48 comments

[ 3.3 ms ] story [ 96.8 ms ] thread
I have to say, just because of the privacy implications, I'm much more inclined to use Apple Pay than CurrentC.
(comment deleted)
I'm not an Apple Pay user -- is their privacy policy any good? Does it not collect metadata?

The article highlights CurrentC's brazen lack of privacy. From their policy:

> We share your information across our network of merchants and with our third party service providers. MCX may share...To third-party analytic providers and advertising partners to help us deliver, track and analyze the operations and effectiveness of our marketing campaigns, promotions or advertisements.

Apple Pay's privacy is much better. AIUI:

Apple knows nothing about your cards (they are all encrypted on-device), and nothing about your transaction except that there was A transaction (since Apple just sees a token that gets passed from you to the card provider).

The merchant doesn't see your real cc number, just a one-use token. So they can't track you unless you choose to add a loyalty card.

The card provider sees all details of the transaction. Just as now, and what you want.

And the real cc details are stored in dedicated silicon on a fingerprint-locked device.

> The merchant doesn't see your real cc number, just a one-use token

It's worth noting that the token is one-per-vendor, rather than one-per-payment. This is what allows TFL to match your tap-in to your tap-out on the London Underground, and what allows them to apply daily/weekly capping on fares.

I believe CurrentC's (Paydiant's) QR code tokenization works the same as you've described Apple Pay tokenization - the merchant POS does not see any payment info other than a one-time-use token.

This was another decent teardown of Paydiant's Subway app - but it looks like someone high up has had some of the code redacted :) http://randywestergren.com/reverse-engineering-the-subway-an...

Functionally, it looks like CurrentC only has two advantages over *Pays - loyalty integration and big box retailer backing. Not likely enough, but will be interesting to see how it plays out in the lower end market where a flagship device is not required...

The checking account number listed in the screenshot is also printed on the receipt, so they don't appear to be tokenizing from a casual inspection.
I have worked with APIs in the past that would only make masked account numbers or last 4 digits available.

Stripe is a great example - after the initial card is created, everything is tokenized, and they only allow you to pull the last 4 digits as an identifier.

As far as loyalty integration, there is some of that in Apple Pay -- it supports my local supermarket and drug store (Wegman's and Walgreen's, respectively).
Any chance you can point me to a good demo? I haven't seen a good single-scan loyalty/payment demo for ApplePay yet, and the SamsungPay demo seems to imply it but isn't very clear...
That's new with iOS 9, it wasn't possible when Apple Pay launched.

I wasn't aware anyone was using it yet. That's neat.

Loyalty integration is already being integrated into ApplePay. Walgreens went live with it today. Kohls also announced support for their house-brand credit / loyalty card.

The retailers are going to find that their "loyal" customers are much more loyal to their iPhones and Android phones then they are to the retailer's brand.

Consumers like the loyalty programs because they are a benefit to them (lower prices without clipping coupons and points programs such as .10 off a gallon of gas for every $100 purchased in store). The consumer isn't interested in helping the retailer build a database about their habits for "targeted marketing". Most people if left to think about it, find the programs creepy and would actively use any alternative if it was just as convenient as having the little card on their keychain.

That's not even to mention the ridiculous amount of barriers CurrentC will have asking for people's bank accounts from the same retailers (Target, Home Depot, etc.) that lost their credit card information. At least with the credit cards the consumer is protected. Not so much with their checking accounts.

Even if the transaction itself is tokenized, CurrentC controls the metadata and can allow MCX retailers access to that database after the fact. Apple on the other hand doesn't offer that type of access to anyone outside the company (if they store it at all).
More secure payment systems like CurrentC also employ tokenization to enhance user privacy and security throughout the payment process. This means that merchants are never given an actual bank account number, instead they are given a one-time use token that can be redeemed by a payment processor as if it was a valid bank account number.
Between the privacy concerns and the fact that it's ACH only, it sounds like it has a tremendous benefit for retailers.... and precisely none for me.
I really don't understand what the companies involved with MCX are thinking. They build an app that is going in the opposite direction of where the market is heading and limit the amount of payments they accept.

I was in line at 7-11 at my university, where an girl was trying to use the currentc app. She was 2 people ahead of me, when I went up to pay she was still trying to pay with the app. At first her screen was to dim, and the scanner would not read the QR code. Eventually she was able to pay, but I was already long gone by that time. If you look on the google play store it has a rating of 1.1 starts.

This is straight from its website,"Merchant Customer Exchange is the only merchant-owned mobile commerce network built to streamline the customer shopping experience across all major retail verticals."

With an app that rates 1.1 stars and no improvement, I don't think it cares about the shopping experience, and people will see this eventually.

