163 comments

[ 5.5 ms ] story [ 121 ms ] thread
Thank you, Germany.

I love the EU and it's countries more and more for every news article like this.

What do you like about this regulation? What do you see being implemented in practice and how will it change the customer experience? I seriously don't see the advantage.
I like the fact that my local EU bank will actually be allowed to offer me mobile payments as opposed to now, when Apple refuses to even talk to them because my country is too small.
Do you have a source for the claim you make here?
https://support.apple.com/sl-si/HT206637#Europe

Slovenia - Missing all of the biggest ones. None of the ones I use-used are on the list:

Nova Ljubljanska Banka - the biggest one SKB banka Abanka Sparkasse

And I have never heard of any on the list.

Do have a source for the fact that the reason they aren't on the list is that "Apple refuses to even talk to them because my country is too small."

I mean in the UK, Tesco, the largest food retailer won't take Apple Pay because it doesn't give them enough data. Instead, if you want to pay with your phone over £30 you have to download their own damned app.

You don't see advantage to have an option to use e.g. Google Pay on iPhone?

Apple Pay adoption in banks (in EU at least) is much worse than Google Pay, so if I have account in bank that has only Google Pay I can't currently use iPhone to do payments.

That's what we are asking, what does this law do for us (well, for Germans). Just blindly saying "Thanks" isn't useful to the discussion.

It sounds like it forces Apple to open up the NFC stack to other applications?

In order to implement Apple Pay in a country, a bank needs to beg Apple. And it looks like Apple doesn't care about smaller banks and small countries at all. For example, in NL they allowed only a few biggest banks to implement Apple Pay.
> they allowed only a few biggest banks to implement Apple Pay.

Again, is there a statement from any of these smaller banks saying 'we'd love to have it but Apple won't let us'?

The Netherlands has Apple Pay on ABN, ING, Bunq, N26 and Rabobank. That should cover around 80% of the market.
Apple wants every bank. The discrimination comes from the payment processors — it’s likely that those payment processors who handle transactions for the local banks don’t care about the smaller banks. For example, FirstData in the US drove and facilitated adoption — it wasn’t the banks that reached out to Apple or vice versa. It’s fun to say something like “a bank needs to beg Apple,” but that is just not based in any sort of fact. Instead your comment attempts to paint a picture that big, bad Apple is mean to little banks when the truth is far more complex and has little to do with Apple and everything to do with payment processors. It’s also very likely your small bank doesn’t want to pay the 15 basis points on credit or the 3 basis points for debit.

But saying Apple doesn’t care about smaller banks — that’s just a lie. Some of the smallest banks all across the US are using Apple Pay. It’s possible and probable that your bank just does want to offer Apple Pay.

Here is an interesting article from 2015 about banks and Apple Pay: https://www.bankdirector.com/issues/technology/becoming-an-a...

Please note the lack of “begging” involved in the process discussed in the article linked above.

Of course the monopolist is warning against having to allow competition to their market. Nothing to see there.

If Apple Pay is so much better than what the banks offer (which it probably is), then there's no issue, people will continue demanding and using it. It will force Apple to improve their product over what the banks can do constantly and that's how we customers win.

One of the ways it's better is by being extremely secure, and anonymising customer data to ensure privacy. Their argument is that forcing them to allow other companies to implement parts of the system could compromise those advantages for consumers. I don't know if they're right, but then I don't know exactly what this law requires them to do, or what the implications of that would be.
The law demands that they allow non-Apple apps to use NFC to process payments.

> Their argument is that forcing them to allow other companies to implement parts of the system could compromise those advantages for consumers.

Why would that ever be the case? The demand is for Apple to extend that secure payment processing to other companies on their locked down platform, not to compromise their payment product.

> One of the ways it's better is by being extremely secure, and anonymising customer data to ensure privacy.

Can you clarify? As far as I can tell, Apple Pay looks more or less like a regular credit card, and it even has a credit card number that apparently never changes. Plenty of merchant apps will recognize Apple Pay users because they once used it at a different merchant.

Security? The day Apple Pay prompts, on the phone, “authorize $X to merchant Y?” I’ll grant them a meaningful security improvements. Other than that, it’s just a contactless card with biometric authentication.

Are you confusing Apple Card with Apple Pay? They are two different things. I can use my Chase card with Apple Pay. I can also use my Apple Card with Apple Pay.
> it even has a credit card number that apparently never changes

The credit card account number doesn't change but every time you use it, a new number token is generated and that is what the merchant sees.

