
How Apple Pay works and why it matters for developers - johndbeatty
http://clover-developers.blogspot.com/2014/09/apple-pay.html
======
cdnsteve
Maybe it's just me but I'm not drinking the kool aid about Apple Pay in
today's announcement. Aside, I really hated the fact that to watch the event
you had to use a Safari browser, same with watching Swift tutorial videos on
their website, using latest Chrome on a Mac...

Maybe I'm old school but I'm actually finding that payment options are getting
worse, not better. This is another example of further fragmentation. Tap
cards, stripe cards, chip cards - all the machines have different interfaces,
some touch screen, some with pens. Not sure about you guys but I forget my
credit card pin compared to my bank card pin half the time. I have a way to
many accounts to remember already. What happened to just a signature?

It's like someone needs to come up with an interface for payments. That
universally accepted. Think of a wall socket for power, 3 prongs, supports 2
prong interface. Works great.

Lets step back. Oh wait, we have one. It's called CASH. Cash seems to make
more and more sense these days. No overage fees for using your own money.
Accepted everywhere already. It doesn't get malware and steals your data. It
doesn't need charging or have bugs. Doesn't seems as easy to spend when you
physically see it leaving your old school wallet.

I for one won't ever use my phone for payments nor will I be looking to work
on apps trying to convince others that its fairy land for payments and makes
your life better because of revolutionary Apple marketing spiels. Virtual apps
on the app stores, fine, I see it makes sense. Brick and mortar, I just don't
see it.

~~~
DrewAllyn
I'm a Canadian who is temporarily in the US, and it seems so backwards to me.
A signature? You mean writing on a piece of paper that probably never gets
looks at allows someone to take money out of my bank account? Chip+Pin at
least has a semblance of technical security.

And cash? Don't get me started. Cash can be physically lost. Cash can be
stolen. When you pay with cash, you get given coins as well as the thing you
are buying. Coins suck. To me, cash makes less and less sense these days. In
Canada, I never carry any. In California there are enough cash only places (in
2014!) that I have some at most times.

I will probably not know it when I see it, but I look forward to the last day
I touch cash.

~~~
AYBABTME
This, I'm living exactly the same situation right now.

Last time I came to the US, I realized my cards' magnetic bands weren't
working. Would have never noticed otherwise, chips don't wear off. Had to
prepare for new cards before my next trip. Chips came so long ago in Canada
that I can't recall when. My surprise every time I remember they're still not
here.

Then cash only places and having to receive coins; the worst. And then what do
you do with the coins, hope that one day you'll get the chance to use them?
That never happens. You must accumulate coins in your pockets. Accumulate
discomfort and never dare throwing them away. And what's up with cents, what
do you buy with a cent?

Back in Canada, all I carry is a debit/credit card (wink) and a health
insurance card (wink).

~~~
pyre
> Chips came so long ago in Canada that I can't recall when.

I left Canada in 2008, and I don't remember chip & pin being prevalent as it
is now, so it's not quite as "long ago" as you are implying.

But... you might have issues carrying just a credit card. Many places only
accept debit due to there being smaller merchant fees and there are still many
cash-only places (in Toronto at least).

And seriously? When I end up with cash / change in my pockets I end up using
it. Your comments about "OMG! What do I do with physical money?! It's sooooo
useless" are a bit hyperbolic.

~~~
AYBABTME
Yeah the hyperbolism was on purpose. =P

------
21echoes
> Apple Pay marks the first time a popular operating system is making payments
> a platform service for real-world, non-digital-good transactions, in a
> broad, inclusive manner that is compatible with the mainstream payments
> processing industry

I'm sorry... what? How is this different from Google making Google Wallet back
in 2011? They both use the same tech (PayPass, an industry standard), and both
are made by an OS company.

~~~
gress
Google wallet was unpopular and was impeded by the cell carriers. It was a
business failure, not a technical one.

~~~
21echoes
Sure, I totally agree that Google Wallet was basically a business failure.