A clue to what the companies are thinking from the article:

"Its payments are also routed from the retailer to the ACH system instead of the credit card system, which saves retailers from having to pay interchange fees (typically around 2% of the transaction amount)"

Yea I realized that when I was thinking about it. Which is a financial smart reason, but in the end it limits them.

If I only have my phone which I have android pay on and I need to get something from a drug store, I would go to CVS but they don't accept NFC. So I will have to go to Walgreen's instead which is usually near a CVS. So I don't get why they don't offer NFC, because keeping 98% of the transaction amount is better than 0.

Because what you're saying won't happen in a lot of situations. Drugs stores are interchangeable, but Target and Walmart are much less so, particularly out of urban centres.
Yea that is true, I totally forgot about towns where Walmart is the only store.
If your margin is only a few percent, 2% is a big deal.

What matters to a retailer isn't the revenue, it's the difference between costs and revenue.

Walmart is also smart about this. They algorithmically determine how many cashiers to have at certain times of the day, under the assumption that even though some people may give up and leave instead of waiting in line, its still more profitable for that to occur than to staff more cashiers for everyone to complete their purchases in a timely manner.

In the real world, its about profits, not volume.

Good point, with Walmart they will generate revenue no matter what, but to cut cost it makes sense to use it.
Isn't this the entire point of the exercise? It certainly doesn't seem to be about consumers.
They also get to offload the burden of paying for fraudulent transactions onto the user.
The Google Play rating is partially because of irate Apple Pay & (formerly Google Wallet) customers. CurrentC prevents (prevented?) a retailer from using competing contactless payment solutions.

I wouldn't be surprised if a lot of the reviews have never used the actual app, but have instead downloaded it and rated it one star in response to stories like this: https://daringfireball.net/2014/10/nfc_apple_pay

They're thinking they'd rather avoid paying credit card fees so they'd prefer to get straight at peoples money at the cost of making it a piece of shit to use.
"...retail customer's money is on the line in the event of fraud..." is a good point that may just slide by. The fact that corporations have significantly moved to evading any kind of responsibility through various means from regulatory capture to force arbitration and market monopoly; it strikes me that the factor of risk to the retail consumer aspect will play a huge role. It is a huge competitive disadvantage, to both not develop something well and with vigilance towards security like Apple Pay is, while also then setting in place a framework for conveying to customers that "if there is fraud because of our poorly designed and developed system, we are going to duck and weave like champions".

Do you want to keep away customers, i.e., revenue, because that's how you keep away customers.

In Australia retailers have supported NFC in the form of Visa's payWave and Mastercard's PayPass for years now and I've got to say, it's fantastic compared to the experience in the US.

Walk into a supermarket/retailer/cinema/restaurant in Melbourne and payment is as simple as waving your card at the terminal. If the purchase is less than ~$100 you don't need to enter a PIN and don't need to sign anything (we outlawed signatures for domestic payments mid last year). It's just done. Visa/Mastercard/banks generally cover any fraudulent purchases using the system so you don't need to worry too much about fraud.

In addition to this, since the US tech companies generally don't appear to have cared about the rest of the world until now, our banks have provided us with contactless payment apps for our phones and unlike the numerous standards being developed in the US, the banks' apps work with the existing payWave/PayPass systems that are already supported.

The reason I'm bringing this up is to show just how behind the US is when it comes to payments. I'm currently living in the Bay Area and the only places I've been able to successfully complete a purchase using a contactless payment method are Office Depot and Whole Foods. Most fast food places don't accept it, most retailers don't accept it, most businesses in general don't accept it. In Melbourne at least nearly everywhere accepts it, from coffee shops to supermarkets to tech retailers.

Even the US's move to EMV is backwards. The country has the second highest credit card fraud rate in the world yet when moving to a "more secure" system, signatures are still being retained as "authentication" or "authorization" despite being literally attached to the back of the card.

The US is fantastic when it comes to technology but when it comes to banking and payments it's incredibly dated and behind.

My sense is the superiority of the mag-stripe is a reason why commerce in the USA exceeds the rest of the world. But I would agree that the move to EMV is a step backwards.
My sense is the superiority of the mag-stripe is a reason why commerce in the USA exceeds the rest of the world

I suspect it is more closely connected to population and GDP.

Well, per capita. And I would not discount frictionless payments.
Big companies like Walmart are fighting adopting new credit card technologies since this is their opportunity to pay less fees.

In Australia, fees are typically below 1%. e.g., Visa Australia charges .275% to supermarkets and 0% to charities. http://www.visa.com.au/aboutvisa/interchange/interchange.sht...