This is a common misconception, but it is unfortunately not accurate.

The Device Account Number is different for every device, but it is the same for all vendors, unless reset by the issuer.

You're right! I had misread how it works.

TechCrunch describes it this way:

> Apple provides a virtual card number and confirmation code (CVV) for the card in the app. You can use this for non-Apple Pay purchases online or over the phone. This number is semi-permanent, meaning that you can keep using it as long as you want.

> But you can hit a button to regenerate the primary account number, providing you with a new credit card number at any time. This is great for situations where you’re forced to tell someone your card number but do not completely trust the recipient.

> It will force Apple to improve their product over what the banks can do constantly and that's how we customers win.

Currently, I add my bank card to the Apple Wallet, tap my phone/watch on a terminal and payment goes through.

It's not entirely clear to me how this ruling will force Apple to 'improve their product' from a consumer point of view. I'm not even sure what it will achieve, other than perhaps forcing Apple to engineer interoperability with institutions that don't want to accept ApplePay restrictions on privacy or simple UI.

For me it's pretty clear - it'll allow me to use my iPhone to pay for things since Apple won't work with my bank and my bank wants to support payments anyway.

On Android my bank released their own app to process contactless payments. It works well and it's secure by all legal standards required here in EU. Even though Google doesn't support my region, payments work fine. This is an option that I want Apple platform to offer as well. Not that it's an OPTION - Apple Pay is still there and can still be supported and used by whoever. Noone is interfering with that.

Apple does not prevent banks to release their own payment apps. There are several on the app store in my country.
Although you are correct. Apple does deny access to the NFC contactless for payment applications.
> Apple won't work with my bank

More likely your bank won’t work with Apple because they don’t want to pay Apple a cut of the fees.

> Note that it's an OPTION - Apple Pay is still there and can still be supported and used by whoever.

It’s highly likely that if Apple opens up NFC access to bank apps, they’ll stop supporting Apple Pay and force you to use their app, so there won’t be an option.

Exactly, here in the Netherlands I know at least two bank support ApplePay and that works great. All the other banks are not supported because they don't want to make the effort.
I think your information is out of date. The biggest banks like ABN-AMRO and Rabobank now support Apple pay along with the few that have supported it for months.
> More likely your bank won’t work with Apple because they don’t want to pay Apple a cut of the fees.

So now it'll work because they can choose another processor which doesn't demand Apple's fees. That's how free market should work. If Apple provides value, then they'll keep using Apple Pay.

There already is a free market: buy an Android. You’re not required to buy an iPhone.
With the alternative, Google Pay, you pay with your privacy.
To be fair, isn't this the case with most credit cards as well? Any record of purchases you create is a privacy risk because somewhere there's at least one entity involved in authorizing and processing transactions.

If anything, wouldn't being able to use an app specific to your bank remove one more middleman (Apple, Google, whoever) from the process?

I've never used credit cards; only debit cards and bank cards. I'm not so sure they sell my data, given GDPR. They might've in past though.
I guess my point is that there's a lot to "privacy" when used generally. Direct selling data is one thing, but not the only thing of concern. There's also the issue of data breaches and other malfeasance like that.

Even if the bank itself doesn't sell data do Visa or Mastercard (or whatever company handles processing?) How about other entities, like retailers? Bank/debit cards can still be used to build a profile, no?

I don't mean to criticize your personal usage policies because I've largely come to accept that we can't avoid all risk of data theft or misuse as long as we're using electronic payment. I just think it's more complicated than "but Google, therefore selling data".

For my part, I try to limit the number of hands in the pot, so to speak. If my bank and the card processor and the seller get info, do I benefit from adding my device's OS maker to the mix? On Android I can choose to use my bank's app rather than Google's service if I want to avoid yet another potential for leaks or profile building.

I look at skipping Apple or Google Pay the way I look at skipping "loyalty cards" which offer some minor discount or convenience in exchange for another hand in the pot.

