Maybe it's just me but I'm not drinking the kool aid about Apple Pay in today's announcement. Aside, I really hated the fact that to watch the event you had to use a Safari browser, same with watching Swift tutorial videos on their website, using latest Chrome on a Mac...
Maybe I'm old school but I'm actually finding that payment options are getting worse, not better. This is another example of further fragmentation. Tap cards, stripe cards, chip cards - all the machines have different interfaces, some touch screen, some with pens. Not sure about you guys but I forget my credit card pin compared to my bank card pin half the time. I have way too many accounts to remember already. What happened to just a signature?
It's like someone needs to come up with an interface for payments that's universally accepted. Think of a wall socket for power, 3 prongs, supports 2 prong interface. Works great.
Let's step back. Oh wait, we have one. It's called CASH.
Cash seems to make more and more sense these days. No overage fees for using your own money. Accepted everywhere already. It doesn't get malware and steal your data. It doesn't need charging or have bugs. Doesn't seem as easy to spend when you physically see it leaving your old school wallet.
I for one won't ever use my phone for payments nor will I be looking to work on apps trying to convince others that it's fairy land for payments and makes your life better because of revolutionary Apple marketing spiels. Virtual apps on the app stores, fine, I see it makes sense. Brick and mortar, I just don't see it.
I'm a Canadian who is temporarily in the US, and it seems so backwards to me. A signature? You mean writing on a piece of paper that probably never gets looked at allows someone to take money out of my bank account? Chip+Pin at least has a semblance of technical security.
And cash? Don't get me started. Cash can be physically lost. Cash can be stolen. When you pay with cash, you get given coins as well as the thing you are buying. Coins suck. To me, cash makes less and less sense these days. In Canada, I never carry any. In California there are enough cash only places (in 2014!) that I have some at most times.
I will probably not know it when I see it, but I look forward to the last day I touch cash.
This, I'm living exactly the same situation right now.
Last time I came to the US, I realized my cards' magnetic bands weren't working. Would have never noticed otherwise, chips don't wear off. Had to prepare for new cards before my next trip. Chips came so long ago in Canada that I can't recall when. My surprise every time I remember they're still not here.
Then cash only places and having to receive coins; the worst. And then what do you do with the coins, hope that one day you'll get the chance to use them? That never happens. You must accumulate coins in your pockets. Accumulate discomfort and never dare throwing them away. And what's up with cents, what do you buy with a cent?
Back in Canada, all I carry is a debit/credit card (wink) and a health insurance card (wink).
> Chips came so long ago in Canada that I can't recall when.
I left Canada in 2008, and I don't remember chip & pin being prevalent as it is now, so it's not quite as "long ago" as you are implying.
But... you might have issues carrying just a credit card. Many places only accept debit due to there being smaller merchant fees and there are still many cash-only places (in Toronto at least).
And seriously? When I end up with cash / change in my pockets I end up using it. Your comments about "OMG! What do I do with physical money?! It's sooooo useless" are a bit hyperbolic.
> And then what do you do with the coins, hope that one day you'll get the chance to use them?
You dump the coins in a change jar on top of your dresser. Then once a year or so, when you have accumulated $100 in coins, you bring the jar to a coinstar machine at your local supermarket and get the coins converted to an Amazon gift certificate.
I have an algorithm for minimizing my coin count. When I buy a soda or snack from a machine, I put the smallest denomination coins in first (nickels) and then work my way up (dimes, then quarters) until I have put enough money in to make my purchase. The machine gives me change, and as long as the item costs at least 25 cents (a practical certainty!), I'm sure to have fewer coins in my pocket afterwards.
The chips may not, but the contact surfaces corrode. Then, when you're facing a slightly aged payment terminal with also corroded contacts, your card gets rejected no matter what you do.
So from my view, NFC in phone has two things going for it: it can be toggled on and off, effectively preventing drive-by cardjacking; and it is better protected from elements.
The fact that I have other personal reservations about contactless payments is a different matter altogether.
>>Would have never noticed otherwise, chips don't wear off.
Oh that's so not true. I keep my cards in my pocket and I already had to replace a few due to the fact that they wouldn't be recognized at terminals anymore. And I am a huge supporter of chip+pin.
I am optimistic. Today, I have to remove my credit card from my wallet to hold it close to the card terminal, in the future my iPhone will be sufficient …
These conclusions are surprising to me. I grew up in the states and lived in Canada for 4 years.
Though I agree with the lack of security offered by a signature, that method of payment is basically offered everywhere in the US. Compared to Canada it's uncommon to be asked for a 5 dollar minimum purchase or a 50 cent surcharge for a credit card transaction. Furthermore, the credit limits in Canada seemed downright restrictive.
Say whatever about the security of credit cards in the US but as a consumer the product is much more compelling. I can go almost anywhere, rarely pay extra fees and easily spend all of my own money. Furthermore, why would I care about a signature? Yes it's antiquated but who cares if it's never used, I can charge back fraudulent charges pain free in the US which has not been my experience in Canada.
Basically, I think the user experience of paying money is really important, but chip and pin doesn't solve that problem.
I've found that the places that typically charge fees or have minimums in Canada are the tiny Asian restaurants run by immigrants, and the small corner stores. Similar places in the US are the ones I find that take cash only a lot of the time.
Credit limits in Canada start out restrictive, yes, though I've generally found that if you ask for a higher limit, they will generally grant it. I've had good credit though. That probably makes a difference.
I've been lucky enough to never need to do a chargeback in Canada or the US. Maybe it's not easy in Canada.
The signature is for identification after the fact. So if someone steals your card, the credit card company can look at the signature for that transaction versus 10 other signatures for valid transactions and quickly know if it was your signature or not.
That said, I don't think we will ever live in a cash-less world. There are too many merchants for whom any technology is too much. Also, a lot of merchants don't want to pay credit card processing fees (which I expect don't go away with this system) and still others like to cheat on their taxes and running a cash business makes that easier.
I used my swipe-only American Visa when I was in London, and was looked at like a neanderthal. Cards are easily stolen, signatures are easily forged, but my thumbprint is pretty much only mine (yes, it can be tricked, but you still have to get it somehow). I welcome two-form, and loathe Visa and MasterCard for holding it up as long as they have in the States.
Someone hacked Target and Home Depot POS systems recently and stole millions of credit card numbers. I really don't want someone doing that to my thumbprint. I can always get a new CC# but I'm stuck with the thumbs I've got.
Is that meant to be a real reply? I'll answer it like it is, giving you the benefit of the doubt - your thumbprint is only used to unlock the data store on the device, where the credit card token is kept. Note token, not actual credit card number or CVV code. The data stolen from Target and Home Depot was the real number, where ApplePay will use a one-time token, so even if it's stolen, it's useless once the transaction is complete. But that wasn't a real reply, was it?
I'm not sure it's clear cut if one is better than the other. I've used HLS and implemented a toy HLS server, and can say anecdotally that it was easy to use and quite a nice standard, although not brilliantly implemented by clients so far. Because of this, I understand why Apple continue to push HLS, and why Google continue to push DASH, and why neither will implement the other's technology in their browsers.
Google actually neither supports nor ignores HLS; they provide a JavaScript interface that allows sites to support HLS, MPEG-DASH and possibly other protocols. Apple's site seems to rely on "native" HLS support; this is probably why Chrome can't stream the video.
Oh, so it's not a ploy to force safari use... it's a ploy to force HLS. Thanks for the heads up.
Edit: Just to be clear, it is really interesting and appreciate your comment, but it's still silly for Apple to limit their advertisements to Apple users.
I'm presuming cdnsteve is in the US? In the UK payment options have improved in various ways. I used to be a fan of cash as the quickest and easiest way to pay for something small like a coffee but we now have NFC where you just hold your card near and it takes like 10 seconds (mostly for the waitress to press buttons), quicker than getting change for cash. Also instant free bank transfers, chip and pin and other conveniences.
Re the iphone I think it'll use the same NFC terminal I just paid for my coffee with at Pret. Being able to wave a phone rather than my bank card is a bit ho hum. I guess for sums over £20 I could use my finger print rather than having to enter the pin as one does at the moment. The advantage seems a bit marginal.
really, cash? cash sucks in so many ways. it can get lost, it can get stolen, it takes up more room, it takes longer to pay with, you have to get coins back as change. should i go on? i thought the apple pay stuff was the best part about today's event. if they can get a high percentage of merchants to accept it it will noticeably improve my life. small things like saving time checking out will make me happy therefore improving my overall quality of life.
Cash still works when a city does not have power and ATM machines don't work. I've had a few instances of this in my life and I was caught without having much cash. Emergencies, cash still rules supreme.
The point about it getting lost is actually worse for a phone. You can also lose your smartphone. Losing your phone is a greater risk than losing the minimal amount of cash you carry on you. Think about it, if you don't have a password on your phone or you do and someone gets in, how much data are you exposing? Facebook, mass messaging all contacts, Banking, App stores, Email, the list goes on and on.
Not to mention your phone's likely in a contract and you hold a few hundred dollar balance remaining on the item itself.
The problem with any technology is that even though we put our best foot forward, there will always be bugs and glitches. Cash, always, just works.
Really? I've found that processing machines can tend to take a while. Some of them are also super slow for no reason (and if you don't go at their pace they force you to restart the transaction).
Yea, I use cash for a few reasons, and found it liberating. If you do use cash you need to really trust the people you live with. Actually, in my family we only have one credit card and everyone uses it just for emergencies and online purchases, and we still use checks for bills.
I applaud Apple for trying to make transactions safer, but I honestly don't even trust Apple (never gave them the family credit card for iTunes). By the way, I hardly ever use iTunes anymore. I couldn't be the only one? I'm surprised iTunes doesn't have more competition by now--a good alternative?
cash wears out easily, it can be hard to have exact change.
I agree with the psychological effect of spending cash compared to a card (digits don't mean as much as handing over a bunch of paper), but things like IC cards are great for people who hate fidgeting with change (this is especially bad in places like Europe/Japan where a handful of change can end up being over $20).
And it's not like cash has disappeared. This is one more option.
The problem of capitalism is that all agents want (amongst other things) full vendor lock-in. Sadly that's been our general direction for the past 50 years in most aspects of life, and there seems to be little hope for reversing the machine in the short term.
As against planned economies in which lock-in by a single vendor is mandatory and essentially irreversible. The answer, as Adam Smith observed, is a well regulated market.
If you're going to make negative comments like that, it would be helpful if you were to offer some kind of alternative and why it's better.
This happens when the vendor has a certain degree of control over their market; however, if the market is large enough, an overly-restricted platform becomes a liability, and customers move to better solutions.
That's not the "problem of capitalism", that's the problem with bad people that are power hungry and uninformed people that see absolution in centralized power.
I'm very hopeful that we will be able to reverse this trend as I see decentralization efforts everywhere (internet to press, 3d printing to manufacturing, bitcoin to currency, blockchain to public ledger, photovoltaics for power, etc).
Nothing, it's gibberish. Or, rather, a signal you can use to realize that the person who wrote it can't think critically and most likely doesn't have anything useful to say.
It's a serious question -- what does this sort of talk actually mean? What would "subscribing to The Cult of Apple" mean in this situation? Using Apple Pay? Believing it will succeed? What?
> Apple Pay marks the first time a popular operating system is making payments a platform service for real-world, non-digital-good transactions, in a broad, inclusive manner that is compatible with the mainstream payments processing industry
I'm sorry... what? How is this different from Google making Google Wallet back in 2011? They both use the same tech (PayPass, an industry standard), and both are made by an OS company.
> I'm sorry... what? How is this different from Google making Google Wallet back in 2011?
Google only partnered with MasterCard, and only released in a limited number of handsets (they were all Nexus if I remember correctly). Apple partnered with Visa, MasterCard and AmEx ahead of time, as well as a dozen or so merchants, so that anyone who gets an iPhone 6 can actually use ApplePay nearly immediately without jumping through hoops or hoping they have the right handset. At least that's what I read as "broad, inclusive."
For what it's worth, I tried using GWallet when it came to my Nexus S years ago, and got the strangest look from the guy at the convenience store when I held my phone to the reader and the register marked the transaction as complete. Just because Google was first by no means did it right or best, as evidenced through us not all walking around with Androids paying for things.
Sure, I totally agree that Google Wallet was basically a business failure.
I'd also say that the only thing that may stop Apple Pay from being a business failure is that it's Apple doing it this time (even tho, frankly, their UI looks significantly worse than Google Wallet, and has far less functionality, and Google Wallet is no longer impeded by the carriers)...
But that's not what the article section i quoted was talking about. It just made an unqualified claim "this is the first time an OS maker has made a payments product for the physical world"
that's the payment experience, sure, but there's all those moments before and after your payment. say, adding a card, managing which cards you want to use at which locations, etc. there was plenty of footage in the live stream this morning, or stills here: http://www.apple.com/apple-pay/
but the bigger point: you're quibbling over the first of three points i made in an aside (the other two being that google wallet has way more features, and that google wallet is now not blocked from being on Verizon et al). The larger point is that the article saying that this is the first OS to have a payments solution is... very strange.
Well, there's the second half of that sentence which qualifies it with "broad, inclusive". I'm not saying I agree, although it could be that Apple believes Google Wallet was not broad, inclusive, or both.
Apple is a hardware company. Google just releases as much software as they can and sees what catches on since any additional user spending additional time being tracked is a win for them. Apple writes software to make their hardware more appealing.
Bad Android sales don't affect Google. Bad iPhone sales would tank Apple.
Apple Pay uses industry-standard EMV contactless protocols over NFC (and MSD contactless for backward compatibility). This makes it compatible with a wide range of contactless payment terminals in deployment today.
So if the last section of the article is correct that means ApplePay will be compatible with Mastercard PayPass terminals?
If this is true it would be really easy to roll out ApplePay as for example in Switzerland most terminals are PayPass ready.
As far as hardware goes, yes - the same antenna you use for talking with a MasterCard can get used for talking to a smartphone.
However, POS software is not at all standardized. You'd likely end up rolling out support for one POS platform at a time. They'll have the hardware you need to support ApplePay, but the rest of the work is probably tricky.
tl;dr POS software systems that accept PayPass can change their software to accept ApplePay.
That sounds different than Google Wallet. With an NFC Android phone you can pay at any PayPass terminal, without them needing to change their software.
I will admit that I might be completely wrong about the technical requirements for this. I'm sure that at least the hardware will support it, and from what I understand there may be a difference in how the terminal goes from talking with a payment method to a verified payment.
"Once authorized by the user with Touch ID, your app receives a payment token from PassKit. The payment token encapsulates the information needed to complete a payment transaction. It includes a cryptogram, unique to the specific purchase, that can be decrypted with your private key or when the payment information is transmitted to a payment processor’s server that has your private key.
Figure 2 illustrates a typical payment flow. First the app checks that it can offer Apple Pay as a payment method. In this example, the app needs the postal code from the selected shipping address to calculate shipping cost and update the total amount due. When the user authorizes payment, your app receives a payment token from the Secure Element, via PassKit. Finally the app calls appropriate APIs in the payment processor SDK to pass the payment information to the payment processor, they process the transaction."
Pg 4. - The payment flow. You are asking about the payment provider. They need an SDK or API from Apple whether it's a POS terminal, or mobile device. Once they implement it they can theoretically accept payments. But will Apple allow this?
Another interesting question: If a vendor adds support specifically so that they can accept Apple Pay, will my Android phone start working for NFC payments there?
Perhaps this is why Apple never embraced NFC. Doing NFC based payments requires terminal upgrades while credit card companies are already rolling out their own version of no-touch payments.
From the merchant's perspective it should be more or less compatible with existing deployments. The problem's with the customer's side - unless their bank has done a deal with Apple they can't use it, and so far I don't think any banks outside of the US have.
In theory (at least that part of) the process should work internationally. It is worth noting though that Google Wallet, which has worked with MasterCard PayPass terminals since 2011, is still only available for US devices with US SIM cards.
It sounds like the acquirer needs to be ready to support network-level tokenization. I have no idea how an acquirer can detect what kind of card it is and compute interchange when everything is in the same BIN.
The Tokenisation FAQ by EMVCo suggests that the BINs could be selected from the card network's existing ranges, which would allow merchants and acquirers to simply pass them through to the network (where the de-tokenisation is performed):
http://www.emvco.com/faq.aspx?id=264#13
One reason Apple Pay matters for developers and startups is it erodes a key advantage of leaders and incumbents. By dramatically reducing the friction around account creation and payments, Apple Pay makes it much, much easier for consumers to try new services. Ride sharing services, for example, could benefit from this. Of course, it will take a while for the effects to be felt, but increased competition in commerce is a positive long term implication of Apple Pay.
It really doesn't do this. Apple Pay is not the solution to moving money between parties who aren't registered merchants, with the relevant banking setup.
Anyone can become a merchant with a PayPass reader today. Apple Pay is not changing that, nor can it since that sector is entirely dependent on local commerce/finance laws and payment processor anti-fraud costs.
Apple Pay is focused on easing consumer pain and friction, leading to more competition among service providers and retailers since trying new services will become easier for users.
Ok now I'm not sure which aspect you're talking about.
Because in the physical world the friction is not "oh I need a card" it's physically getting the customer in the door. Otherwise, what's involved is needing merchants to have NFC readers. This might be an exciting new thing in the US, but certainly in my neck of the woods NFC has near universal penetration.
In the virtual world...this problem has been solved over and over and over. I'd argue it would be very surprising to see Apple displace Paypal. Everyone has Paypal - very few people (relatively) will have ApplePay.
> Everyone has Paypal - very few people (relatively) will have ApplePay.
Today Paypal has something like 150 million users worldwide while there are 72 million iPhone users in the United States alone. Presumably all of these people will eventually upgrade to an iPhone supporting ApplePay.
Having first-class OS support for the payment method (and the fact that a huge amount of people have been forced to register a credit card through iTunes at one point or another) means that the consumer barrier to entry is super low.
I'll never forget the day they held a gun to my head and made me buy my first iPod.
Just so I get the terminology right though, when you register a card within iTunes Apple is forcing you to do so, but when you register it with Google Play, Google is reluctantly allowing you to do it. Did I get that right?
In some countries there have been periods where the only way to make an iTunes account (and thus get access to app store) was through registering a credit card or buying an iTunes gift card.
Google Play does not ask for a credit card unless you actually make a purchase.
I'm curious how much, if anything, Apple makes off of this. It's pretty clear they're not displacing anyone in the existing merchant payment value chain (which is the mistake most other companies have made) but it's not clear how Apple makes any money off of this.
I have a hunch that Apple might not be making any money at all off of Apple Pay. Apple operates their business very differently than many tech companies. The vast majority of Apple's profit comes from the ridiculously high margins on their hardware. They develop services to increase the capability of the hardware platform; and any money resulting from the operation of those services is secondary.
When Apple initially released the iTunes store, they operated it at a loss. The entire iTunes store and all the payment systems, etc. that go along with it were built in order to sell iPods.
There's a very real possibility that Apple looked at the mobile payment market and said "Shit, there are way too many entrenched interests for us to insert ourselves in the value chain and take a cut. But having a superior mobile payment system will help us sell more iPhones, so we'll do it anyway." Those entrenched interests are what have kept every other mobile payment company from making a real dent in the overall payments ecosystem. Unlike with iTunes where Apple made demands about how the store had to function, they placated the industry while coming up with a solution that worked for both end users and the industry players. We'll see if it catches on, but I expect it will.
>>The vast majority of Apple's profit comes from the ridiculously high margins on their hardware.
I am not saying you are wrong, but could we see a source for that please? I always assumed that no matter what they do, the profit margin on hardware cannot be THAT large, because the costs of R&D and marketing for Apple devices must be huge (they ship with their own in-house developed operating system, after all), so I always assumed that Apple makes most money off platforms like iTunes, not hardware profits. I would be very happy to be proven wrong though.
I don't have an explicit source; but we can back into the numbers. Apple only breaks out COGS for the entire company; not by division. But regardless, the iTunes division is dwarfed by the iPhone/iPad/Mac divisions. Apple's gross margins are right around 37.5% -- which is very high. The average for the computer/electronics industry is closer to 20%. If you look at historical trends through their past SEC filings, you'll see that margins have actually been declining, and that iTunes was only a significant percentage of revenue for the last couple of years. It was less than 1% of revenue before 2007, so it operated as a very small part of the company for the first 10 years of its existence. Online media direct sales are actually not as big of a business as you might think -- for example, Steam alone did more revenue than the entire online movie sales/rental business (not counting subscription services).
As a percentage of revenue, Apple's operating expenses (which include R&D and the operation of the Apple stores, servers, etc.) are pretty low -- less than 10%.
How does Apple pay differ from Google's ecosystem and whatever it provides? There, the smartphone app (Google Wallet vs passbook) and the hardware is not made by the same people (Samsung vs Apple) - so does this pose any problems?
Apple Pay gets a token from your card issuer and uses that to pay. Google Wallet pays with their own card and charges your card the same amount. Only difference I see is that Google knows about every transaction you make. Apple doesn't.
That data is fed into their Google Now servers, so that it can predict your buying patterns, hence offer you contextual adverts just as you're planning to buy something. /joking
A few counterpoints to having your phone used as a payment device:
- it breaks more easily and wears out quicker than a card
- you can't lend it to a friend to have him buy stuff for you (I don't have a pass id iphone so maybe I'm wrong on this one)
- it gets stolen more often because it has intrinsic value (and a big one for the iphone)
- if it gets stolen, how are you going to call your bank to disable it?
Plus, retrieving fingerprints from a stolen iphone was demonstrated last year and seems pretty easy. Now that iphones will be used to pay, you can expect criminals to get very familiar with the technique very fast.
>- it breaks more easily and wears out quicker than a card
I don't know about you, but personally I use my phone far more than all of my credit cards combined on a daily basis. Is pulling out my phone to process a transaction going to add additional wear to it? Probably not. It's most likely out already from me using it while waiting in line.
It would be great if the HN crowd would stop critiquing things before learning how they work.
- If your iPhone gets stolen then you deactivate it via Apple's existing Find My Phone feature. Deactivating your device will block payments but you won't have to talk to your bank nor will you have to get the cards themselves replaced.
- You can use a password instead of the thumbprint to pay. So you could indeed lend your phone and password to somebody for them to buy things for you. Or you could just reimburse your friend for whatever they purchased.
- People already have a working smartphone on their person at nearly all times, I don't see how "wearing out more easily" is much of a critique. Nobody is suggesting that once somebody starts using ApplePay they destroy the corresponding physical card.
1) Hasn't been my experience, and when it does break a) I can get it replaced in hours not days, and b) I still have my card as a backup
2) that's not allowed by your existing cardholder agreements anyway, but if you need to do so, just give your friend your actual card
3) Demonstrably false - my CC has been replaced by my bank multiple times due to large data breaches, but my iPhone has never been stolen
4) you don't - you use Find My iPhone to disable it and your original card still works because your phone has been using tokens and one-time crypto for transactions.
#2) You can attach multiple tokens to a card. If you want to go through with it I suppose you could attach it to your friend's phone... or just give them your card because you will still have that.
#4) You call your bank and they don't allow that token to be used anymore, pretty simple really.
You don't even have to change cards because all they got was the token, which can only be used where you authorized it, once. So if someone gets the token it's pretty useless.
The part I'm not quite following is when the tokenization takes place.
If it takes place per transaction then the PAN must be saved in the phone somewhere and the phone would have to be online to do the tokenization in real-time.
If it is a one-time tokenization that happens when the card is added isn't that token just as valuable as the PAN since the token can be used across merchants? Maybe the 3-D secure piece of the puzzle protects the token but I think this still means the phone has to be on-line to use the NFC payment feature.
My understanding is that this operates on basically the same principle as RSA SecurID. You have an unlimited-use token stored in a dedicated chip, that for all practical purposes is impossible to access, short of, let's say, a scanning electron microscope.
That chip, with its unlimited-use token then generates one-time tokens which are sent over the payment network.
In theory the chip could issue an arbitrary number of tokens if criminals got ahold of it. But in practice, it stores a little bit of the data it needs to make a token in the neighboring TouchID chip, which operates on essentially the same principle (stores fingerprint data and missing payment data in secure hardware location, only lets it out if fingerprint sensor looks good).
To summarize you have to steal both the phone (or both chips anyway) plus the fingerprint information so the chips are useful. But wait, you say--I did steal the fingerprint data! The user left fingerprints on the back of the phone!
Well, you've got me there. But hopefully by the time your very sophisticated gang of gloved thieves has bagged and dusted your phone for prints, you've made your way to iCloud.com and revoked the phone's forever-time token, so all future one-time tokens will be considered invalid.
Keep in mind, the standard being replaced here is one where you carry all your payment information around in your pocket in plaintext. This scheme is a massive improvement on that. There's an old saying that seems relevant here: I don't have to outrun the bear, I have to outrun you. There's a tremendous amount of value in being marginally safer than the next guy.
I would think compromise of the token, while bad, is way less bad than compromise of the PAN. I would think it's much easier to regenerate the one-time token than to create a new PAN.
I don't think that is quite correct. There is per-transaction stuff going on but it isn't being tokenized for every transaction.
The token is stored in the secure element but is generated by the Token Service Provider (for example Visa Token Service).
After reading the EMV token spec linked in the post[1] and the developer guide I think I'm able to answer my own question.
The card is only tokenized once (or at least not per-transaction). For in-app purchases it is using 3-D Secure and for NFC it is using EMV, both of which provide some per-transaction security. Unlike a standard card the token will only work with 3-D Secure or EMV. For example a standard Chip&Pin card could still have its mag-strip data extracted by a malicious POS system and used at a merchant that only uses magstripe terminals. With Apple Pay (and any other network token based system) a copied token would be worthless because it can't be used at a magstripe terminal.
Basically the phone is acting both as an automated 3-D secure checkout (it is processed by the processors just like 3-D secure but the authentication process is automated) and as a contactless EMV card without the downside of also having a magstripe with the PAN on it.
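A simplified model of the scheme described in the comment above, added here as an illustration and not taken from the thread, Apple or any payment network: the card is tokenized once, each payment carries a fresh cryptogram, and the token service declines a bare token, a replay, or a revoked token. The HMAC-over-counter cryptogram stands in for the real EMV / 3-D Secure cryptograms, and every class, function and field name is an assumption.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount):
    # HMAC stands in for the real EMV / 3-D Secure cryptogram (assumption).
    msg = f"{token}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class TokenService:
    """Toy token service provider: maps tokens to PANs and checks each use."""
    def __init__(self):
        self.vault = {}

    def provision(self, pan):
        # Runs once, when the card is added; the key would live in the secure element.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = {"pan": pan, "key": key, "counter": 0, "active": True}
        return token, key

    def revoke(self, token):
        self.vault[token]["active"] = False

    def authorize(self, token, entry_mode, counter=None, amount=None, cryptogram=b""):
        rec = self.vault.get(token)
        if rec is None or not rec["active"]:
            return "DECLINE revoked-or-unknown"
        if entry_mode not in ("EMV", "3DS"):
            return "DECLINE entry-mode"  # a bare copied token stops here
        if counter is None or counter <= rec["counter"]:
            return "DECLINE replay"
        expected = make_cryptogram(rec["key"], token, counter, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE cryptogram"
        rec["counter"] = counter
        return "APPROVE"

def demo():
    tsp = TokenService()
    token, key = tsp.provision("4111111111111111")  # constructed test PAN
    tap = {"token": token, "entry_mode": "EMV", "counter": 1, "amount": 1250,
           "cryptogram": make_cryptogram(key, token, 1, 1250)}
    results = [tsp.authorize(**tap)]                   # genuine tap
    results.append(tsp.authorize(**tap))               # same message presented again
    results.append(tsp.authorize(token, "MAGSTRIPE"))  # token alone, no cryptogram
    tsp.revoke(token)                                  # phone reported lost
    tap2 = dict(tap, counter=2, cryptogram=make_cryptogram(key, token, 2, 1250))
    results.append(tsp.authorize(**tap2))
    return results

if __name__ == "__main__":
    print(demo())
```

The four results correspond to the thread's points: per-transaction data on top of a one-time tokenization, a token that is useless at a magstripe terminal, and revocation that leaves the underlying PAN untouched.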
I'm very curious about the business side of ApplePay. Is Apple going to get some (minuscule) cut of every transaction performed? I.e. is this a new revenue stream for Apple?
They said in their FAQ that they won't be taking a cut. Either this is purely for improving the ecosystem, or they're getting a cut from banks for cutting down fraud.
One thing I am not clear on: Will Apple make ApplePay available to Android users?
If they do, they would get more sales. More people wielding compatible phones would also drive adoption. (Think of how Discover used to be made fun of on Family Guy, but now almost everywhere will take it)
I personally think that will be the tipping point to getting a critical mass of users - making sure it's cross platform.
The 3DSecure stuff gets a bit weird, do you still get redirected to your bank's 3DSecure page? If so I don't see that working too well in at least some countries (I know Apple Pay is US only for now).
In Denmark a large number of banks would present you with a Java applet on the 3DSecure page, that's not really going to work on the iPhone.
So we want to make payments via our phones. My first thought would be to create a protocol for this. Instead we get ApplePay and GoogleWallet and whatnot.
If the internet was invented today, we would have AppleMail instead of email and GoogleTrans instead of http.