only in the US.
  • Apple appears to have worked very hard to gain both broad acceptance and widespread deployment in the US in 2014 and early 2015.  Apple deployed the technology at a time that worked well for this adoption.  
  • It currently works only with the iPhone 6 and 6 Plus.  This is limiting, but we know that there are more than ten million of these devices out in the world that could use the feature.  (It will work in the future with Apple Watch paired with an iPhone 5, 5c, 5s, 6, or 6 Plus as well).
  • It works with the Apple Passbook app, and TouchID.  It is supposed to be simpler than using a credit card:
    • Hold your phone in place by an NFC terminal while holding TouchID to verify your identity.
  • Apple reports that Apple does not transmit credit card numbers to the merchant, and Apple keeps no information about your transactions.  The transactions are more secure.
  • Apple reportedly earns $0.15 per $100 of transactions.  Even if $20 billion in transactions go through Apple Pay, that is only $30 million to Apple.  I do not see this as a huge money maker at this time, nor a huge drain on the system.
Conclusions:
  • RFID credit cards are insecure.  I would not use them.
  • Chip and pin is coming your way.  Use chip and pin over magnetic stripe as soon as you can.  I would, however, prefer cell-phone enabled transactions as more secure than chip and pin transactions.
  • Google Wallet Tap and Pay:
    • If users follow Google recommendations, I see no evidence that Google Wallet is not fully secure.  They no longer use the secure element.
    • It is not clear to me what Google does with data about transactions.  This is a worry to some users, and is a big worry to some merchants.
    • Google changed the rules on its users, and devices that were able to use
    • Google was unable to get widespread adoption.  Google was unable to get cooperation from all carriers. 
    • Using Google Pay is not as smooth as using Apple Pay.  Google cannot fully control this.
    • Apple Pay deployment should be a benefit to Google as NFC is more widely deployed.
  • Apple Pay:
    • This appears to be a great time, with great partnerships, for Apple to deploy.
    • Apple has taken great care to make transactions as secure, easy, and private as possible.  This appears to be able to keep users, merchants, and partners happy.
  • Both Google Wallet and Apple Pay are more secure than traditional credit cards or chip-and-pin credit cards.
