As part of our series of mobile landscape articles, such as App Security Tips, today we discuss Apple Pay. How does it work, and why is it different from Google Wallet and other NFC-based m-wallets/mobile payment systems?
First of all, some background information about NFC payments:
- For security purposes, a method called tokenization is used in NFC payments.
- Instead of the card information, everything is done with a secure token generated per device.
- The de-tokenization (translation back to payment information) is done at the upper levels of the payment chain, at either the bank or the payment network level, so none of the intermediaries has any information about the card or the card owner.
- However, the token itself still needs to be secured and NFC standards require the use of a “secure element” inside the device. This can be established on a chip on the device or on an external element like a SIM card or a cloud-based solution as long as it is encrypted and protected from tampering.
The payment process can be divided into three steps:
- To make a payment, the user gets authenticated with the payment device in the first step.
- Then the NFC reader communicates with the “secure element” of this device.
- As the final step, the token is sent along with accompanying information.
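A simplified model of the tokenized flow described above, added here as an illustration and not taken from Apple, Google or any payment network. The names `TokenService` and `SecureElement`, the `tok_` token format, and the HMAC cryptogram with a counter standing in for the "accompanying information" are all assumptions.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, token, amount, counter):
    """Per-transaction MAC; models the 'accompanying information' (assumption)."""
    data = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TokenService:
    """Bank / payment network: the only party able to de-tokenize."""

    def __init__(self):
        self._vault = {}  # token -> [card number, device key, last counter]

    def provision(self, pan):
        """Issue a fresh token and key per device; the PAN stays in the vault."""
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return token, key

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "declined: unknown token"
        pan, key, last = entry
        good = cryptogram(key, msg["token"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(good, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= last:
            return "declined: replayed message"
        entry[2] = msg["counter"]
        return "approved: card ending " + pan[-4:]


class SecureElement:
    """Tamper-resistant store on the device: holds the token and key, never the PAN."""

    def __init__(self, token, key):
        self._token, self._key, self._counter = token, key, 0

    def pay(self, amount, user_authenticated):
        if not user_authenticated:  # step 1: user authenticates to the device
            raise PermissionError("user not authenticated")
        self._counter += 1  # steps 2-3: reader queries the element, token goes out
        return {"token": self._token, "amount": amount, "counter": self._counter,
                "cryptogram": cryptogram(self._key, self._token, amount, self._counter)}
```

Provisioning the same card onto two `SecureElement` instances yields two unrelated tokens, and the message an intermediary relays to `authorize()` never contains the card number; a resent or altered message is declined.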
As Google does not have full control over the hardware, it needed to rely on network operators to use the secure element. However, network operators in the US were offering a competing payment product (formerly ISIS, now known as Softcard), so they disallowed Google’s use of the secure element.
To overcome this limitation, Google started supporting software-based secure element solutions (Host Card Emulation, HCE for short) with Android 4.4, but with the current fragmentation of Android devices, this is not expected to jumpstart the use of Google Wallet in the short term.
Taking lessons from the problems surrounding Google Wallet, Apple positions itself in a different spot than other payment providers.
- Unlike Google Wallet or PayPal, Apple Pay itself is not a fully-fledged payment platform.
- Apple just converts your physical wallet to a digital one; the customers still rely on other financial institutions.
- Therefore, Apple is not considered a competitor and can cooperate/co-exist with other players. (Yes, Apple got the blessing of the network operators who opposed Google Wallet.)
Moreover, the advantage of Apple’s insistence on a closed hardware ecosystem shows itself here. As the sole provider of hardware, Apple provides its own secure element in iPhone 6, iPhone 6 Plus and Apple Watch, so if things go sideways, Apple is not dependent on third parties for the secure element. Apple also already has full control of the operating system, iOS 8.
Both Apple’s and Google’s approaches come with certain advantages and disadvantages.
For Apple Pay to accept different credit cards, Apple must deal one-by-one with all parties in the payment ecosystem:
- Issuers (banks)
- Credit card networks
- Payment intermediaries
Even though Apple can provide novel ways to overcome the inconveniences of the currently available solutions, it will take time to negotiate with all stakeholders for the widespread use of Apple Pay, especially outside the US. Apple Pay is not expected to launch in Europe until sometime in 2015 and maybe even later for the rest of the world. On the other hand, Google deals with this issue in the backend and can unify all credit cards into one.
For Apple, this translates into an advantage by simplifying the process of adding a payment method:
- Users take a photo of their “supported” cards,
- The card is automatically converted into a token,
- It can instantly be used for payment because Apple deals with issuers directly.
For Google, however:
- The users enter their card information manually into the Google Wallet app/website.
- When they use NFC, they actually pay with the Google Wallet card, not their own credit card.
- Google charges it back to the actual card.
It may not matter that much to users, but it is a complex process for Google, as repeated layers of processing are required. Google must take the roles of an issuer, processor and other intermediaries just for a simple transaction, which makes it a direct competitor.
An additional effect of Apple’s approach is that there is no need to store transaction information and the transaction can be viewed like a regular one on the statement of the credit card. Apple emphasizes this as a security feature, but it is a bit subjective, as people may prefer to have a record of their mobile transactions in one place as Google Wallet offers.
The real difference between Apple Pay and other payment solutions comes into play at the actual payment stage:
- For Google Wallet, the user must launch the app first and then enter their PIN to pay.
- Being the sole provider of hardware, software and the payment platform, Apple eliminates the middle steps. Once the device is near the NFC reader, the user just authenticates by using Touch ID, without any apps or PINs.
In summary, it comes down to a comparison similar to iOS and Android:
- Apple Pay focuses on design and ease of use
- Google Wallet focuses on convenience and flexibility
Apple is not the first entrant in the market, but it has the power to disrupt it. Yet, for the reasons specified, both Google Wallet and Apple Pay may have a hard time getting widely adopted.
Last but not least, while everybody is paying attention to the long-awaited contactless payment feature, Apple silently took another step to control everything inside the Apple ecosystem. With the new Apple Pay APIs, payments from mobile apps and from iTunes can be done with Apple Pay.
Physical payments may be the lure, but they are not the only objective in the grand scheme of things, especially considering that Apple prefers to have control over everything. Now, Apple has access to real-life in-app transactions such as commodity (e.g. Target) or service (e.g. Uber) transactions. Considering the total size of such transactions on a global scale, physical payments would just be icing on the cake.
One thing to note is that Apple Pay still requires developers to work with a payment provider, and the developers must use the Apple Pay SDK along with the provider’s SDK, making Apple Pay seem not a competitor but a facilitator instead.
However, the competition is already heating up, as Apple disallows the use of the NFC chip for anything other than Apple Pay, and PayPal is not one of Apple’s initial payment provider partners.
Everything aside, time will tell if Apple Pay will become another Apple service present for the sake of confinement like Apple Maps, a mandatory-ish service like iCloud, or a naturally adopted service like Siri.