

Retailers are disabling NFC readers to shut out Apple Pay - gws
http://www.theverge.com/2014/10/25/7069863/retailers-are-disabling-nfc-readers-to-shut-out-apple-pay

======
mortenjorck
The Verge has buried the lede here: major retailers are banding together to
compete with Apple Pay, with their own system made out of QR codes and direct
access to your checking account. Given the security track record of US retail
the past few years, one might wonder what could possibly go wrong.

~~~
malandrew
Security from credit cards isn't really any better, it's just that they
established very strong fraud detection mechanisms and have accepted eating
the losses from credit card theft as a cost of doing business. When I lose my
credit card and someone starts using it to make purchases, so long as I notify
my issuer promptly, they absolve me of being responsible for the fraudulent
transactions.

So long as this new system accepts that this is a cost of doing business and
implements a customer service policy where the risk is spread among all retail
participants, this would be competitive with the status quo.

These merchants aren't going to get out of paying fees, but they should be
able to reduce those fees to the cost of providing a competitive service to
the credit cards. The benefit is that they won't have to also pay higher fees
than necessary to get the benefit of the system.

If they provide this basic safety feature, than upgrading security will be a
given since it will reduce a major cost on their balance sheet, which is
dealing with fraudulent transactions.

~~~
infinite8s
The credit card servicers aren't eating the losses - they offload these onto
the merchants. So retailers are already eating the risk while also paying
fees.

~~~
MBCook
They're also getting the benefit of easy and quick payment.

If a big chain tried to go cash and check only, how well do you think that
would go over? Even if they included debit cards, my guess is it would be a
big problem. I bet shareholders would revolt. The only reason they may get
away with this is Apple Pay isn't established yet so there is no perceived
'loss'. Another commenter was right that if Apple pay impacts their growth
numbers they may be forced to reconsider.

------
sgentle
As I understand it, all the major payment processing companies have their
weight behind NFC payments (Visa: paywave, Mastercard: paypass, Amex:
expresspay). What's to stop them from all writing into their contracts that if
you want to accept payments from our cards you need to accept them via NFC as
well? I'm surprised they haven't already.

~~~
michaelt
Payment processing companies might have got into NFC as a "just in case it
takes off" measure.

If NFC is going to cut their fees or remove them as intermediaries, they might
be happy to see it killed off.

~~~
dwild
Why would NFC kill payment processing fees? There still fees involved when you
use it with your contactless credit card. Apple doesn't ask fees, sure but
they still need to pay credit card fees nonetheless.

------
jwcooper
Seems like an easy retaliation for Google and Apple would be to just block the
CurrenC applications from the app stores when they are released. It's very
similar to what the retailers are doing by blocking Google Wallet, Apple Pay
and paywave by disabling NFC.

Also, I just don't see the banks simply rolling over and losing their beloved
credit and debit card fees. They will definitely find ways to make their money
(sgentle mentioned through contracts requiring NFC, etc).

I've had a paywave for a while, and have used it at CVS quite a bit. Sort of
annoyed it won't work anymore due to this issue.

And giving retailers direct access to your checking account via ACH..uffda.

~~~
malandrew
Yeah, they could do that, and if they do, I honestly hope this whole thing
boils down to a standoff where government gets involved and regulates against
blocking competitors from markets using app stores. Users should be free to
install apps from other sources or other app stores. This is so obviously an
anti-trust issue. Security is achievable without gatekeepers, but there has
been no innovation in this space because their is a market incentive for
abusing the monopoly power of app stores.

~~~
IBM
Apple or Google don't have to block their apps for it to fail. It's going to
fail because it requires customers to give up their credit cards (which many
people love because of the benefits) and connect their bank accounts instead.
Also the UX of using the app versus Apple Pay will also prevent adoption.

