Analysis: Or is the tech giant more interested in shifting handsets?
Apple Pay is somewhat dividing the security world right now over smartphone payments. Steve Jobs’ company may be latecomers to the market, but it has serious pulling power, with about 44% of mobile users running iOS, according to NetMarketShare.
But there’s more to it than numbers. In the words of Winston Bond, European technical manager for mobile security firm Arxan, Apple is "quite good at taking old ideas and making them exciting again. I’m not sure Apple Pay is that different to NFC (near field communication) pay but now it’s in the headlines once more."
Many in the payments industry feel it has long been dragging its feet over mobile. "It’s important to remember that this is not new technology; it’s taken almost half a decade to get us to this point," said Chris Wade, head of strategic programmes at Sage Pay."So while we welcome this move from Apple, the impact might take a little while to fully work through."
According to Bond, whose company creates tools for mobile app developers to improve their security, financial groups are increasingly looking to turn people’s phones into bank cards. "We’re certainly seeing a lot of interest from the supply side from people wanting to start providing the technology to do this," he said. But what does it mean for security?
Comparing phones to bank cards
Security has never been a world of absolutes, but rather managing risk on a sliding scale. In this sense mobile payments has to compete with bank cards and contactless payments. A big divide in finances between Europe and the US is the prevalence of Chip and PIN in the former, compared to the prevalence of magnetic stripes in the latter.
"If you are looking at it from a magnetic stripe the only way is up," Bond said. "If you are looking at it from Chip and PIN the only way is down." The good news for consumer is that Apple’s approach takes advantage of the latter technology, in the form of a chip that comes with the phone.
Using a chip to secure payments is one old method of dealing with the security concerns surrounding mobile payments, according to Richard Moulds, vice president of strategy at Thales e-Security. The other method uses the phone as a conduit for the payments process through tokens that expire after one use, which Apple is also employing.
"What Apple did, I think, was the best of everything," Moulds said. The reason it took so long is that the firm waited for a "critical mass" before it made its move: "Most of the point of sale (PoS) devices in the US could not communicated wirelessly until fairly recently."
What changed is that in the US the card processing firms Visa and MasterCard pushed for retailers to switch to PoS systems that could process Chip and PIN cards, partly because of the risks of fraud associated with magnetic stripes, but also out of a desire to take payments from international tourists more easily. As a bonus, many of these systems also allow NFC payments.
In a departure from their reputation as disruptors Apple has taken advantage of existing technology and infrastructure that has built up without their involvement. "That sends a strong message to the security industry they’re not trying to reinvent the wheel here," Moulds said.
Tying up the market
"Up until Apple stepped in you had quite a fragmented market," Greg Day, EMEA chief technology officer at security firm FireEye, told CBR. Unlike iOS, Google’s Android is a confusion of handset makers, app developers and security firms, an ecosystem that has proved quite difficult to tie together.
Consumer uptake of mobile payments has certainly been slower than expected. Last year the research firm Gartner cut its forecast for mobile transaction volume after growth failed to live up to hype around the world, especially in North America and Africa. Even so, more than 450 million people are expected to be using the tech by 2017.
Given that Android is even more popular than Apple it seems unlikely that Google will not respond to this development in iOS. NFC and chips are already present on Android devices, and there’s no reason that security companies could not make use of tokens on the platform. In other words, security is not the issue.
Some argue that mobile payments are only slightly more convenient than cards, and setting up the ecosystem is, as some have said above, considerably more challenging. In the end most of those CBR spoke to saw it more likely to supplement old forms of payment than be a wholesale replacement, and some suggested contextual mobile marketing was the real draw for Apple.
"Mobile payments is really about mobile selling," Moulds said. "I doubt Apple care very much if you’re paying using the mobile. They care about getting you into the store in the first place."
For now at least, that appears to be true.