I'd also say that the only thing that may stop Apple Pay from being a business
failure is that it's _Apple_ doing it this time (even tho, frankly, their UI
looks significantly worse than Google Wallet, and has far less functionality,
and Google Wallet is no longer impeded by the carriers)...

But that's not what the article section i quoted was talking about. It just
made an unqualified claim "this is the first time an OS maker has made a
payments product for the physical world"

~~~
GuiA
I've never used Google wallet- but how could Apple's UI be worse? All you do
is tap your device. How did Google Wallet work?

~~~
21echoes
that's the payment experience, sure, but there's all those moments before and
after your payment. say, adding a card, managing which cards you want to use
at which locations, etc. there was plenty of footage in the live stream this
morning, or stills here: [http://www.apple.com/apple-
pay/](http://www.apple.com/apple-pay/)

but the bigger point: you're quibbling over the first of three points i made
in an aside (the other two being that google wallet has way more features, and
that google wallet is now not blocked from being on Verizon et al). The larger
point is that the article saying that this is the first OS to have a payments
solution is... very strange.

~~~
gareim
Well, there's the second half of that sentence which qualifies it with "broad,
inclusive". I'm not saying I agree, although it could be that Apple believes
Google Wallet was not broad, inclusive, or both.

------
Schweigi
_Apple Pay uses industry-standard EMV contactless protocols over NFC (and MSD
contactless for backward compatibility). This makes it compatible with a wide
range of contactless payment terminals in deployment today._

So if the last section of the article is correct that means ApplePay will be
compatible with Mastercard PayPass terminals? If this is true it would be
really easy to roll out ApplePay as for example in Switzerland most terminals
are PayPass ready.

~~~
johndbeatty
Apple Pay is very standards compliant and the networks are very global. So I
wouldn't be surprised.

~~~
iancarroll
This is also great for us Android/GWallet/Isis/Softcard users, as more
merchants will want EMV and have it implemented.

------
panabee
One reason Apple Pay matters for developers and startups is it erodes a key
advantage of leaders and incumbents. By dramatically reducing the friction
around account creation and payments, Apple Pay makes it much, much easier for
consumers to try new services. Ride sharing services, for example, could
benefit from this. Of course, it will take a while for the effects to be felt,
but increased competition in commerce is a positive long term implication of
Apple Pay.

~~~
XorNot
It really doesn't do this. Apple Pay is not the solution to moving money
between parties who aren't registered merchants, with the relevant banking
setup.

 _Anyone_ can be become a merchant with a PayPass reader today. Apple Pay is
not changing that, nor can it since that sector is entirely dependent on local
commerce/finance laws and payment processor anti-fraud costs.

~~~
panabee
Apple Pay is focused on easing _consumer_ pain and friction, leading to more
competition among service providers and retailers since trying new services
will become easier for users.

~~~
XorNot
Ok now I'm not sure which aspect you're talking about.

Because in the physical world the friction is not "oh I need a card" it's
physically getting the customer in the door. Otherwise, what's involved is
needing merchants to have NFC readers. This _might_ be an exciting new thing
in the US, but certainly in my neck of the woods NFC has near universal
penetration.

In the virtual world...this problem has been solved over and over and over.
I'd argue it would be very surprising to see Apple displace Paypal. _Everyone_
has Paypal - very few people (relatively) will have ApplePay.

~~~
aianus
> Everyone has Paypal - very few people (relatively) will have ApplePay.

Today Paypal has something like 150 million users worldwide while there are 72
million iPhone users in the United States alone. Presumably all of these
people will eventually upgrade to an iPhone supporting ApplePay.

~~~
XorNot
That is a big assumption. Phones have been getting a longer and longer tail.

Moreover, there's almost certainly >50% overlap between iPhone user/Paypal
user/other service user.

------
3JPLW
> com.apple.WebKit.Networking.xpc wants to sign using key "Apple ID
> Authentication …" in your keychain. Do you want to allow access to this
> item?

