
Hands on with Apple Pay Competitor CurrentC - jszumski
http://johnszumski.com/blog/hands-on-with-apple-pay-competitor-currentc
======
jimkri
I really don't understand what the companies involved with MCX are thinking.
They build an app that is going in the opposite direction of where the market
is heading and limit the amount of payments they accept.

I was in line at 7-11 at my university, where an girl was trying to use the
currentc app. She was 2 people ahead of me, when I went up to pay she was
still trying to pay with the app. At first her screen was to dim, and the
scanner would not read the QR code. Eventually she was able to pay, but I was
already long gone by that time. If you look on the google play store it has a
rating of 1.1 starts.

This is straight from its website,"Merchant Customer Exchange is the only
merchant-owned mobile commerce network built to streamline the customer
shopping experience across all major retail verticals."

With an app that rates 1.1 stars and no improvement, I don't think it cares
about the shopping experience, and people will see this eventually.

~~~
untog
A clue to what the companies are thinking from the article:

"Its payments are also routed from the retailer to the ACH system instead of
the credit card system, which saves retailers from having to pay interchange
fees (typically around 2% of the transaction amount)"

~~~
jimkri
Yea I realized that when I was thinking about it. Which is a financial smart
reason, but in the end it limits them.

If I only have my phone which I have android pay on and I need to get
something from a drug store, I would go to CVS but they don't accept NFC. So I
will have to go to Walgreen's instead which is usually near a CVS. So I don't
get why they don't offer NFC, because keeping 98% of the transaction amount is
better than 0.

~~~
ISL
If your margin is only a few percent, 2% is a big deal.

What matters to a retailer isn't the revenue, it's the difference between
costs and revenue.

~~~
toomuchtodo
Walmart is also smart about this. They algorithmically determine how many
cashiers to have at certain times of the day, under the assumption that even
though some people may give up and leave instead of waiting in line, its still
more profitable for that to occur than to staff more cashiers for everyone to
complete their purchases in a timely manner.

In the real world, its about profits, not volume.

------
Veratyr
In Australia retailers have supported NFC in the form of Visa's payWave and
Mastercard's PayPass for years now and I've got to say, it's fantastic
compared to the experience in the US.

Walk into a supermarket/retailer/cinema/restaurant in Melbourne and payment is
as simple as waving your card at the terminal. If the purchase is less than
~$100 you don't need to enter a PIN and don't need to sign anything (we
outlawed signatures for domestic payments mid last year). It's just done.
Visa/Mastercard/banks generally cover any fraudulent purchases using the
system so you don't need to worry too much about fraud.

In addition to this, since the US tech companies generally don't appear to
have cared about the rest of the world until now, our banks have provided us
with contactless payment apps for our phones and unlike the numerous standards
being developed in the US, the banks' apps work with the existing
payWave/PayPass systems that are already supported.

The reason I'm bringing this up is to show just how behind the US is when it
comes to payments. I'm currently living in the Bay Area and the only places
I've been able to successfully complete a purchase using a contactless payment
method are Office Depot and Whole Foods. Most fast food places don't accept
it, most retailers don't accept it, most businesses in general don't accept
it. In Melbourne at least nearly everywhere accepts it, from coffee shops to
supermarkets to tech retailers.

Even the US's move to EMV is backwards. The country has the second highest
credit card fraud rate in the world yet when moving to a "more secure" system,
signatures are still being retained as "authentication" or "authorization"
despite being literally attached to the back of the card.

The US is fantastic when it comes to technology but when it comes to banking
and payments it's incredibly dated and behind.

~~~
mikeash
I don't understand why you praise NFC but condemn EMV on the basis of fraud.
In both cases, the possession of some physical item is considered sufficient
for authorization. Copying that physical item is sufficiently difficult that
it's probably not an avenue for fraud, so you have to actually steal
somebody's card.

If physical card theft is actually a big deal, then NFC would be just as bad.
If it's not a problem and fraud comes from copying the information, then EMV
is just as good. No?

~~~
Veratyr
Yes, now that you point it out it does seem odd. The physical presence of the
card and lack of authentication are common to both methods but:

\- NFC reduces risk by limiting transactions to $100.

\- EMV is slower (much slower) and more cumbersome due to the requirement that
a signature still be collected and the card be inserted into the terminal.
This takes a minimum of 15-20s while exchanging receipts etc compared to NFC's
~1s.

NFC has the same level of security while reducing risk and increasing
convenience.

~~~
mikeash
It's pretty common not to require a signature on smaller purchases. It depends
on the merchant and the card, but most purchases under $50 are just swipe and
go. Presumably they'll change to be insert and go.

I totally agree with you that NFC wins for convenience and speed. I just don't
see much of a security advantage, and it looks to me like EMV should
substantially reduce in-person fraud, since you won't be able to copy them the
way you can copy magnetic stripes. The card companies seem to think this way,
at least: the way they're pushing EMV isn't to require it, but simply to say
that if you _don 't_ have it and you participate in a fraudulent transaction,
you're liable for it.

~~~
Veratyr
That's true but it's still possible to make a completely unauthenticated $4000
purchase with a physically stolen US credit card.

I didn't mention this earlier but NFC payments over $100 generally only
require a PIN be entered but this is a relatively (to signatures) painless
process and comes with the benefit of requiring something not printed on the
credit card.

