After a baker's dozen purchases facilitated by Apple Pay, I have to say it's pretty magical. And the most touted feature, the near-instant one-handed payments, does not impress me the most. The little details really make a difference, like instant push alerts whenever a connected card fires somewhere in payment space. In a month, you can audit every recurring -- and perhaps forgotten -- auto payment on a card.
Apple Pay is so convenient, in fact, that several major retail chains began blocking it at their registers days after it went live. The reason was simple: Retailers got a glimpse of Apple Pay adoption rates and crippled it to support their homegrown alternative CurrentC instead. Network administrators and security teams then recoiled in horror when, days later, CurrentC was breached, and customer data was stolen.
Bank battles threaten network security
First, here's some background. Apple Pay is not merely a convenience feature from a vendor extending its considerable expertise in online transactions into point of sale (PoS). It's actually a play by the credit card clearinghouses and card issuers (banks) to turn back the tide of debit card adoption by US consumers. With more than $4 trillion in card-based transactions in 2013, one might think the credit card industry would be pretty happy scraping 2-3% off every sale.
But you'd be wrong. Debit card volume surpassed credit in 2004 and is now nearly double the volume of credit cards. That's because retailers are doing everything possible to promote debit over credit to cut out the fees charged by clearinghouses and banks. Banks are none too thrilled to see years of multibillion-dollar revenue declines, to the point that they're willing to give Apple 0.15% of every transaction to get back in the game.
The problem with the march to debit cards is a forming consensus that retailers basically stink at network security. Target, Home Depot, Dairy Queen, and even JPMorgan Chase have all fallen victim to attack. Debit card data is a particularly juicy target because of its direct association with individual bank accounts. Unfortunately, that increasing public consensus isn't necessarily fairly earned.
As admins, we've toiled long into the night untangling firewall security management policy reports, looking for vulnerabilities, and supporting PCI compliance auditing. But the prospect of 50 million-plus account hauls from single brands has driven attackers into the dark corners of our networks -- third-party vendors. When enabling something as basic as HVAC optimization can cost your company $400 million, the better solution might be, remarkably, to let customers drive security with their payment choices, even if less evolved brands suffer in the process.
Success through customer trust
Google Wallet never really scared the retailers backing CurrentC, so they held their noses and let the experiment continue. But the way Apple Pay came roaring out of the gate with a potential for wide adoption and impact on margins caused them to actually spend money to disable it at the PoS. This, in turn, removed customer choice from the ecosystem -- and that's shortsighted.
When customers in open markets select technology, they tend to associate brand loyalty with trust. In the end, it doesn't really matter, because the only effect will be a boon to competitors, which will strengthen the relationship between Apple Pay users and their brands. It's really security administrators who suffer, because reduced competition slows the development of improved security products. More on this in a minute.
Consumers value convenience over everything else, so long as it doesn't result in ruined credit at the hands of identity thieves. They don't even stop to ask why they don't see at least a little discount from the 2-3% the store saves on debit versus credit cards. Apple Pay is incredibly convenient. People will use it if given a choice, and they will select stores that accept it over stores that don't. Walgreens accepts Apple Pay, while Rite Aid and CVS actively shut it off. Where will a customer go with a warm Starbucks cup and a recent happy Apple Pay experience in hand? Where they can do it again.
What got me thinking about this in the first place was deconstructing the service delivery mechanism the first time I used iOS NFC. There are so many moving parts, SLAs over multiple links, and dozens of services flying in formation that it truly seems like magic. And whenever there is technology magic, there are awesome network administrators. What makes these new services different -- whether we're talking about Apple Pay or simply ever more mobile device-friendly infrastructures, SSD storage, virtualization of every variety, and the cloud -- is that there is an order of magnitude jump in complexity and new security challenges.
I don't blame the CurrentC members for wanting to cut out clearinghouse fees. Heck, even American Express and Visa must know they made a deal with the "Devil of Cupertino," who may eventually gain leverage to negotiate less attractive fee sharing. But encouraging yet another attack vector by artificially blocking competition, rather than allowing consumers to drive innovation, is a move in the wrong direction.
If customers prefer the experience of Apple Pay versus the barcode-based approach of CurrentC, then improve the experience (and security) of CurrentC. Then customers win at what they want (convenience), retail wins at what it wants (decreased fees), and network admins win where it really matters (improved security for all). And fewer audits. Oh, how we love high-scoring audits.