How safe is it to use Apple Pay?

    Apple’s Tim Cook first revealed its physical wallet-replacement service last September

    For those who find carrying around and safeguarding their credit and debit cards a hassle, a hi-tech, easier-to-use alternative is at hand – or so Apple would have us believe.

    The world’s most valuable company has extended its mobile wallet service Apple Pay to the UK, making it the first country outside the US to get the facility.

    The scheme has the potential to further enrich the tech giant. But, of course, it’s far from being the first to try to popularise a digital wallet, and other rival services are on their way.

    So, how do you use Apple Pay?

    Apple Pay does not require users to open a special app to make a purchase

    Once a user has added their payment card details to the platform, they can buy things in high street stores, restaurants and other real-world locations by using just their iPhone.

    To trigger a payment the shopper brings their phone close to one of the contactless readers already used for tap-and-go sales in the UK, and uses the handset’s fingerprint sensor to confirm their identity.

    There is no need to launch a special app, but the consumer will need to select a different card from the screen before entering their fingerprint if they do not want to use the default option.

    Alternatively, if they own an Apple Watch, they can make purchases by holding the wearable up to a reader and double-clicking its side button.

    In addition, iPads join the watch and iPhone in being able to buy products from online shops, apps and adverts served up via Apple’s iAd platform.

    Are there any restrictions?

    Apple Pay is restricted to the firm’s latest smartphones, tablets and smartwatches

    Yes. Shoppers require at least one of Apple’s newest devices to get going.

    Only the iPhone 6, iPhone 6 Plus and Watch contain near-field communication (NFC) chips, which are required to make contactless payments.

    And the iPad Air 2 and iPad Mini 3 are the firm’s only tablets fitted with fingerprint readers, which are needed for online sales.

    According to research firm KantarWorldPanel, there are currently 2.9 million Apple Pay compatible devices in use in the UK, although it should be recognised that older handsets can be used if paired with the smartwatch.

    Another restriction is that just as tap-and-go card transactions are limited to £20 – rising to £30 in September – the same will be true of Apple Pay at many retailers.

    Stores can, however, upgrade their back-end software systems to recognise fingerprint readings as an ID-check alternative to pin codes in order to remove that cap.

    Finally, the service is only offered to those aged 13 and above.

    Who is going to support it?

    Existing contactless payment terminals will start accepting Apple Pay without needing an upgrade

    The UK’s leading credit card providers – Visa, Mastercard and American Express – have all signed up, and the initial wave of banks and building societies includes HSBC, Ulster Bank, Nationwide, NatWest, Santander, First Direct and the Royal Bank of Scotland.

    Halifax, Lloyds, Bank of Scotland and TSB say they will join “soon”.

    But that still leaves some hold-outs.

    Barclays says it is in talks to join, but has yet to commit. The lender recently launched its own alternative bPay family of contactless devices – including a wristband, key ring fob and smartphone case sticker – and may want to see how they fare first.

    And the Co-operative Bank says it is still “actively looking into our future participation”.

    As far as participating outlets are concerned, Boots, Lidl, Transport for London and M&S are all being promoted as big-name participants.

    But, in truth, any organisation – large or small – already using one of the UK’s 410,000 contactless pay terminals should be able to offer it.

    What if someone steals or hacks one of your devices?

    Apple Pay users can disable the service and/or remove cards from it if they lose their smart devices

    In theory, your details should still be safe because of the way the system is designed.

    Rather than save the original card details on a device, Apple Pay requires each of the banks and payment networks involved to create two new elements:

    • a 16-digit token – called a Device Account Number – unique to each piece of kit
    • an encryption key, which creates one-use “signatures” called cryptograms. A fresh one is generated for every transaction after a fingerprint is provided

    The token and encryption key are installed into a dedicated chip on the devices, which their operating systems cannot access.

    To authorise an in-store sale, the device’s token and an associated cryptogram are transmitted via the contactless terminal to the payment provider, who checks they belong together.

    Even if a thief did manage to intercept the information, they could not re-use the token without knowing a way to make new matching cryptograms, nor could they reverse-engineer it to reveal the original payment card’s details.
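
    The token-and-cryptogram check described above, as an added example that is not part of the original article and is not Apple's or the card networks' code. It is a simplified Python model in which HMAC-SHA256 and a transaction counter stand in for the real cryptogram algorithm, which the article does not describe; the class names, message layout and card number are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Simplified model: HMAC-SHA256 over token|counter|amount stands in for the
# payment networks' real cryptogram algorithm (an assumption, not from the article).

class Device:
    """Holds the token and key, like the dedicated chip the article describes."""
    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_pence: int) -> dict:
        self._counter += 1  # new counter value, so a new cryptogram every time
        msg = f"{self.token}|{self._counter}|{amount_pence}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self._counter,
                "amount_pence": amount_pence, "cryptogram": mac}

class PaymentProvider:
    """Issues token/key pairs and checks that token and cryptogram belong together."""
    def __init__(self):
        self._accounts = {}  # token -> key, last counter seen, real card number

    def provision(self, card_number: str) -> Device:
        # The token is random, so it cannot be reversed into the card number.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._accounts[token] = {"key": key, "last_counter": 0, "card": card_number}
        return Device(token, key)

    def authorise(self, tx: dict) -> str:
        acct = self._accounts.get(tx["token"])
        if acct is None:
            return "declined: unknown token"
        msg = f"{tx['token']}|{tx['counter']}|{tx['amount_pence']}".encode()
        expected = hmac.new(acct["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: cryptogram does not match token"
        if tx["counter"] <= acct["last_counter"]:
            return "declined: cryptogram already used"
        acct["last_counter"] = tx["counter"]
        return "approved"

if __name__ == "__main__":
    provider = PaymentProvider()
    phone = provider.provision("4000000000000002")  # constructed card number
    tx = phone.pay(1250)
    print(provider.authorise(tx), "/", provider.authorise(tx))  # second is a replay
```

    Submitting the same captured message twice is declined, and altering the amount or counter breaks the match because the key never leaves the device.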

    This should protect users – but there are caveats:

    • Apple warns users not to “jailbreak” or otherwise modify its iOS operating system
    • The card companies are urging users not to let family members or others add their fingerprints to the devices
    • Although consumers can put the machines into “lost mode” to suspend Apple Pay, some of the payment firms are insisting they be notified as soon as a device is thought to be missing if the user wants to avoid becoming liable for unauthorised purchases

    Does this mean Apple can start tracking people’s payments?

    Apple says its scheme has been designed to protect its members’ privacy

    No – or at least not in a way that they can be linked to individual shoppers.

    The firm’s privacy statement promises: “Apple Pay doesn’t collect any transaction information that can be tied back to you. Payment transactions are between you, the merchant, and your bank.”

    So, while the iPhone’s Passbook app can be used to display the last 10 transactions per card, this information is provided by the payment providers themselves rather than recorded on Apple’s servers.

    That does not mean, however, that Apple collects no data at all.

    If the user has the “location services” option switched on, the tech firm can anonymously track the time and place a real-world purchase is made.

    Similarly, if Apple Pay is used to buy something within an app, the company retains data about the sum spent, when the service was bought and who the merchant was – but not the shopper’s identity.

    And if Apple Pay is used to buy something from an iAd promotion, details of the purchase “that can’t be tied” to a specific user are shared with the advertiser.

    All of this is potentially commercially useful to Apple.

    How else might it benefit?

    Apple is reported to have struck a deal to take a cut of US banks’ transaction fees

    Once a user has registered with Apple Pay, they have an added incentive to stay within Apple’s ecosystem, helping it sell them more phones, smartwatches and tablets.

    Last year, the Financial Times also reported that Apple had convinced the US banks to let it keep a 0.15% cut of each transaction, which comes out of the lenders’ fees. It is not known if it has struck the same deal in the UK.

    And a recently published patent suggests Apple is also exploring extending the service to let users send payments to each other, for which it could charge a fee.

    But more people use Android than iOS. What about them?

    Samsung has said its proprietary digital wallet initiative will launch later this year

    Samsung has announced its top-end handsets will soon offer Samsung Pay in South Korea, the US and Europe.

    In addition to using similar NFC-based tech, the facility can also mimic the swipe of a magnetic strip card.

    That may prove popular in the US where terminals that accept contactless and chip-and-pin payments are relatively rare.

    Meanwhile, Google intends to revamp and rebrand its US-only Google Wallet mobile service as Android Pay.

    The new version will support the use of fingerprint scanners and also support typed-in passwords or drawn patterns as alternative ID checks.

    Both Samsung Pay and Android Pay will adopt a similar token-based security system to Apple’s.

    Are there other mobile wallet schemes?

    Zapp lets shoppers use NFC-based contactless payment terminals and QR codes to complete payments

    Lots.

    In the UK alone, shoppers can use Barclays’ Pingit and PayM to send and receive money by using mobile numbers.

    PayPal – already popular for online money transfers – has also trialled in-store and in-restaurant payments with Gourmet Burger Kitchen and Wagamama among others.

    Visa’s V.Me service allows users to store a range of credit card details securely online to help speed up internet purchases.

    And on the horizon, a new service called Zapp promises to let older smartphones make bank debit payments in stores belonging to Asda, Sainsbury’s, House of Fraser and Clarks among others.