~~~
atmosx
People in the US love their credit cards????

~~~
mcphage
Absolutely. They don't love their credit card companies, but it's crazy how
many people (me included) have moved to an almost completely cashless
existence.

------
malandrew
The problem is that Apple completely played their hand in the markets they
entered in early: music with iTunes and mobile apps with the AppStore.

Now that everyone has seen how much the experience has sucked for many
participants in those markets, participants in other markets Apple wants to
enter, such as ebooks, movies and tv shows, and now payments, are extremely
wary about cooperating. They want Apple's solution, but I don't see any new
market playing along unless Apple changes their strategy to one that permits
openness and competition as a poison pill in the case that Apple continues to
treat its "partners" like shit.

Openness is great because it forces the best solution out there to always
compete on being best instead of competing by abusing its market position. No
market wants to let Apple establish a strong market position anymore.

~~~
itg
They are shutting down NFC terminals so this also impacts Google Wallet and
any other method that would use NFC. If they want to use their own
implementation, let them, I'll be taking my business elsewhere.

~~~
malandrew
Interesting. Funnily, I don't care either way. With the exception of eating
out, entertainment and clothing, all the money I spend is spent online, so
none of this impacts me either way.

------
eddieroger
I work for a retailer that has a card-to-check form of payment already, and
I'm required to use that for my discount. I don't love the idea of having my
checking account tied to a piece of plastic, but since it stays all in the
family (card is only good at the retailer, and the only plastic card is in my
wallet), I live with it.

That all said, there's no way I'd introduce a third party to this, well,
party, and give direct debit access to my checking account to someone I don't
know, who's security practices I don't know, and who's primary form of
interaction is a freaking QR code - and I have nothing against QR, but I would
never trust this to a single barcode of any kind. And the retailers are all
going through all of this effort simply to avoid interchange fees and the
impact ApplePay will have on them.

To me, the winner will be whoever balances security with ease of use, and
ApplePay is the winner right now (and I say that having used Google Wallet). I
use my existing cards and retailers I already go to, so it feels the same, but
no actual, useful information is being transferred, so I'm better protected.
All transactions show on my statement as if I'd swiped. If retailers shut me
out in favor of proprietary systems that require work on my part, I will vote
with my dollars and shop elsewhere.

------
nsxwolf
As soon as I have to fumble around looking for an app to launch, it's already
easier to just pull out my credit card. I'll just be doing that.

Apple Pay is just easy enough that I will use it.

~~~
spb
Google Wallet launches as soon as you tap your phone to the NFC reader.

~~~
goatforce5
Google Wallet and Apple Pay both have special status on their phones.

The CurrentC app will be just another app I assume, and so will be trickier to
use than Wallet or Pay. I'm guessing the retailers disabling NFC at the moment
are just trying to stall things until CurrentC is ready. i.e., they don't want
people to get comfortable using alternatives before they have a chance to
launch their app.

------
tzs
Apple describes the security features of Apple Pay (and the security features
of iOS and Apple mobile devices in general) in the document "IOS Security
October 2014"[1].

Of particular interest:

iPhone 6 includes a separate chip, called the "Secure Element", that is used
as part of Apple Pay. Here's how Apple describes this chip:

    
    
        The Secure Element is an industry-standard, certified
        chip running   the Java Card platform, which is compliant
        with financial industry requirements for electronic payments.
    

Here is how Apple Pay uses the Secure Element:

    
    
        The Secure Element hosts a specially designed applet
        to manage Apple Pay. It also includes payment
        applets certified by the payment networks. Credit or
        debit card data is sent from the payment network or
        issuing bank encrypted to these payment applets
        using keys that are known only to the payment
        network and the payment applets' security domain.
        This data is stored within these payment applets and
        protected using the Secure Element’s security
        features. During a transaction, the terminal
        communicates directly with the Secure Element
        through the Near Field Communication (NFC)
        controller on iPhone 6 and iPhone 6 Plus over a
        dedicated hardware bus.
    

The information stored in the Secure Element, which is what is used to
actually make payments, is restricted:

    
    
        Full card numbers are not stored on the device or on
        Apple servers. Instead, a unique Device Account
        Number is created, encrypted, and then stored in the
        Secure Element. This unique Device Account Number is
        encrypted in such a way that Apple can’t access
        it. The Device Account Number is unique and
        different from usual credit or debit card numbers,
        your bank can prevent its use on a magnetic stripe
        card, over the phone, or on websites. The Device
        Account Number in the Secure Element is isolated
        from iOS, is never stored on Apple Pay servers, and
        is never backed up to iCloud.
    

The system these retailers want to push, CurrentC, will just be an ordinary
app. It will have no access to the Secure Element. Doesn't this considerably
limit how secure it can be?

[1]
[https://www.apple.com/privacy/docs/iOS_Security_Guide_Oct_20...](https://www.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf)

------
deedubaya
Let's see how this bold move plays out for them when Google and Apple block
their mobile apps from the App Stores. Doh.

~~~
deet
Sounds like a perfect way to trigger scrutiny of how the app approval process
mixes with anti-competitive actions and maybe even an antitrust investigation.

Edit: (Unfortunately. I find this story utterly infuriating as a consumer who
used Apple Pay at CVS just a few days ago.)

~~~
frankchn
I suspect we will see there will be additional criteria for these sort of
payment apps with the App Store soon -- which will include criteria about
privacy/security at CurrentC will be unwilling or unable to meet.

------
twic
As with Coin, this seems like another rather US-specific situation.

I get the impression that in the US, credit cards are more common than debit
cards, and the banks try to keep it that way. Debit cards are also somewhat
expensive - customers pay 0.79% on average [1].

In the UK, and i believe in the rest of Europe, everyone uses debit rather
than credit cards in shops, and they are much cheaper - interchange fees for
debit cards are about 0.2% [2]. Most debit cards these days are also
contactless payment devices.

If Apple Pay takes off here, it will be just another contactless payment
option. I don't see any great reason for shops, banks, or customers to feel
strongly about it.

[1] [http://www.federalreserve.gov/paymentsystems/regii-
average-i...](http://www.federalreserve.gov/paymentsystems/regii-average-
interchange-fee.htm)

[2]
[http://www.bbc.co.uk/news/business-23431543](http://www.bbc.co.uk/news/business-23431543)

~~~
surreal
I'm inclined to agree with you here, but if I may question a couple of your
points:

1\. Isn't Apple Pay/the tokenization it uses is a whole new ball game? The
contactless that currently exists in the UK is only for transactions up to 20
GBP, which presumably won't be the case with Apple Pay. Do we know that
merchants will only be charged what they currently are for contactless?

2\. Your statement that no one uses credit cards in shops seems anecdotal. Do
you have a source? Most people I know in the UK do all their spending on a
credit card, for a number of reasons. (Me included; I only use a debit card
for the few things that have credit card fees - flights, council tax, ...)

------
SethMurphy
It seems very much like the browser wars of old. I think that soon your NFC
payment system on your phone will have to be your choice, and not that of the
carrier or manufacturer. Retailers however will always have a choice to accept
or not, unless collusion is found that is. When large retailers are the
payment system, as is what it seems here, I think they will be forced to
accept more than just their own.

------
freshflowers
I'm wondering why Apple keeps launching in the American market first. Both in
mobile and payment the US has been pretty much the most backward and
conservative of any of their primary Western and Asian markets.

~~~
8uyhaeryo
...because it's an American company? With Americans as their primary market?

------
johnyzee
Bitcoin enthusiast wet dream:

Google gets behind bitcoin, integrates bitcoin NFC payments directly in
Android, a la Apple Pay.

~~~
mcphage
I'm not sure how this will help, given the issue is retailers turning off the
NFC readers. It doesn't matter if it's via a credit card, bitcoin, or Google
paying everyone's prescriptions—if the NFC reader is off, transactions ain't
going through.