So you still need a payment card? Most payment cards can do this without a phone, you just touch the screen with the card.
AFAIK Apple ID doesn't expose your actual card number, so using it over a card has two benefits: 1) no need to grab a card from the wallet, just tap the phone I probably already have in hand 2) privacy
It may not expose it to the employee at the register, but the card number (actually, there are two numbers) is still sent to their merchant bank.
I don't think this is accurate. I'm fairly sure Apple Pay uses tokenization, so the merchant/merchant bank never sees the actual card details. The only party in the transaction who knows the actual card details is the issuing bank.
(comment deleted)
You are right, I was mistaken. The DPAN is the tokenized card number, and that is the only account number an acquirer will have. My experience seeing both in the auth system log was from the issuer side.
You need a payment card and it still clears through Visa/Mastercard just like any other credit or debit card. In the US we don't have contact-less payment cards though, you have to insert the chip.
Chase has had contact-less payments for the better part of a year now. I haven't used Apply Pay since the change
Pretty sure I've seen Amex and other Visa cards with contactless.
I think the problem here is that Apple wants payments on the iPhone to be secure, easy and private. If they gave banks full access to the api, they would do what’s in their best interest (reusing CCs numbers accross vendors, making it harder to use more beneficial cards, less transparency). This would mean that paying on iPhone would be considered harder or more inconvenient then using a card because many consumers don’t know the difference between Apple Pay and their bank app’s payment system. It would also mean that fewer banks adopt Apple Pay, which is already not that great in many countries.

I’m honest not sure if opening up the system would be a net benefit. There are certainly advantages to keeping it closed but we also miss many great opportunities with NFC because of that. I would expect Apple to open it up eventually, when users become used to using Apple Pay and expecting the same convinces from their bank app

> Apple wants payments on the iPhone to be secure, easy and private.

I don't trust apple for that more than I trust my bank anyway.

> I don't trust apple for that more than I trust my bank anyway.

Having worked for many banks, I’d advise you to reconsider that position.

It is a simple matter of competition.

As a customer, if I consider Apple Pay so much more convenient, I'll choose a bank which supports it. So banks are under pressure to either support Apple Pay, or create an equally customer-friendly offer.

If I consider another offer better for me, I will use their App instead of Apple Pay. So Apple can't just enjoy their monopoly, but is under pressure to be the best option for customers.

> It is a simple matter of competition.

It’s most certainly not that simple. Anybody who wants to is free to compete with Apple, and many, many companies already do. But this is legislators dictating what 3rd party software Apple must support in its operating systems. Why stop there? Why not force Apple to support 3rd party providers as an alternative to iCloud? Why not mandate a 3rd party App Store? Why should Apple be allowed any control over which operating system or hardware features it exposes to 3rd parties at all? Why should Amazon be allowed to ship a kindle that only supports their book store?

It is certainly that simple. You might not like it, because it limits the ability of Apple to exploit their ecosystem for rent-seeking. But it is just opening up an area for competition.

And indeed, why not doing this for other closed ecosystems as well, if this is beneficial for the public?

Because by doing so you’re making an enormous amount of software illegal, and compelling software developers by law to support anything any other developer may want to do. According to your logic, Apps should have full access to ring 0 too.

If public benefit is your only concern, then why don’t you consider the benefit of closed ecosystems, or at least of consumers having the option to choose one? I don’t see any public benefit in removing options for consumers. If open ecosystems offer such a superior benefit to consumers, then surely they would be able to out compete closed ones.

No, according to my logic, ecosystems should be forced to open up where it is beneficial to the public. This pretty obviously excludes access to ring 0.

Also, it needs to be balanced with the interests of the companies owning the ecosystem.

You can only ever judge where that is true according to whatever opinions you personally have.
I agree that you cannot easily assess if such a legislation is beneficial for the public or not. That is the case for many government decisions. It still is not a matter of personal opinions/taste, it is a matter of arguments.

So it would be your turn now to argue why this specific law is harmful for the public. (We agree that it is harmful for Apple.)

> This pretty obviously excludes access to ring 0.

How is it obvious? One could easily argue that because some hardware manufacturers make shitty drivers, opening up access will allow 3rd party developers to create better drivers, or something like that.

I’m not sure how this is beneficial to the public. Honestly, I’d argue that ring 0 access is probably more beneficial than this; see the jailbreaking exemptions we already have in place.
> reusing CCs numbers accross vendors

Apple Pay does exactly this. It’s called the Device Account Number.

Why is it that the definition of a “monopoly” on HN is “any company that does something I don’t like”?

Have you seen the marketshare of the iPhone in Germany?

Exactly - Apple has about 20% market share in Germany (https://www.statista.com/statistics/461900/android-vs-ios-ma...).

When 80% of people are using a competitor to your product, it’s hardly a monopoly.

It seems like people are misinformed and think that "monopoly" means someone who has the all the market share. That's not how it works.

