W3C home > Mailing lists > Public > public-webpayments@w3.org > September 2014

RE: Apple Pay

From: Andrew Bovingdon <andy@bango.com>
Date: Wed, 10 Sep 2014 08:33:49 +0000
To: Mountie Lee <mountie@paygate.net>, Adrian Hope-Bailie <adrian@hopebailie.com>
CC: Stuart Langridge <sil@kryogenix.org>, Kingsley Idehen <kidehen@openlinksw.com>, "public-webpayments@w3.org" <public-webpayments@w3.org>
Message-ID: <B4929E3FA275D64E8FB1C7DD8B3DE443770A791C@BANGO-EX1.Westbrooke.bango.net>

I presume that card holder identity is verified by the fingerprint touch authentication on the iPhone 6. Not sure how a new card added is verified as belonging to the iPhone owner?

Not sure how the Apple Watch will authenticate though - perhaps it measures the users heart rate and how much they are sweating during payment. Definitely could be used to determine risk :)

Risk is definitely different from iTunes where prices are much more controlled and deliverables are digital.


From: Mountie Lee [mailto:mountie@paygate.net]
Sent: 10 September 2014 09:04
To: Adrian Hope-Bailie
Cc: Stuart Langridge; Kingsley Idehen; public-webpayments@w3.org
Subject: Re: Apple Pay

Hi.

some more comments (question?)

who take charge of risk?
who verify customer signature(or PIN) is equivalent to card's?

maybe Apple can verify card holder identity with their internal resources,

I think the risk level is different from iTunes'



On Wed, Sep 10, 2014 at 4:05 PM, Adrian Hope-Bailie <adrian@hopebailie.com<mailto:adrian@hopebailie.com>> wrote:
So, lets do some grade A speculation:

I suspect that this is all built on standardised technology but given an Apple shine.
For the system to work at "220,000 stores that already support contactless payments" this would have to be the case.

Likely it is a combination of HCE (i.e. provision the phone's secure element over the air) and the use of the tokenisation spec already published by EMVCo (http://www.emvco.com/specifications.aspx?id=263).
I wouldn't be surprised if Apple had a hand in developing that tokenisation spec with the networks.

What is interesting is that Apple are therefore working with issuers primarily (whose cards are stored in iTunes), not acquirers.
They don't yet manage the full payment life-cycle end to end although one can assume this will come soon when payments start being made from one iOS device to another.

They haven't invented anything new (even if the US market thinks they have).
Apple very seldom do invent anything new. All of their revolutionary "inventions" have been brilliantly executed versions of something that already existed in some form or another.
However, we should not underestimate the power of the Apple brand coming into our world.
They have just made contactless and mobile payments cool, even for the folks that are completely non-technical.

Note:
This is still debit-pull card based payments but apple is providing the complicated bits like the token store (or off-loading it to the card networks).
That said, once users are used to using their phones to pay moving to a push-based mechanism becomes that much easier and will be key to P2P payments.

On 10 September 2014 05:35, Mountie Lee <mountie@paygate.net<mailto:mountie@paygate.net>> wrote:
Hi.
for the Apple Pay mechanisms,

will it be correct as following?

1. real credit card information is stored at Apple side (same to iTunes way)
2. when user try to pay at store, a token (which is generated by apple, virtual credit card format?) is pass to merchant.
3. merchant send the token to their processor/acquirer
4. the participating banks will verify the token with Apple
5. settle money to merchant.

does Apple Pay always need connected environment?

regards
mountie

On Wed, Sep 10, 2014 at 7:31 AM, Stuart Langridge <sil@kryogenix.org<mailto:sil@kryogenix.org>> wrote:
On Tuesday, 9 September 2014, Kingsley Idehen <kidehen@openlinksw.com<mailto:kidehen@openlinksw.com>> wrote:
On 9/9/14 1:57 PM, Stéphane Corlosquet wrote:
Quoting:
Our mission is to replace your wallet, starting by focusing on payments.
...
Digging for your cards is antiquated.
The magnetic stripe interface is outdated and insecure.

Yep!

Just need to take a look at their APIs and other technical details.

Apple is an important player in this space, for sure.
Bear in mind that the antiquated magnetic stripe interface has already been cast aside in most places that aren't the USA. Here in the UK we've had contactless payment for years; it is not an exciting revolution, and we should be wary of presenting something that (frankly) drags the US into the 21st century as a thing that is super-important, because everyone else already has it.



--
New Year's Day --
everything is in blossom!
I feel about average.
   -- Kobayashi Issa



--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700<tel:%2B82%202%202140%202700>
E-Mail : mountie@paygate.net<mailto:mountie@paygate.net>




--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net<mailto:mountie@paygate.net>
Received on Wednesday, 10 September 2014 08:34:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:03:39 UTC