For small payments, NFC is faster. For large payments, NFC (at least as
implemented in Australia, with PIN), is significantly more secure.

~~~
mikeash
That certainly does sound better for fraud, but that's just a policy choice,
not anything inherent to NFC or EMV. NFC could be without limits (I think
that's how it is in the US) and EMV could require a PIN (as is typically the
case in Europe).

It would be interesting to see the breakdown of different types of credit card
fraud. How much fraud is physically stolen card versus copied card versus
online purchases? I have no real idea myself.

------
mfringel
Between the privacy concerns and the fact that it's ACH only, it sounds like
it has a tremendous benefit for retailers.... and precisely none for me.

------
prplhaz4
I believe CurrentC's (Paydiant's) QR code tokenization works the same as
you've described Apple Pay tokenization - the merchant POS does not see any
payment info other than a one-time-use token.

This was another decent teardown of Paydiant's Subway app - but it looks like
someone high up has had some of the code redacted :)
[http://randywestergren.com/reverse-engineering-the-subway-
an...](http://randywestergren.com/reverse-engineering-the-subway-android-app/)

Functionally, it looks like CurrentC only has two advantages over *Pays -
loyalty integration and big box retailer backing. Not likely enough, but will
be interesting to see how it plays out in the lower end market where a
flagship device is not required...

~~~
ascagnel_
As far as loyalty integration, there is some of that in Apple Pay -- it
supports my local supermarket and drug store (Wegman's and Walgreen's,
respectively).

~~~
prplhaz4
Any chance you can point me to a good demo? I haven't seen a good single-scan
loyalty/payment demo for ApplePay yet, and the SamsungPay demo seems to imply
it but isn't very clear...

------
sarahprobono
I have to say, just because of the privacy implications, I'm much more
inclined to use Apple Pay than CurrentC.

~~~
DaveWalk
I'm not an Apple Pay user -- is their privacy policy any good? Does it not
collect metadata?

The article highlights CurrentC's brazen lack of privacy. From their policy:

> We share your information across our network of merchants and with our third
> party service providers. MCX may share...To third-party analytic providers
> and advertising partners to help us deliver, track and analyze the
> operations and effectiveness of our marketing campaigns, promotions or
> advertisements.

~~~
macavity23
Apple Pay's privacy is much better. AIUI:

Apple knows nothing about your cards (they are all encrypted on-device), and
nothing about your transaction except that there was A transaction (since
Apple just sees a token that gets passed from you to the card provider).

The merchant doesn't see your real cc number, just a one-use token. So they
can't track you unless you choose to add a loyalty card.

The card provider sees all details of the transaction. Just as now, and what
you want.

And the real cc details are stored in dedicated silicon on a fingerprint-
locked device.

~~~
pdpi
> The merchant doesn't see your real cc number, just a one-use token

It's worth noting that the token is one-per-vendor, rather than one-per-
payment. This is what allows TFL to match your tap-in to your tap-out on the
London Underground, and what allows them to apply daily/weekly capping on
fares.

------
chasing
Just the name ("CurrentC") seems like it's going to lead to numerous Who's-On-
First kinds of interactions...

A: "Do you take CurrentC?"

B: "Of course we take currency."

A: [Pulls out CurrentC app.]

B: "Oh, no. We don't do that."

Might do better if it sounded distinct when spoken. Like "Apple Pay."

A: "Do you take Apple Pay?"

B: "No, we only accept payments in currency, not in fruit."

A: [Pulls out CurrentC app.]

B: "We don't take that, either."

[Audience laughter, applause, and scene.]

~~~
glhaynes
First time I tried Apple Pay in a McDonald's drive thru I ended up with an
apple pie added to my order.

------
wahsd
"...retail customer's money is on the line in the event of fraud..." is a good
point that may just slide by. The fact that corporations have significantly
moved to evading any kind of responsibility through various means from
regulatory capture to force arbitration and market monopoly; it strikes me
that the factor of risk to the retail consumer aspect will play a huge role.
It is a huge competitive disadvantage, to both not develop something well and
with vigilance towards security like Apple Pay is, while also then setting in
place a framework for conveying to customers that "if there is fraud because
of our poorly designed and developed system, we are going to duck and weave
like champions".

Do you want to keep away customers, i.e., revenue, because that's how you keep
away customers.

------
prplhaz4
Did more research - it seems like this article is wrong about fraud liability
(in addition to QR tokenization). There are plenty of things wrong with
CurrentC, no need to make stuff up...

 _To further protect CurrentC™ consumers, our zero-liability policy protects
consumers in the event unauthorized or fraudulent charges are made to their
checking account as a result of unauthorized ACH transactions processed
through BIM._

[http://finance.yahoo.com/news/mcx-adds-bim-guaranteed-
ach-17...](http://finance.yahoo.com/news/mcx-adds-bim-guaranteed-
ach-170000793.html)

~~~
mfringel
Even with a zero-liability policy, the money is coming directly out of your
bank account, and will be put back in eventually, after investigation.

Since the only person that's out money is you, no one has financial incentive
to speed the process.

------
LeoPanthera
The article seem to suggest that your phone requires a working internet
connection in order to make a payment. This seems like a huge limitation
compared to Apple Pay (and presumably Android Pay?), which does not.

------
serge2k
> 3 security questions

Why are these still a thing? Is it regulations or something?

------
draw_down
Sounds great!

