How Apple Pay works and why it matters for developers (clover-developers.blogspot.com)
184 points by johndbeatty on Sept 9, 2014 | 113 comments

Maybe it's just me but I'm not drinking the Kool-Aid about Apple Pay in today's announcement. As an aside, I really hated the fact that to watch the event you had to use a Safari browser, same with watching Swift tutorial videos on their website, using the latest Chrome on a Mac...

Maybe I'm old school but I'm actually finding that payment options are getting worse, not better. This is another example of further fragmentation. Tap cards, stripe cards, chip cards - all the machines have different interfaces, some touch screen, some with pens. Not sure about you guys but I forget my credit card PIN compared to my bank card PIN half the time. I have way too many accounts to remember already. What happened to just a signature?

It's like someone needs to come up with an interface for payments that's universally accepted. Think of a wall socket for power: 3 prongs, supports a 2-prong interface. Works great.

Let's step back. Oh wait, we have one. It's called CASH. Cash seems to make more and more sense these days. No overage fees for using your own money. Accepted everywhere already. It doesn't get malware and steal your data. It doesn't need charging or have bugs. Doesn't seem as easy to spend when you physically see it leaving your old school wallet.

I for one won't ever use my phone for payments, nor will I be looking to work on apps trying to convince others that it's fairy land for payments and makes your life better because of revolutionary Apple marketing spiels. Virtual apps on the app stores, fine, I see it makes sense. Brick and mortar, I just don't see it.

I'm a Canadian who is temporarily in the US, and it seems so backwards to me. A signature? You mean writing on a piece of paper that probably never gets looked at allows someone to take money out of my bank account? Chip+PIN at least has a semblance of technical security.

And cash? Don't get me started. Cash can be physically lost. Cash can be stolen. When you pay with cash, you get given coins as well as the thing you are buying. Coins suck. To me, cash makes less and less sense these days. In Canada, I never carry any. In California there are enough cash only places (in 2014!) that I have some at most times.

I will probably not know it when I see it, but I look forward to the last day I touch cash.

This, I'm living exactly the same situation right now.

Last time I came to the US, I realized my cards' magnetic bands weren't working. Would have never noticed otherwise, chips don't wear off. Had to prepare for new cards before my next trip. Chips came so long ago in Canada that I can't recall when. My surprise every time I remember they're still not here.

Then cash only places and having to receive coins; the worst. And then what do you do with the coins, hope that one day you'll get the chance to use them? That never happens. You must accumulate coins in your pockets. Accumulate discomfort and never dare throwing them away. And what's up with cents, what do you buy with a cent?

Back in Canada, all I carry is a debit/credit card (wink) and a health insurance card (wink).

> Chips came so long ago in Canada that I can't recall when.

I left Canada in 2008, and I don't remember chip & pin being prevalent as it is now, so it's not quite as "long ago" as you are implying.

But... you might have issues carrying just a credit card. Many places only accept debit due to there being smaller merchant fees and there are still many cash-only places (in Toronto at least).

And seriously? When I end up with cash / change in my pockets I end up using it. Your comments about "OMG! What do I do with physical money?! It's sooooo useless" are a bit hyperbolic.

Yeah the hyperbolism was on purpose. =P

And then what do you do with the coins, hope that one day you'll get the chance to use them?

You dump the coins in a change jar on top of your dresser. Then once a year or so, when you have accumulated $100 in coins, you bring the jar to a coinstar machine at your local supermarket and get the coins converted to an Amazon gift certificate.

I have an algorithm for minimizing my coin count. When I buy a soda or snack from a machine, I put the smallest denomination coins in first (nickels) and then work my way up (dimes, then quarters) until I have put enough money in to make my purchase. The machine gives me change, and as long as the item costs at least 25 cents (a practical certainty!), I'm sure to have fewer coins in my pocket afterwards.

> chips don't wear off

The chips may not, but the contact surfaces corrode. Then, when you're facing a slightly aged payment terminal with also corroded contacts, your card gets rejected no matter what you do.

So from my view, NFC in a phone has two things going for it: it can be toggled on and off, effectively preventing drive-by cardjacking; and it is better protected from the elements.

The fact that I have other personal reservations about contactless payments is a different matter altogether.

Pencil erasers do a great job of cleaning these types of contacts :)

> Would have never noticed otherwise, chips don't wear off.

Oh that's so not true. I keep my cards in my pocket and I already had to replace a few due to the fact that they wouldn't be recognized at terminals anymore. And I am a huge supporter of chip+PIN.

Same thing here (but in Europe). I wonder if Apple Pay will really get some momentum here.

I am optimistic. Today, I have to remove my credit card from my wallet to hold it close to the card terminal, in the future my iPhone will be sufficient …

These conclusions are surprising to me. I grew up in the states and lived in Canada for 4 years.

Though I agree with the lack of security offered by a signature, that method of payment is basically offered everywhere in the US. Compared to Canada, it's uncommon to be asked for a 5 dollar minimum purchase or a 50 cent surcharge for a credit card transaction. Furthermore, the credit limits in Canada seemed downright restrictive.

Say whatever about the security of credit cards in the US, but as a consumer the product is much more compelling. I can go almost anywhere, rarely pay extra fees and easily spend all of my own money. Furthermore, why would I care about a signature? Yes, it's antiquated, but who cares if it's never used? I can charge back fraudulent charges pain free in the US, which has not been my experience in Canada.

Basically, I think the user experience of paying money is really important, but chip and pin doesn't solve that problem.

I've found that the places that typically charge fees or have minimums in Canada are the tiny Asian restaurants run by immigrants, and the small corner stores. Similar places in the US are the ones I find that take cash only a lot of the time.

Credit limits in Canada start out restrictive, yes, though I've generally found that if you ask for a higher limit, they will generally grant it. I've had good credit though. That probably makes a difference.

I've been lucky enough to never need to do a chargeback in Canada or the US. Maybe it's not easy in Canada.

The signature is for identification after the fact. So if someone steals your card, the credit card company can look at the signature for that transaction versus 10 other signatures for valid transactions and quickly know if it was your signature or not.

That said, I don't think we will ever live in a cash-less world. There are too many merchants for whom any technology is too much. Also, a lot of merchants don't want to pay credit card processing fees (which I expect don't go away with this system) and still others like to cheat on their taxes and running a cash business makes that easier.

I used my swipe-only American Visa when I was in London, and was looked at like a neanderthal. Cards are easily stolen, signatures are easily forged, but my thumbprint is pretty much only mine (yes, it can be tricked, but you still have to get it somehow). I welcome two-form, and loathe Visa and MasterCard for holding it up as long they have in the States.

Someone hacked Target and Home Depot POS systems recently and stole millions of credit card numbers. I really don't want someone doing that to my thumbprint. I can always get a new CC# but I'm stuck with the thumbs I've got.

Is that meant to be a real reply? I'll answer it like it is, giving you the benefit of the doubt - your thumbprint is only used to unlock the data store on the device, where the credit card token is kept. Note token, not actual credit card number or CVV code. The data stolen from Target and Home Depot was the real number, where ApplePay will use a one-time token, so even if it's stolen, it's useless once the transaction is complete. But that wasn't a real reply, was it?

Thanks, I had no idea why you were talking about thumbprints.

I stopped signing a long time ago. Now I scribble, draw pictures, whatever.

Just a note on the fact you had to use Safari to watch the video, there's a technical reason behind that, it's not arbitrary lock-in on Apple's part.

Apple use HTTP Live Streaming for their live streams. This is an open technology they are trying to get adopted more widely (RFC: http://tools.ietf.org/html/draft-pantos-http-live-streaming-...). Currently, HLS is not implemented by Chrome or other browsers, in part because Google are pushing a competing standard (http://en.wikipedia.org/wiki/Dynamic_Adaptive_Streaming_over...).

I'm not sure it's clear cut if one is better than the other. I've used HLS and implemented a toy HLS server, and can say anecdotally that it was easy to use and quite a nice standard, although not brilliantly implemented by clients so far. Because of this, I understand why Apple continue to push HLS, and why Google continue to push DASH, and why neither will implement the other's technology in their browsers.

Google actually neither supports nor ignores HLS; they provide a JavaScript interface that allows sites to support HLS, MPEG-DASH and possibly other protocols. Apple's site seems to rely on "native" HLS support; this is probably why Chrome can't stream the video.

Oh, so it's not a ploy to force Safari use... it's a ploy to force HLS. Thanks for the heads up.

Edit: Just to be clear, it is really interesting and I appreciate your comment, but it's still silly for Apple to limit their advertisements to Apple users.

Having a credit card stolen is a lot easier to deal with than having cash stolen. For that I am thankful.

I'm presuming cdnsteve is in the US? In the UK payment options have improved in various ways. I used to be a fan of cash as the quickest and easiest way to pay for something small like a coffee but we now have NFC where you just hold your card near and it takes like 10 seconds (mostly for the waitress to press buttons), quicker than getting change for cash. Also instant free bank transfers, chip and pin and other conveniences.

Re the iphone I think it'll use the same NFC terminal I just paid for my coffee with at Pret. Being able to wave a phone rather than my bank card is a bit ho hum. I guess for sums over £20 I could use my finger print rather than having to enter the pin as one does at the moment. The advantage seems a bit marginal.

really, cash? cash sucks in so many ways. it can get lost, it can get stolen, it takes up more room, it takes longer to pay with, you have to get coins back as change. should i go on? i thought the apple pay stuff was the best part about today's event. if they can get a high percentage of merchants to accept it it will noticeably improve my life. small things like saving time checking out will make me happy therefore improving my overall quality of life.

Cash still works when a city does not have power and ATM machines don't work. I've had a few instances of this in my life and I was caught without having much cash. Emergencies, cash still rules supreme.

The point about it getting lost is actually worse for a phone. You can also lose your smartphone. Losing your phone is a greater risk than losing the minimal amount of cash you carry on you. Think about it: if you don't have a password on your phone, or you do and someone gets in, how much data are you exposing? Facebook, mass messaging all contacts, banking, app stores, email, the list goes on and on. Not to mention your phone's likely in a contract and you hold a few hundred dollar balance remaining on the item itself.

The problem with any technology is that even though we put our best foot forward, there will always be bugs and glitches. Cash, always, just works.

> it takes longer to pay with

Really? I've found that processing machines can tend to take a while. Some of them are also super slow for no reason (and if you don't go at their pace they force you to restart the transaction).

Yea, I use cash for a few reasons, and found it liberating. If you do use cash you need to really trust the people you live with. Actually, in my family we only have one credit card and everyone uses it just for emergencies and online purchases, and we still use checks for bills.

I applaud Apple for trying to make transactions safer, but I honestly don't even trust Apple (never gave them the family credit card for iTunes). By the way, I hardly ever use iTunes anymore. I couldn't be the only one? I'm surprised iTunes doesn't have more competition by now -- a good alternative?

cash wears out easily, it can be hard to have exact change.

I agree with the psychological effect of spending cash compared to a card (digits don't mean as much as handing over a bunch of paper), but things like IC cards are great for people who hate fidgeting with change (this is especially bad in places like Europe/Japan where a handful of change can end up being over $20).

And it's not like cash has disappeared. This is one more option.

The problem of capitalism is that all agents want (amongst other things) full vendor lock-in. Sadly that's been our general direction for the past 50 years in most aspects of life, and there seems to be little hope for reversing the machine in the short term.

As against planned economies in which lock-in by a single vendor is mandatory and essentially irreversible. The answer, as Adam Smith observed, is a well regulated market.

If you're going to make negative comments like that, it would be helpful if you were to offer some kind of alternative and why it's better.

This happens when the vendor has a certain degree of control over their market; however, if the market is large enough, an overly-restricted platform becomes a liability, and customers move to better solutions.

That's not the "problem of capitalism", that's the problem with bad people that are power hungry and uninformed people that see absolution in centralized power.

I'm very hopeful that we will be able to reverse this trend as I see decentralization efforts everywhere (internet to press, 3d printing to manufacturing, bitcoin to currency, blockchain to public ledger, photovoltaics for power, etc).

Well, sometimes digital payment comes with a nice discount. That's where CASH can't compete.

Many businesses offer cash discounts, much more so than digital.

Where I am there has been one business that offered a 'cash discount' higher than what I got back from my credit card. It went out of business.

All the gas stations give 10c/gal, my credit card gives 5%. At $3+/gal I'm at 15c/gal.

> Maybe it's just me but I'm not drinking the kool aid about Apple Pay in today's announcement.

What does this actually mean?

Nothing, it's gibberish. Or, rather, a signal you can use to realize that the person who wrote it can't think critically and most likely doesn't have anything useful to say.

Or that they don't subscribe to everything The Cult of Apple feeds them.

edit: getting downvoted like a champ. The Cult is strong with HN.

But I got down voted too, though.

It's a serious question -- what does this sort of talk actually mean? What would "subscribing to The Cult of Apple" mean in this situation? Using Apple Pay? Believing it will succeed? What?

> Apple Pay marks the first time a popular operating system is making payments a platform service for real-world, non-digital-good transactions, in a broad, inclusive manner that is compatible with the mainstream payments processing industry

I'm sorry... what? How is this different from Google making Google Wallet back in 2011? They both use the same tech (PayPass, an industry standard), and both are made by an OS company.

> I'm sorry... what? How is this different from Google making Google Wallet back in 2011?

Google only partnered with MasterCard, and only released in a limited number of handsets (they were all Nexus if I remember correctly). Apple partnered with Visa, MasterCard and AmEx ahead of time, as well as a dozen or so merchants, so that anyone who gets an iPhone 6 can actually use ApplePay nearly immediately without jumping through hoops or hoping they have the right handset. At least that's what I read as "broad, inclusive."

For what it's worth, I tried using GWallet when it came to my Nexus S years ago, and got the strangest look from the guy at the convenience store when I held my phone to the reader and the register marked the transaction as complete. Just because Google was first by no means did it right or best, as evidenced through us not all walking around with Androids paying for things.

I'm always surprised at how Apple and co. can so bluntly deny the existence of prior art for what they do.

Even if they do it better, that doesn't mean they're the first.

They never say they are first. They say they are "first popular".

They say "First popular operating system."

Not even Steve Cook has a reality distortion field strong enough to pull that one off.

Google wallet was unpopular and was impeded by the cell carriers. It was a business failure, not a technical one.

"Apple Pay marks the first time a popular operating system is making payments a platform service"

Android is a popular operating system. Android made payments a platform service. Therefore, that sentence is blatantly false.

Sure, I totally agree that Google Wallet was basically a business failure.

I'd also say that the only thing that may stop Apple Pay from being a business failure is that it's Apple doing it this time (even tho, frankly, their UI looks significantly worse than Google Wallet, and has far less functionality, and Google Wallet is no longer impeded by the carriers)...

But that's not what the article section I quoted was talking about. It just made an unqualified claim: "this is the first time an OS maker has made a payments product for the physical world".

I've never used Google wallet- but how could Apple's UI be worse? All you do is tap your device. How did Google Wallet work?

Yeah I found that to be mildly humorous. Not sure how the UI is terrible, it looks pretty simple and well thought out

that's the payment experience, sure, but there's all those moments before and after your payment. say, adding a card, managing which cards you want to use at which locations, etc. there was plenty of footage in the live stream this morning, or stills here: http://www.apple.com/apple-pay/

but the bigger point: you're quibbling over the first of three points I made in an aside (the other two being that Google Wallet has way more features, and that Google Wallet is now not blocked from being on Verizon et al). The larger point is that the article saying that this is the first OS to have a payments solution is... very strange.

Well, there's the second half of that sentence which qualifies it with "broad, inclusive". I'm not saying I agree, although it could be that Apple believes Google Wallet was not broad, inclusive, or both.

Apple is a hardware company. Google just releases as much software as they can and sees what catches on since any additional user spending additional time being tracked is a win for them. Apple writes software to make their hardware more appealing.

Bad android sales doesn't affect Google. Bad iPhone sales would tank Apple.

Apple Pay uses industry-standard EMV contactless protocols over NFC (and MSD contactless for backward compatibility). This makes it compatible with a wide range of contactless payment terminals in deployment today.

So if the last section of the article is correct that means ApplePay will be compatible with Mastercard PayPass terminals? If this is true it would be really easy to roll out ApplePay as for example in Switzerland most terminals are PayPass ready.

Apple Pay is very standards compliant and the networks are very global. So I wouldn't be surprised.

This is also great for us Android/GWallet/Isis/Softcard users, as more merchants will want EMV and have it implemented.

As far as hardware goes, yes - the same antenna you use for talking with a MasterCard can get used for talking to a smartphone.

However, POS software is not at all standardized. You'd likely end up rolling out support for one POS platform at a time. They'll have the hardware you need to support ApplePay, but the rest of the work is probably tricky.

tl;dr POS software systems that accept PayPass can change their software to accept ApplePay.

That sounds different than Google Wallet. With an NFC Android phone you can pay at any PayPass terminal, without them needing to change their software.

I will admit that I might be completely wrong about the technical requirements for this. I'm sure that at least the hardware will support it, and from what I understand there may be a difference in how the terminal goes from talking with a payment method to a verified payment.

See here: https://developer.apple.com/apple-pay/Getting-Started-with-A...

"Once authorized by the user with Touch ID, your app receives a payment token from PassKit. The payment token encapsulates the information needed to complete a payment transaction. It includes a cryptogram, unique to the specific purchase, that can be decrypted with your private key or when the payment information is transmitted to a payment processor's server that has your private key. Figure 2 illustrates a typical payment flow. First the app checks that it can offer Apple Pay as a payment method. In this example, the app needs the postal code from the selected shipping address to calculate shipping cost and update the total amount due. When the user authorizes payment, your app receives a payment token from the Secure Element, via PassKit. Finally the app calls appropriate APIs in the payment processor SDK to pass the payment information to the payment processor, they process the transaction."

Pg 4. - The payment flow. You are asking about the payment provider. They need an SDK or API from Apple whether it's a POS terminal, or mobile device. Once they implement it they can theoretically accept payments. But will Apple allow this?
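The two security properties these comments lean on (an earlier reply said the token carries a cryptogram unique to the purchase and is useless once the transaction completes, and the Apple excerpt above says the processor verifies that cryptogram server-side) can be shown with a small model. This is an added example, not code from Apple, PassKit, Clover or anyone in the thread, and it is a deliberate simplification: it uses an HMAC over the transaction fields plus a monotonic transaction counter to stand in for the real EMV-style cryptogram, and the device token, key and merchant IDs are constructed values. What it demonstrates is why a captured payload does not help an attacker: the counter check rejects a replay, the MAC check rejects an altered amount, and the underlying card number never appears anywhere in the exchange.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed demo values. A real deployment provisions per-card keys into the
# Secure Element and the network's token service; nothing here is a real key.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DEVICE_TOKEN = "4111220000001232"  # constructed device-account-number-style token


def _message(token: str, amount_cents: int, merchant_id: str, atc: int) -> bytes:
    # Every field that must not be tampered with is bound into the MAC input.
    return f"{token}|{amount_cents}|{merchant_id}|{atc}".encode()


@dataclass
class DeviceAccount:
    """Model of the payment credential living in the phone's Secure Element."""
    token: str
    key: bytes
    atc: int = 0  # application transaction counter, incremented per payment

    def make_cryptogram(self, amount_cents: int, merchant_id: str) -> dict:
        """Build the per-transaction payload the app/terminal forwards onward.

        Only the token and the cryptogram leave the device; the real PAN does not."""
        self.atc += 1
        mac = hmac.new(self.key,
                       _message(self.token, amount_cents, merchant_id, self.atc),
                       hashlib.sha256).hexdigest()
        return {"token": self.token, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "atc": self.atc, "cryptogram": mac}


@dataclass
class TokenService:
    """Model of the network-side service that validates cryptograms."""
    keys: Dict[str, bytes] = field(default_factory=dict)    # token -> key
    last_atc: Dict[str, int] = field(default_factory=dict)  # token -> highest ATC seen

    def verify(self, p: dict) -> Tuple[bool, str]:
        key = self.keys.get(p["token"])
        if key is None:
            return False, "unknown token"
        expected = hmac.new(key,
                            _message(p["token"], p["amount_cents"],
                                     p["merchant_id"], p["atc"]),
                            hashlib.sha256).hexdigest()
        # Constant-time compare; a mismatch means a forged or tampered payload.
        if not hmac.compare_digest(expected, p["cryptogram"]):
            return False, "bad cryptogram"
        # A cryptogram is single-use: the counter must move forward.
        if p["atc"] <= self.last_atc.get(p["token"], 0):
            return False, "replay"
        self.last_atc[p["token"]] = p["atc"]
        return True, "approved"


def walkthrough() -> list:
    """Run one legitimate payment, a replay of it, and a tampered copy."""
    device = DeviceAccount(DEVICE_TOKEN, DEVICE_KEY)
    service = TokenService(keys={DEVICE_TOKEN: DEVICE_KEY})
    payload = device.make_cryptogram(499, "COFFEE-01")     # constructed merchant id
    results = [service.verify(payload)[1]]                  # approved
    results.append(service.verify(payload)[1])              # replay of captured payload
    tampered = dict(payload, amount_cents=49900)            # attacker edits the amount
    results.append(service.verify(tampered)[1])             # bad cryptogram
    results.append(service.verify(device.make_cryptogram(1299, "BOOKS-02"))[1])
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The replay rejection is the part that matters for the Target/Home Depot comparison: a dump of these payloads from a compromised merchant yields neither a reusable credential nor the card number behind the token.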

Another interesting question: If a vendor adds support specifically so that they can accept Apple Pay, will my Android phone start working for NFC payments there?

If they implement whatever transaction API is required by your wallet..

Perhaps this is why Apple never embarrassed NFC. Doing NFC based payments requires terminal upgrades while credit card companies are already rolling out their own version of no-touch payments.

Did you mean "embraced"?

From the merchant's perspective it should be more or less compatible with existing deployments. The problem's with the customer's side - unless their bank has done a deal with Apple they can't use it, and so far I don't think any banks outside of the US have.

In theory (at least that part of) the process should work internationally. It is worth noting though that Google Wallet, which has worked with MasterCard PayPass terminals since 2011, is still only available for US devices with US SIM cards.

It sounds like the acquirer needs to be ready to support network-level tokenization. I have no idea how an acquirer can detect what kind of card it is and compute interchange when everything is in the same BIN.

The Tokenisation FAQ by EMVCo suggests that the BINs could be selected from the card network's existing ranges, which would allow merchants and acquirers to simply pass them through to the network (where the de-tokenisation is performed): http://www.emvco.com/faq.aspx?id=264#13
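The pass-through arrangement the EMVCo FAQ describes, and the question above it about routing and interchange, can be sketched as an acquirer that routes purely on BIN and a network that de-tokenises before classifying the product. This is an added example, not code from Clover, EMVCo or anyone in the thread; the BIN ranges, token vault, product file and interchange rates are constructed for illustration and are not real network assignments. The point it shows is that when token BINs are allocated inside a network's existing ranges, the acquirer's routing logic is unchanged for a token and a plain PAN, while product type (and therefore interchange) is resolved only after the network looks the token up.

```python
from bisect import bisect_right
from typing import Optional

# Constructed, illustrative BIN ranges (not real network assignments).
# Each entry: (low, high, network) over the first six digits, inclusive.
BIN_RANGES = sorted([
    (400000, 499999, "NetA"),
    (510000, 559999, "NetB"),
    (340000, 349999, "NetC"),
    (370000, 379999, "NetC"),
])
_LOWS = [r[0] for r in BIN_RANGES]

# Constructed token vault held at the network: token -> (underlying PAN, product).
# The acquirer never sees this mapping; the token BINs sit inside the ranges above.
TOKEN_VAULT = {
    "4111220000001232": ("4111110000000013", "consumer_debit"),
    "5500990000000006": ("5500000000000004", "consumer_credit"),
}
# Constructed issuer product file for plain (non-token) PANs.
PRODUCT_FILE = {
    "4111110000000013": "consumer_debit",
    "5500000000000004": "consumer_credit",
}
# Constructed interchange categories; real schedules are far more granular.
INTERCHANGE_RATE = {"consumer_debit": "0.5%", "consumer_credit": "1.8%"}


def luhn_ok(number: str) -> bool:
    """Standard Luhn (mod 10) check digit validation."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def acquirer_route(number: str) -> Optional[str]:
    """Acquirer side: choose the network from the BIN alone.

    Returns the network name, or None if the number is malformed or unrouteable."""
    if not (number.isdigit() and 13 <= len(number) <= 19 and luhn_ok(number)):
        return None
    bin6 = int(number[:6])
    i = bisect_right(_LOWS, bin6) - 1
    if i >= 0 and BIN_RANGES[i][0] <= bin6 <= BIN_RANGES[i][1]:
        return BIN_RANGES[i][2]
    return None


def network_resolve(number: str) -> Optional[dict]:
    """Network side: de-tokenise if the number is a token, then classify the product."""
    if number in TOKEN_VAULT:
        pan, product = TOKEN_VAULT[number]
        return {"pan": pan, "product": product, "tokenised": True}
    product = PRODUCT_FILE.get(number)
    if product is None:
        return None
    return {"pan": number, "product": product, "tokenised": False}


def process(number: str) -> Optional[dict]:
    """End-to-end: acquirer routing, then network de-tokenisation and interchange lookup."""
    network = acquirer_route(number)
    if network is None:
        return None
    resolved = network_resolve(number)
    if resolved is None:
        return None
    return {"network": network,
            "interchange": INTERCHANGE_RATE[resolved["product"]],
            **resolved}


if __name__ == "__main__":
    for n in ("4111220000001232", "4111110000000013", "5500000000000004", "6011000000000004"):
        print(n, "->", process(n))
```

Note that `acquirer_route` gives the same answer for the token and for the PAN it stands in for, which is exactly why the acquirer does not need to know which one it is holding; the interchange figure only becomes known once `network_resolve` has run.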

One reason Apple Pay matters for developers and startups is it erodes a key advantage of leaders and incumbents. By dramatically reducing the friction around account creation and payments, Apple Pay makes it much, much easier for consumers to try new services. Ride sharing services, for example, could benefit from this. Of course, it will take a while for the effects to be felt, but increased competition in commerce is a positive long term implication of Apple Pay.

It really doesn't do this. Apple Pay is not the solution to moving money between parties who aren't registered merchants, with the relevant banking setup.

Anyone can become a merchant with a PayPass reader today. Apple Pay is not changing that, nor can it, since that sector is entirely dependent on local commerce/finance laws and payment processor anti-fraud costs.

Apple Pay makes developers able to pay merchants on behalf of their customers without becoming a credit card processing middleman.

Apple Pay is focused on easing consumer pain and friction, leading to more competition among service providers and retailers since trying new services will become easier for users.

Ok now I'm not sure which aspect you're talking about.

Because in the physical world the friction is not "oh I need a card" it's physically getting the customer in the door. Otherwise, what's involved is needing merchants to have NFC readers. This might be an exciting new thing in the US, but certainly in my neck of the woods NFC has near universal penetration.

In the virtual world...this problem has been solved over and over and over. I'd argue it would be very surprising to see Apple displace Paypal. Everyone has Paypal - very few people (relatively) will have ApplePay.

> Everyone has Paypal - very few people (relatively) will have ApplePay.

Today Paypal has something like 150 million users worldwide while there are 72 million iPhone users in the United States alone. Presumably all of these people will eventually upgrade to an iPhone supporting ApplePay.

That is a big assumption. Phones have been getting a longer and longer tail.

Moreover, there's almost certainly >50% overlap between iPhone user/Paypal user/other service user.

Having first-class OS support for the payment method (and the fact that a huge amount of people have been forced to register a credit card through iTunes at one point or another) means that the consumer barrier to entry is super low.

> forced to register a credit card through iTunes

I'll never forget the day they held a gun to my head and made me buy my first iPod.

Just so I get the terminology right though, when you register a card within itunes Apple is forcing you to do so, but when you register it with Google Play, Google is reluctantly allowing you to do it. Did I get that right?

In some countries there have been periods where the only way to make an iTunes account (and thus get access to app store) was through registering a credit card or buying an itunes gift card.

Google Play does not ask for a credit card unless you actually make a purchase.

> com.apple.WebKit.Networking.xpc wants to sign using key "Apple ID Authentication …" in your keychain. Do you want to allow access to this item?

What is this? I've never seen this before. Loading (and reloading) pages from this domain prompts this popup.

That would be SSL Client Certificates!

I'm curious how much, if anything, Apple makes off of this. It's pretty clear they're not displacing anyone in the existing merchant payment value chain (which is the mistake most other companies have made) but it's not clear how Apple makes any money off of this.

I have a hunch that Apple might not be making any money at all off of Apple Pay. Apple operates their business very differently than many tech companies. The vast majority of Apple's profit comes from the ridiculously high margins on their hardware. They develop services to increase the capability of the hardware platform; and any money resulting from the operation of those services is secondary.

When Apple initially released the iTunes store, they operated it at a loss. The entire iTunes store and all the payment systems, etc. that go along with it were built in order to sell iPods.

There's a very real possibility that Apple looked at the mobile payment market and said "Shit, there are way too many entrenched interests for us to insert ourselves in the value chain and take a cut. But having a superior mobile payment system will help us sell more iPhones, so we'll do it anyway." Those entrenched interests are what have kept every other mobile payment company from making a real dent in the overall payments ecosystem. Unlike with iTunes where Apple made demands about how the store had to function, they placated the industry while coming up with a solution that worked for both end users and the industry players. We'll see if it catches on, but I expect it will.

>>The vast majority of Apple's profit comes from the ridiculously high margins on their hardware.

I am not saying you are wrong, but could we see a source for that please? I always assumed that no matter what they do, the profit margin on hardware cannot be THAT large, because the costs of R&D and marketing for Apple devices must be huge (they ship with their own in-house developed operating system, after all), so I always assumed that Apple makes most money off platforms like iTunes, not hardware profits. I would be very happy to be proven wrong though.

I don't have an explicit source; but we can back into the numbers. Apple only breaks out COGS for the entire company; not by division. But regardless, the iTunes division is dwarfed by the iPhone/iPad/Mac divisions. Apple's gross margins are right around 37.5% -- which is very high. The average for the computer/electronics industry is closer to 20%. If you look at historical trends through their past SEC filings, you'll see that margins have actually been declining, and that iTunes was only a significant percentage of revenue for the last couple of years. It was less than 1% of revenue before 2007, so it operated as a very small part of the company for the first 10 years of its existence. Online media direct sales are actually not as big of a business as you might think -- for example, Steam alone did more revenue than the entire online movie sales/rental business (not counting subscription services).

As a percentage of revenue, Apple's operating expenses (which include R&D and the operation of the Apple stores, servers, etc.) are pretty low -- less than 10%.

All of this info comes from Apple's 10-K: http://investor.apple.com/secfiling.cfm?filingID=1193125-13-...

How does Apple Pay differ from Google's ecosystem and whatever it provides? There, the smartphone app (Google Wallet vs Passbook) and the hardware are not made by the same people (Samsung vs Apple) - so does this pose any problems?

Apple Pay gets a token from your card issuer and uses that to pay. Google Wallet pays with their own card and charges your card the same amount. Only difference I see is that Google knows about every transaction you make. Apple doesn't.

Well...TIL. Is there any good resource to learn about the technical side of how payments are processed, and this new tokenization/network-level tokenization effort (http://clover-developers.blogspot.com/2014/09/apple-pay.html)?

Wow that's creepy and yet completely unsurprising from google..

That data is fed into their Google Now servers, so that it can predict your buying patterns, hence offer you contextual adverts just as you're planning to buy something. /joking

A few counterpoints to having your phone used as a payment device:

- it breaks more easily and wears out quicker than a card

- you can't lend it to a friend to have him buy stuff for you (I don't have a pass id iPhone so maybe I'm wrong on this one)

- it gets stolen more often because it has intrinsic value (and a big one for the iPhone)

- if it gets stolen, how are you going to call your bank to disable it?

Plus, retrieving fingerprints from a stolen iPhone was demonstrated last year and seems pretty easy. Now that iPhones will be used to pay, you can expect criminals to get very familiar with the technique very fast.

>- it breaks more easily and wears out quicker than a card

I don't know about you, but personally I use my phone far more than all of my credit cards combined on a daily basis. Is pulling out my phone to process a transaction going to add additional wear to it? Probably not. It's most likely out already from me using it while waiting in line.

It would be great if the HN crowd would stop critiquing things before learning how they work.

- If your iPhone gets stolen then you deactivate it via Apple's existing Find My Phone feature. Deactivating your device will block payments but you won't have to talk to your bank nor will you have to get the cards themselves replaced.

- You can use a password instead of the thumbprint to pay. So you could indeed lend your phone and password to somebody for them to buy things for you. Or you could just reimburse your friend for whatever they purchased.

- People already have a working smartphone on their person at nearly all times, I don't see how "wearing out more easily" is much of a critique. Nobody is suggesting that once somebody starts using ApplePay they destroy the corresponding physical card.

> - it gets stolen more often because it has intrinsic value (and a big one for the iPhone)

Not really, if you can't activate it.

> - if it gets stolen, how are you going to call your bank to disable it?

You'll go to icloud.com and deactivate it yourself.

1) Hasn't been my experience, and when it does break a) I can get it replaced in hours not days, and b) I still have my card as a backup

2) that's not allowed by your existing cardholder agreements anyway, but if you need to do so, just give your friend your actual card

3) Demonstrably false - my CC has been replaced by my bank multiple times due to large data breaches, but my iPhone has never been stolen

4) you don't - you use Find My iPhone to disable it and your original card still works because your phone has been using tokens and one-time crypto for transactions.

#2) You can attach multiple tokens to a card. If you want to go through with it I suppose you could attach it to your friend's phone... or just give them your card because you will still have that.

#4) You call your bank and they don't allow that token to be used anymore, pretty simple really.

You don't even have to change cards because all they got was the token, which can only be used where you authorized it, once. So if someone gets the token it's pretty useless.

The part I'm not quite following is when the tokenization takes place.

If it takes place per transaction then the PAN must be saved in the phone somewhere and the phone would have to be online to do the tokenization in real-time.

If it is a one-time tokenization that happens when the card is added, isn't that token just as valuable as the PAN, since the token can be used across merchants? Maybe the 3-D Secure piece of the puzzle protects the token, but I think this still means the phone has to be online to use the NFC payment feature.

My understanding is that this operates on basically the same principle as RSA SecurID. You have an unlimited-use token stored in a dedicated chip, that for all practical purposes is impossible to access, short of, let's say, a scanning electron microscope.

That chip, with its unlimited-use token then generates one-time tokens which are sent over the payment network.

In theory the chip could issue an arbitrary number of tokens if criminals got ahold of it. But in practice, it stores a little bit of the data it needs to make a token in the neighboring TouchID chip, which operates on essentially the same principle (stores fingerprint data and missing payment data in secure hardware location, only lets it out if fingerprint sensor looks good).

To summarize you have to steal both the phone (or both chips anyway) plus the fingerprint information so the chips are useful. But wait, you say--I did steal the fingerprint data! The user left fingerprints on the back of the phone!

Well, you've got me there. But hopefully by the time your very sophisticated gang of gloved thieves has bagged and dusted your phone for prints, you've made your way to iCloud.com and revoked the phone's forever-time token, so all future one-time tokens will be considered invalid.

Keep in mind, the standard being replaced here is one where you carry all your payment information around in your pocket in plaintext. This scheme is a massive improvement on that. There's an old saying that seems relevant here: I don't have to outrun the bear, I have to outrun you. There's a tremendous amount of value in being marginally safer than the next guy.

I would think compromise of the token, while bad, is way less bad than compromise of the PAN. I would think it's much easier to regenerate the one-time token than to create a new PAN.

The token seems to be generated randomly (per transaction) in the Secure Element. See my above post.

I don't think that is quite correct. There is per-transaction stuff going on but it isn't being tokenized for every transaction.

The token is stored in the secure element but is generated by the Token Service Provider (for example Visa Token Service).

After reading the EMV token spec linked in the post[1] and the developer guide I think I'm able to answer my own question.

The card is only tokenized once (or at least not per-transaction). For in-app purchases it is using 3-D Secure and for NFC it is using EMV, both of which provide some per-transaction security. Unlike a standard card, the token will only work with 3-D Secure or EMV. For example, a standard Chip&Pin card could still have its mag-stripe data extracted by a malicious POS system and used at a merchant that only uses magstripe terminals. With Apple Pay (and any other network token based system) a copied token would be worthless because it can't be used at a magstripe terminal.

Basically the phone is acting both as an automated 3-D Secure checkout (it is processed by the processors just like 3-D Secure, but the authentication process is automated) and as a contactless EMV card without the downside of also having a magstripe with the PAN on it.
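A simplified model of the scheme described in the two comments above (the unlimited-use token in a secure chip generating per-transaction values, and the card being tokenized once with EMV supplying per-transaction security). This is an added example, not code from the thread or from Apple; the HMAC-over-counter cryptogram, the class names and the sample PAN are assumptions standing in for the real EMV cryptogram and token vault.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Models the phone-side chip: holds the network token (DPAN) and a
    per-token key that never leaves it. The real PAN is not stored here."""
    def __init__(self, dpan, key):
        self._dpan, self._key, self._atc = dpan, key, 0

    def pay(self, merchant, amount_cents):
        self._atc += 1  # application transaction counter, never reused
        msg = f"{self._dpan}|{merchant}|{amount_cents}|{self._atc}".encode()
        cryptogram = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"dpan": self._dpan, "merchant": merchant, "amount": amount_cents,
                "atc": self._atc, "cryptogram": cryptogram, "entry": "emv_contactless"}


class TokenServiceProvider:
    """Models the network side (assumed, in place of e.g. Visa Token Service):
    maps each DPAN to the real PAN and key, validates every cryptogram."""
    def __init__(self):
        self._vault = {}  # dpan -> {"pan", "key", "active", "last_atc"}

    def provision(self, pan):
        dpan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(16)
        self._vault[dpan] = {"pan": pan, "key": key, "active": True, "last_atc": 0}
        return SecureElement(dpan, key)  # key is shared at provisioning only

    def deactivate(self, dpan):
        self._vault[dpan]["active"] = False  # e.g. after a remote lock of the phone

    def authorize(self, tx):
        rec = self._vault.get(tx.get("dpan"))
        if rec is None or not rec["active"]:
            return "DECLINED: unknown or deactivated token"
        if tx.get("entry") != "emv_contactless":
            return "DECLINED: token not valid for this channel"  # copied to magstripe
        if tx.get("atc", 0) <= rec["last_atc"]:
            return "DECLINED: replayed cryptogram"
        msg = f"{tx['dpan']}|{tx['merchant']}|{tx['amount']}|{tx['atc']}".encode()
        expected = hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tx.get("cryptogram", "")):
            return "DECLINED: bad cryptogram"
        rec["last_atc"] = tx["atc"]  # advance the replay window only on success
        return f"APPROVED for PAN ending {rec['pan'][-4:]}"
```

Replaying a captured message, tampering with its amount, or presenting the bare DPAN through a magstripe channel all decline, which is the property the comments above rely on.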


I'm very curious about the business side of ApplePay. Is Apple going to get some (miniscule) cut of every transaction performed? I.e. is this a new revenue stream for Apple?

They said in their FAQ that they won't be taking a cut. Either this is purely for improving the ecosystem, or they're getting a cut from banks for cutting down fraud.

The latter is most likely

One thing I am not clear on: Will Apple make ApplePay available to Android users?

If they do, they would get more sales. More people wielding compatible phones would also drive adoption. (Think of how Discover used to be made fun of on Family Guy, but now almost everywhere will take it)

I personally think that will be the tipping point to getting a critical mass of users - making sure it's cross platform.

The 3DSecure stuff gets a bit weird: do you still get redirected to your bank's 3DSecure page? If so I don't see that working too well in at least some countries (I know Apple Pay is US only for now).

In Denmark a large number of banks would present you with a Java applet on the 3DSecure page, that's not really going to work on the iPhone.

I haven't seen yet how (or if) recurring payments are supported. Anyone know?

See page 5 of this document for evidence that recurring payments are indeed supported. https://developer.apple.com/apple-pay/Getting-Started-with-A...

The future of payments is Bitcoin.

eBay should have spun off PayPal when they had the chance. With this year's double blow of Amazon Payments and Apple Pay, their end seems near.

I assumed from the headline this would be about Apple's wage-suppressing scam.

So we want to make payments via our phones. My first thought would be to create a protocol for this. Instead we get ApplePay and GoogleWallet and whatnot.

If the internet was invented today, we would have AppleMail instead of email and GoogleTrans instead of http.