A monopoly is the control or advantage obtained by an entity over the commercial market in a certain area, who uses that advantage (willfully) to fix prices or exclude competitors. Granted, control or advantage of the market is a component, but what really makes a monopoly a monopoly is the intent behind the actions of the entity. If a memo, or meeting minutes were to come out showing that Apple was signing exclusivity agreements, or disabling payment apps on the iPhone (NFC) to specifically put competition out of business, well then that would be monopolistic.

By the way, even when this sort of behavior can skirt the law, it's still unethical. I'm not saying businesses need to actively support their competition, but seeking to put them out of business through backroom deals and price fixing is wrong. It's the antithesis of a free market and unfortunately is rampant in the tech industry.

>If a memo, or meeting minutes were to come out showing that Apple was signing exclusivity agreements, or disabling payment apps on the iPhone (NFC) to specifically put competition out of business, well then that would be monopolistic.

I think people get confused because the way APIs work on Apple's platforms, effectively open to all subject to you agreeing to their license, that people don't realize there's no obligation for Apple to create APIs for anything. Literally every app or feature could be the result of one-on-one business development agreements.

Exactly. For instance I don’t know of any other company that has access to Apple’s iTunes movie library to add movies that are considered as “purchased” when the movie is purchased from a competitor except for Movies Anywhere. Yet there is a setting for allowing access to your iTunes library for it.
Germany just created that obligation for Apple.
Not necessarily. The law will be challenged in the courts and they'll have a strong case that it infringes their intellectual property rights.
What court would this law be challenged at when its... a law built by lawmakers?
Lawmakers can make illegal laws. Not sure how it’d work in Germany, but in the US, for example, it’d be challenged on the basis of constitutionality.
So that still goes back to my other response and their is a reason that neither the US nor EU has ever defined “monopoly” as broadly as HN not-lawyers do.

Every platform has certain technologies it doesn’t allow competitors to access and have exclusive deals.

Should Apple be scrutinized because it harmed potential suppliers for its cameras and screens by making “exclusive deals” with Sony, LG, or Samsung for their respective components?

Apple is not “price fixing”. Price fixing is when competitors get together to “fix prices” not when one company gives another company a good deal to be the “exclusive provider of X”.

Here the market is "things that can be installed on iOS" or "NFC payment providers that can be installed on iOS", where I don't think you can deny Apple has 100% market dominance.

You could argue that the market should be "things that can be installed on smartphones" but that ignores that people with iPhones really need things that work on their devices. It's akin to saying that if one company had a monopoly on car tyres, it'd be okay because people could just replace their car and buy a tractor with tractor tyres instead.

So now that’s how we carve out “monopoly”? So in that case are the console makers monopolies? Does Apple also have a “monopoly” on music services that work on HomePods? Phones that take complete advantage of AirPods Pro? Should that be regulated too? Should we go after Apple because Google’s and Amazon’s voice assistants don’t work on the Apple Watch and the AirPods since Apple has a “monopoly on voice assistants that work on those devices?”
To the extent that many of those conditions result from anticompetitive behavior (eg preventing interoperability), rather than a lack of outside development interest, probably.
So now you’re saying that the government should tell every company that they must inter operate with third parties? Would you like that every piece of software you write to have features forced on it for interoperability before you can release it?

Should every website and every web service also have a publicly accessible API? Do you want a government committee to decide when your service or software is interoperable enough before you can release it?

You're strawmanning with an ominous "government committee", implying the situation requires deep analysis. But really, vendors are deliberately preventing interoperability with competing products through technical means such as digital restrictions management. If they stopped doing that, there would be no argument.

After an item is sold to a user, that item shouldn't be working to undermine the interests of its owner. Those interests include being a market participant for other products to use with it. If giving a user the option to eg change a data source or trust authority would be too much of a mandate for specific development, then manufacturers can just fall back to releasing the basic documentation that would allow straightforward re-implementation.

> Should every website and every web service also have a publicly accessible API?

Sure, why not? Anything a user can do, a program representing the user should be able to do. The alternative is computational disenfranchisement.

That is your personal definition of monopoly, not what we in European law have as definition.
> Here the market is "things that can be installed on iOS“

So McDonalds has a monopoly on hamburgers sold at McDonalds?

> Of course the monopolist is warning against having to allow competition to their market.

What market is Apple monopolizing here?

The market for payments using Apple devices. The anti-Apple brigade desperately wants iOS to be Android, yet many of us buy Apple specifically because it’s not Android. We use Apple Pay because they know more about privacy and security than “John’s Community Bank” who would love to force their customers to use their own bank payment app that they had some Infosys guys in Bangalore write for them. Then the credit card companies will all make their equivalently shitty app that we then have to use.. so payments becomes a mass of disparate apps instead of the flawless Apple Wallet experience we have now that works on all your devices, including Mac.

