It is significant that among the recent much-anticipated and ballyhooed products unveiled by Apple, a nondevice—Apple Pay—received as much if not more attention as the new iPhones and the newer Apple Watch.
Apple Pay essentially turns the newest iPhones into digital wallets. It uses a secure element incorporated in the device along with near-field communication to provide contactless payment capability at point of sale. Fine, but nothing new there.
The difference is that this is Apple, and people in the hundreds of millions not only already like Apple but have provided the company their credit and debit accounts through iTunes.
And Apple is a very smart company. Eden Zoller, analyst for Ovum, observes: “It makes total sense for Apple to launch a payments service with the release of the iPhone 6, a move that will have a positive but also a disruptive effect on the mobile payments market, particularly for mobile operators. Apple has been putting the pieces in place for a fully-fledged mpayments service for some time: Passbook, Touch ID biometrics, the iBeacon feature in iOS 7, the EasyPay feature in the Apple App Store application.” (If you've been on the dark side of moon for the last week or so, check out our earlier coverage, "Apple enters mobile transactions with Apple Pay.")
So that’s the upside of Apple Pay. The downside is that Apple is struggling with the perception that it is lax in security, specifically with the recent disclosures that compromising pictures of famous people were hacked from Apple’s iCloud. Apple said iCloud wasn’t breached, but that the users’ passwords were. Even so, the event, along with recent but unassociated massive payments breaches at major retailers, has put Apple on the defensive regarding its security awareness.
So, in the Apple Pay announcement, it took great pains to describe how secure it is. As described in the product release: actual card numbers are not stored in devices or servers; unique “Digital Account Numbers” are assigned, encrypted, and securely stored in the device; each transaction is authorized with a one-time unique number; and dynamic security codes validate each transaction. On top of this, should users activate their Touch ID function on their new devices, transactions are authorized only when the user’s fingerprint matches the one stored in the device, as the transaction occurs.
Trustwave, which specializes in payments security, takes a wait-and-see approach to Apple Pay’s security. “In general, we cannot say with certainty that mobile payment systems are more secure than payment cards; only time will tell. However, as with any new addition or feature to a platform, even ones meant to enhance security, this expands the overall attack surface, making it attractive for criminals looking for vulnerabilities to exploit,” said Mike Park, managing consultant at Trustwave, in a statement. “As businesses use mobile payment system applications, they need to make sure they are performing automated vulnerability scanning across all of their applications followed by in-depth penetration testing for their most critical applications.”
Nevertheless, it’s plain that Apple convinced many major players to clamber aboard Apple Pay. For example, Jim Smith, head of Virtual Channels for Wells Fargo—one of the service’s original partners—says: “When we review mobile wallet providers, we look for payment safety, quality of service, and ease of use for our customers. Apple Pay is a strong offering in those areas and we know our customers want and need this option as they live their increasingly digital lives.”
That brings it full circle then. People not only will want but eventually need something like this, as long as they are convinced it is safe. Apple appears for the moment to have taken the initiative in the effort to cross that want-to-need divide. Maybe the most significant aspect of Apple Pay is that it lends greater legitimacy to contactless, mobile payments than existed before—booting it out of a niche area into the mainstream, a stream where competing mobile payments providers might find benefit. Here are what some industry observers say:
• “Though users may have reservations about security and privacy, it seems like this is the moment when mobile payments will finally catch on. Faith in the security of the current payment system has been eroded, plus the idea of mobile payment isn’t that new anymore. And many services similar to Apple Pay already exist. The difference is that Apple Pay taps into Apple’s extensive existing ecosystem and feels like an extension of the Apple services people already use rather than something new to learn,” says Lily Hay Newman, writing in a blog for Slate.
• “Juniper has argued that the impact of an Apple digital wallet…regardless of interface technology, would create a halo effect toward contactless payment in general. We still believe that in most markets this will primarily be driven by contactless card transactions, but that the greater awareness of handset contactless payments that Apple will generate will, in turn, result in an uplift in adoption and usage,” says Windsor Holden, analyst for Juniper Research.
• “The decision to release an Apple Pay API (application programming interface, or a set of routines, protocols, and tools for building software applications) to developers will likely prove the biggest revolution over time as it allows merchants, and indeed other third-party payment providers, to develop new payment services revolving around that core Apple payment service. Opening up its service in this way will help to potentially cement Apple at the center of a broader payments ecosystem by enabling a broader range of services,” says Gilles Ubaghs, another analyst at Ovum.
Zoller, the other Ovum analyst, probably sums it up as well as any: “Apple reckons its new Apple Pay service will be the one that makes traditional wallets a thing of the past. Rhetoric to this effect is nothing new in the mpayments space but so far it has left consumers cold. But if anyone can help make this happen then it is probably Apple.”
Sources for this article include: