Most of the focus has been on the Apple Watch. But in the online security and privacy world, the Apple Pay announcement is the most important. With the ongoing and seemingly never-ending retail point of sale (POS) data breaches, the Apple Pay announcement has the potential to do what no one else has been able to: give us a genuine and permanent solution to this problem.
It helps first to understand the problem. The reason that we’re seeing so many successful data breaches now against retail POS systems is that the infrastructure is fundamentally unsound from a security point of view. The mag stripe technology in credit cards dates from the 1960s; the POS systems that process them are using technology from the 1990s (at best). By contrast, attackers are using 2010s technology. The POS infrastructure is simply outgunned, and now it’s falling.
Outside of the U.S., EMV or “chip and pin” has been widely and successfully used for years. This is a newer and more secure technology. But it’s costly to implement, slows down transactions and is viewed by many as too much of a hassle. These are reasons why you don’t see this in the US: banks and credit card companies viewed the cost and risks of loss from the new technology as outweighing the cost and risks of loss from theft.
In the wake of the retail POS data breach crisis, people have lobbied for EMV and are talking about plans to implement EMV in the US. But those hurdles are still there and we haven’t seen much more than talk.
Meanwhile, others have tried to implement mobile payment systems. But these haven’t taken off because of the classic bootstrapping problem that new platforms face. Retailers won’t invest in the new technology until customers are willing to use it. Customers won’t use the new technology unless there’s a place to use it. Mobile payment systems have been like Bitcoin acceptance: a leading-edge curiosity that’s not ready for prime time.
By including Apple Pay capabilities on all new iPhones moving forward, Apple has overnight solved one half of the bootstrapping problem. Retailers can be confident that a percentage of their customers will be able to use Apple Pay. Not only that, but it will be their early adopter customers. This gives retailers incentive to support Apple Pay with the necessary payment infrastructure.
As we’ve seen in the past, where Apple leads the rest of the world follows. The implementation of infrastructure to support Apple Pay will quickly support other mobile payment platforms as companies like Google quickly move to piggyback on that technology and infrastructure. As technology proliferates, costs will come down and ease of use and implementation will go up.
Beyond how Apple’s entrance into mobile payment brings the “network effect” into play, there’s the fact that Apple’s implementation appears so far to be a good one from a security and privacy point of view. We need to research and understand it better, but it looks like Apple has come up with a solid design that I would feel comfortable using.
With Apple Pay, Apple has jumped into the world of retail payments at a time when the current solution is unsound and broken and the main proposed solution, EMV, isn’t desirable. They’re jumping in with a solution that appears to be good from a security and privacy point of view. And by jumping in, they bring their ability to move markets to bear on this issue.
In a single day, Apple may have changed how we pay for things for good, and helped us bring the retail POS data breach crisis to a close in the long term. And in so doing, they may have also saved all of us from the hassle of “chip and pin.”
That closure won’t come quickly, but at least we can see a light at the end of the tunnel.