The critics of Apple Pay almost certainly haven’t used it on Mac, or Watch, because it’s pretty darned magical.

Those Bangalore guys might have a hand in UPI. Transfer to anyone anytime. it's more then magical!!!
The market of iOS devices.
By this logic we can assume that every company in existence is a monopoly, by being the only company that makes their products and services?
Can we stop misusing words? A ‘monopolist’ does not have a market share of 20%. It makes any argument you have farcical.

Competition? If we leave it to the banks we will have a slow, anti-privacy, insecure mess. I deal with banks in the cyber-resilience world, and these institutions do not have a clue.

I'm not against a law like this in principle, at least I don't have an instinctive aversion, but it seems a mistake to ram it through without any consultation or a proper review by technical and financial experts. And by that I don't just mean industry insiders, but security researchers, etc.
> without any consultation or a proper review by technical and financial experts

Nah, that would just have opened the door for more lobbyism. Apple seems to have strongly worked against this law, seems like even the US ambassador was involved [0, about half way on the first page]. Looks like somebody hit a very sweet spot and an easy cash cow for Apple.

We need more open markets for processes like this. It's just fine that Apple has to open up.

[0]: https://www.heise.de/newsticker/meldung/Lex-Apple-Pay-Bundes...

So you can guarantee there are no security or privacy compromises in doing this?
What Apple is forced to allow now is already practice with Android phones. So we are really not talking about something new and risky, this is well-established technology.
We don't know how NFC is implemented on iOS. It could be tightly bound with the iOS Secure Enclave and then it's NOT "well-established technology" since Android uses different architecture(s).
The law has a provision for this case, but I highly doubt there is a technical reason for not opening NFC on iOS.
Yeah, this would definitely be a "show your work" situation if Apple said it wasn't possible.
Biometric authentication is tied to the Secure Enclave as well. There’s no technical reason that Apple couldn’t provide APIs to access it like they have for other sensitive operations.
Who said anything about new and risky? Credit cards are privacy nightmares and they're well established.

I'm going to go out on a limb here and say the android alternative to apple pay has all the privacy costs of just using credit cards.

Germany has a pretty good legislation track record, so you can safely assume that technical and financial experts have reviewed that law. It just so happened that Apple was not given an opportunity to lobby for their monopoly on iPhone.
There has also been terrible legislation in Germany though, that had to be revoked in lengthy process by the courts, take the Vorratsdatenspeicherung(https://en.wikipedia.org/wiki/Data_retention#Germany):

"The law became valid on 1 January 2008. Any communications data had to be retained for six months. On 2 March 2010, the Federal Constitutional Court of Germany ruled the law unconstitutional as a violation of the guarantee of the secrecy of correspondence.[41] On 16 October 2015, a second law for shorter, up to 10 weeks long, data retention excluding email communication was passed by parliament.[42][43][44] However, this act was ruled incompatible with German and European laws by an injunction of the Higher Administrative Court of North Rhine-Westphalia."

Or the planned road toll that is incompatible with EU law: https://www.bbc.com/news/world-europe-48674703

Yeah, those are some serious things, caused by the problem we call "Bavaria". It will fix itself over time.
Having sat in on some PSD2 fintech 'opportunity' presentations, I'm without doubt that, while well intentioned, the brave new world of 'open banking' regulation will be hell for consumers and a windfall for the least scrupulous in the fintech sector.
Due to an anti-money laundering law? This sounds exactly like PSD2...
I'm not sure I understand this law. My Apple Pay already hooks up to my finance company's Mastercard and my bank's Visa. Who is getting access to compete for service under this law? The banks? Some other payment processors? Would it just be somebody else hooking up my credit card instead of Apple?
Apple takes quite a huge amount from each payment (~10% I heard) so if you could hook up the same credit card using e.g. Google Pay, the bank would pay only e.g. 5% (I made that number up) per transaction.

Consumers don't see it, so this competition on iOS would benefit mostly banks if you think only about costs, but there is another side to this.

If my bank doesn't support Apple Pay, but supports Google Pay, then I can't use my iPhone to do payments because Apple prohibits Google Pay to access NFC.