[http://imgur.com/n3Ay8Ik](http://imgur.com/n3Ay8Ik)

What is this? I've never seen this before. Loading (and reloading) pages from
this domain prompts this popup.

~~~
astrange
That would be SSL Client Certificates!

------
exelius
I'm curious how much, if anything, Apple makes off of this. It's pretty clear
they're not displacing anyone in the existing merchant payment value chain
(which is the mistake most other companies have made) but it's not clear how
Apple makes any money off of this.

I have a hunch that Apple might not be making any money at all off of Apple
Pay. Apple operates their business very differently than many tech companies.
The vast majority of Apple's profit comes from the ridiculously high margins
on their hardware. They develop services to increase the capability of the
hardware platform; and any money resulting from the operation of those
services is secondary.

When Apple initially released the iTunes store, they operated it at a loss.
The entire iTunes store and all the payment systems, etc. that go along with
it were built in order to sell iPods.

There's a very real possibility that Apple looked at the mobile payment market
and said "Shit, there are way too many entrenched interests for us to insert
ourselves in the value chain and take a cut. But having a superior mobile
payment system will help us sell more iPhones, so we'll do it anyway." Those
entrenched interests are what have kept every other mobile payment company
from making a real dent in the overall payments ecosystem. Unlike with iTunes
where Apple made demands about how the store had to function, they placated
the industry while coming up with a solution that worked for both end users
and the industry players. We'll see if it catches on, but I expect it will.

~~~
gambiting
>>The vast majority of Apple's profit comes from the ridiculously high margins
on their hardware.

I am not saying you are wrong, but could we see a source for that please? I
always assumed that no matter what they do, the profit margin on hardware
cannot be THAT large, because the costs of R&D and marketing for apple devices
must be huge(they ship with their own in-house developed operating
system,after all), so I always assumed that Apple makes most money off
platforms like iTunes, not hardware profits. I would be very happy to be
proven wrong though.

~~~
exelius
I don't have an explicit source; but we can back into the numbers. Apple only
breaks out COGS for the entire company; not by division. But regardless, the
iTunes division is dwarfed by the iPhone/iPad/Mac divisions. Apple's gross
margins are right around 37.5% -- which is very high. The average for the
computer/electronics industry is closer to 20%. If you look at historical
trends through their past SEC filings, you'll see that margins have actually
been declining, and that iTunes was only a significant percentage of revenue
for the last couple of years. It was less than 1% of revenue before 2007, so
it operated as a very small part of the company for the first 10 years of its
existence. Online media direct sales are actually not as big of a business as
you might think -- for example, Steam alone did more revenue than the entire
online movie sales/rental business (not counting subscription services).

As a percentage of revenue, Apple's operating expenses (which include R&D and
the operation of the Apple stores, servers, etc.) are pretty low -- less than
10%.

All of this info comes from Apple's 10-K:
[http://investor.apple.com/secfiling.cfm?filingID=1193125-13-...](http://investor.apple.com/secfiling.cfm?filingID=1193125-13-416534&CIK=320193)

------
induscreep
How does Apple pay differ from Google's ecosystem and whatever it provides?
There, the smartphone app (Google Wallet vs passbook) and the hardware is not
made by the same people (Samsung vs Apple) - so does this pose any problems?

~~~
natrius
Apple Pay gets a token from your card issuer and uses that to pay. Google
Wallet pays with their own card and charges your card the same amount. Only
difference I see is that Google knows about every transaction you make. Apple
doesn't.

~~~
stephenr
Wow that's creepy and yet completely unsurprising from google..

~~~
damian2000
That data is fed into their Google Now servers, so that it can predict your
buying patterns, hence offer you contextual adverts just as you're planning to
buy something. /joking

------
bsaul
A few counterpoints to having your phone used as a payment device :

\- it breaks more easily and wears out quicker than a card

\- you can't lend it to a friend to have him buy stuff for you ( i don't have
a pass id iphone so maybe i'm wrong on this one)

\- it gets stolen more often because it has intrisic value ( and a big one for
the iphone)

\- if it gets stolen, how are you going to call your bank to disable it ?