In the USA, it's typically over 1% (see page 7) https://usa.visa.com/dam/VCOM/download/merchants/Visa-USA-In...

On the other hand, this is why Australia hasn't yet adopted Apple Pay. Apple want the same cut of the total transaction, (I think it's 0.15%) which is more than half of the total fees charged in Australia in most cases.

I don't understand why you praise NFC but condemn EMV on the basis of fraud. In both cases, the possession of some physical item is considered sufficient for authorization. Copying that physical item is sufficiently difficult that it's probably not an avenue for fraud, so you have to actually steal somebody's card.

If physical card theft is actually a big deal, then NFC would be just as bad. If it's not a problem and fraud comes from copying the information, then EMV is just as good. No?

Yes, now that you point it out it does seem odd. The physical presence of the card and lack of authentication are common to both methods but:

- NFC reduces risk by limiting transactions to $100.

- EMV is slower (much slower) and more cumbersome due to the requirement that a signature still be collected and the card be inserted into the terminal. This takes a minimum of 15-20s while exchanging receipts etc compared to NFC's ~1s.

NFC has the same level of security while reducing risk and increasing convenience.

It's pretty common not to require a signature on smaller purchases. It depends on the merchant and the card, but most purchases under $50 are just swipe and go. Presumably they'll change to be insert and go.

I totally agree with you that NFC wins for convenience and speed. I just don't see much of a security advantage, and it looks to me like EMV should substantially reduce in-person fraud, since you won't be able to copy them the way you can copy magnetic stripes. The card companies seem to think this way, at least: the way they're pushing EMV isn't to require it, but simply to say that if you don't have it and you participate in a fraudulent transaction, you're liable for it.

That's true but it's still possible to make a completely unauthenticated $4000 purchase with a physically stolen US credit card.

I didn't mention this earlier but NFC payments over $100 generally only require a PIN be entered but this is a relatively (to signatures) painless process and comes with the benefit of requiring something not printed on the credit card.

For small payments, NFC is faster. For large payments, NFC (at least as implemented in Australia, with PIN), is significantly more secure.

That certainly does sound better for fraud, but that's just a policy choice, not anything inherent to NFC or EMV. NFC could be without limits (I think that's how it is in the US) and EMV could require a PIN (as is typically the case in Europe).

It would be interesting to see the breakdown of different types of credit card fraud. How much fraud is physically stolen card versus copied card versus online purchases? I have no real idea myself.

NFC they just need my stolen card

Apple Pay they need to steal my phone, hope I haven't remotely wiped Apple Pay, and know my long passcode or have my fingerprint

Most fast food places don't accept it

Perhaps adoption varies by region, or perhaps you haven't tried many places. In the Portland Oregon area, McDonalds, Panera, Subway, and Jamba Juice accept Apple Pay.[1]

signatures are still being retained as "authentication"

Yeah, that's way beyond stupid.

[1] Edit: couldn't resist, thought of this too late. Googling seems non-definitive about whether a certain other fast food place accepts Apple Pay. So I'll steal a line from Vincent Vega and say: "I dunno, I didn't go into Burger King."

The article seem to suggest that your phone requires a working internet connection in order to make a payment. This seems like a huge limitation compared to Apple Pay (and presumably Android Pay?), which does not.
Just the name ("CurrentC") seems like it's going to lead to numerous Who's-On-First kinds of interactions...

A: "Do you take CurrentC?"

B: "Of course we take currency."

A: [Pulls out CurrentC app.]

B: "Oh, no. We don't do that."

Might do better if it sounded distinct when spoken. Like "Apple Pay."

A: "Do you take Apple Pay?"

B: "No, we only accept payments in currency, not in fruit."

A: [Pulls out CurrentC app.]

B: "We don't take that, either."

[Audience laughter, applause, and scene.]

First time I tried Apple Pay in a McDonald's drive thru I ended up with an apple pie added to my order.
Did more research - it seems like this article is wrong about fraud liability (in addition to QR tokenization). There are plenty of things wrong with CurrentC, no need to make stuff up...

To further protect CurrentC™ consumers, our zero-liability policy protects consumers in the event unauthorized or fraudulent charges are made to their checking account as a result of unauthorized ACH transactions processed through BIM.

http://finance.yahoo.com/news/mcx-adds-bim-guaranteed-ach-17...

Even with a zero-liability policy, the money is coming directly out of your bank account, and will be put back in eventually, after investigation.

Since the only person that's out money is you, no one has financial incentive to speed the process.

Their policy, not the credit card companies policy. I'd much rather be protected by visa/mastercard.
> 3 security questions

Why are these still a thing? Is it regulations or something?