Plus, retrieving fingerprints from a stolen iphone was demonstrated last year
and seems pretty easy. Now that iphones will be used to pay, you can expect
criminals to get very familiar with the technic very fast.

~~~
jhgg
>\- it breaks more easily and wears out quicker than a card

I don't know about you, but personally I use my phone far more all of my
credit cards combined on a daily basis. Is pulling out my phone to process a
transaction going to add additional ware to it? Probably not. It's most likely
out already from me using it while waiting in line.

------
tonyb
The part I'm not quite following is when the tokenization takes place.

If it takes place per transaction then the PAN must be saved in the phone
somewhere and the phone would have to be online to do the tokenization in
real-time.

If it is a one-time tokenization that happens when the card is added isn't
that token just as valulable as the PAN since the token can be used across
merchants? Maybe the 3-D secure piece of the puzzle protects the token but I
think this still means the phone has to be on-line to use the NFC payment
feature.

~~~
debt
I would think compromise of the token, while bad, is way less bad than
compromise of the PAN. I would think it's much easier to regenerate the one-
time token than to create a new PAN.

~~~
iknowthisstuff
The token seems to be generated randomly (per transaction) in the Secure
Element. See my above post.

~~~
tonyb
I don't think that is quite correct. There is per-transaction stuff going on
but it isn't being tokenized for every transaction.

The token is stored in the secure element but is generated by the Token
Service Provider (for example Visa Token Service).

After reading the EVM token spec linked in the post[1] and the developer guide
I think I'm able to answer my own question.

The card is only tokenized once (or at least not per-transaction). For in-app
purchases it is using 3-D Secure and for NFC is it using EMV, both of which
provide some per-transaction security. Unlike a standard card the token will
only work with 3-D Secure or EMV. For example a standard Chip&Pin card could
still have it's mag-strip data extracted by a malicious POS system and used at
a merchant that only uses magstripe terminals. With Apple Pay (and any other
network token based system) a copied token would be worthless because it can't
be used at a magstripe terminal.

Basically the phone is acting both as an automated 3-D secure checkout (it is
processed by the processors just like 3-D secure but the authentication
process is automated) and as a contactless EMV card without the downside of
also having a magstrip with the PAN on it.

[1][http://www.emvco.com/specifications.aspx?id=263](http://www.emvco.com/specifications.aspx?id=263)

------
thinkling
I'm very curious about the business side of ApplePay. Is Apple going to get
some (miniscule) cut of every transaction performed? I.e. is this a new
revenue stream for Apple?

~~~
kunaalarya
they said in their faq that they won't be taking a cut. Either this is purely
for improving the ecosystem, or they're getting a cut from banks for cutting
down fraud.

~~~
iknowthissuff2
The latter is most likely

------
greggarious
One thing I am not clear on: Will Apple make ApplePay available to Android
users?

If they do, they would get more sales. More people wielding compatible phones
would also drive adoption. (Think of how Discover used to be made fun of on
Family Guy, but now almost everywhere will take it)

I personally think that will be the tipping point to getting a critical mass
of users - making sure it's cross platform.

------
mrweasel
The 3DSecure stuff gets a bit weird, do you still get redirected to you banks
3DSecure page? If so I don't see that working to well in at least some
countries (I know Apple Pay is US only for now).

In Denmark a large number of banks would present you with a Java applet on the
3DSecure page, that's not really going to work on the iPhone.

------
pbreit
I haven't seen yet how (or if) recurring payments are supported. Anyone know?

~~~
redstar504
See page 5 of this document for evidence that recurring payments are indeed
supported. [https://developer.apple.com/apple-pay/Getting-Started-
with-A...](https://developer.apple.com/apple-pay/Getting-Started-with-Apple-
Pay.pdf)

------
f3llowtraveler
The future of payments is Bitcoin.

------
LeicaLatte
eBay should have spun off PayPal when they had the chance. With this year's
double blow of Amazon Payments and Apple Pay, their end seems near.

------
gaius
I assumed from the headline this would be about Apple's wage-suppressing scam.

------
itry
So we want to make payments via our phones. My first thought would be to
create a protocol for this. Instead we get ApplePay and GoogleWallet and
whatnot.

If the internet was invented today, we would have AppleMail instead of email
and GoogleTrans instead of http.