> 10% per payment

that'd be ludicrous. I found a source that says 0.15% which is way more reasonable: https://www.macrumors.com/2014/09/12/more-apple-pay-details/

I'm amazed when people assert stuff that is ludicrous on the face of it. Places that have signs that say "no Amex" because it's 1% more fees are also implementing Apple Pay ...
This is very reasonable, given that the bank only needs to maintain an integration with Apple Pay and that they don't have to support and maintain an app and all kinds of devices. Apple does that for them.
It forces Apple to provide others with access to the NFC chip, so your bank can provide a mobile payment app that works without Apple Pay.
Got it. I firmly agree in principle but I could see technical issues if Apple implemented NFC by tightly binding it to their Secure Enclave and couldn't safely open that up to third parties. We'll just have to see.
The EU has been making some good moves in opening up the payment services industry through regulation. The biggest example is the PSD2 regulations passed in 2015[1]. Among many other things, this law requires banks in the EU to expose APIs into their systems, that allow third parties to make transfers to and from the bank's accounts, only subject to proper customer authentication and AML compliance. This essentially lets third parties build universal payment services on top of existing banking infrastructure.

> The law highlights the growing desire in Germany for tighter regulation of U.S. technology companies.

No, this highlights that the EU is willing and able to regulate markets to keep them open to all participants.

Looking forward to laws opening up this sector even more.

[1] https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...

I agree, this is a great development. Hope to see the same in other EU countries.
PSD2 is great, but as far as I remember, it doesn't make banks have a common basic API, every bank can implement it wildly differently.

Next step is something like OpenBanking in the UK which does ask for common APIs.

The next step is unfortunately not coming up anytime soon. They made account information and payment initiation service provider (AISP and PISP respectively) licensing mandatory to connect with banks, but most banks don't even have their APIs production-ready in time!

Rabobank (Dutch) quoted to us the end of 2020 for their 'official' connection platform, but the requirements have been made legally binding in September...

I was thinking about how much I would love it here in the US if I could have a one stop banking app for all my balances that isnt selling them to Facebook or something sketchy. I think open APIs would be the only way I would trust it. If I had the app source it would work for me. Even if I only have it for bigger banks I just want less apps and more uniformity.
I am an Indian in US & I love my UPI app for Indian banking needs.

Before that, I had to use multiple banks' apps. Many of those would randomly want to verify me by sending an SMS to Indian 1800 number, impossible from my Indian Sim card while in roaming in US.

Now I just use PhonePe. Two banks, One Credit Card. Inter transfers, Card Payment, Bill Payments, Phone Recharges, Sending money to others, all from within one app.

*No affiliation, just a happy customer.

The PSD2 is extremely user hostile. In fact, it's so universally hated that Switzerland's banks (not in the EU) have called it an "experiment at the customer's cost, creating dangerous confusion while undermining the security of customer's data" (https://www.swissbanking.org/de/themen/digitalisierung/open-...).

As a EU citizen myself that now has to live with an incredibly disrupting online banking experience, I am more than unhappy with the EU's regulations.

Do you have any concrete criticisms? How is the online banking experience "incredibly disrupting"?
The current PSD2 implementation at most banks is just terribly annoying.

On things which require authentication every 90 days (like checking the balance via api), almost all banks require one after every attempt/api call.

Even worse: Many banks don't support their app's 2FA for the api calls, but instead the old tan lists. (ING does this AFAIK)

> As a EU citizen myself that now has to live with an incredibly disrupting online banking experience

How so? For most people PSD2 means 2F auth not just for money transfers but also for login, which is quite good for security in general, although of course won't help in all cases (like SIM swap).

Because some banks (Consorsbank for example), take this to an extreme and ask you to 2FA all the time for every login.

I used to refresh several bank accounts several times per day through a third party app (MoneyMoney) on the Mac. This worked pretty flawlessly until September.

Now, I have to take out my phone and 2FA all the things in three different apps.

Of course, partially, Consorsbank is to blame here, because they fucked this up. Other banks have more customer-friendly interpretations on how often you have to 2FA (like once per month).

Only thing I noticed: I used to automatically fetch transactions through a HBCI interface with the open source software AqBanking on a VPS. This doesn't work anymore, because you need to register this software somewhere. So not sure how this is connected to PSD2 exactly. I assume the requirements for HBCI got tightened.

Definitely a problem with your bank(s).

SCA is only required for high risk activities, such as payments (and even then, only if amount is over €30 or if you have transacted over €100 since last SCA). Balances and recent transactions are considered low-risk, so you shouldnt need to enter 2FA for "refreshing" your account balances, etc.

The directive also states that a balance must be made between security and user experience. It seems your bank(s) ignored that part.

But which bank doesn't? I have N26, DKB, 1822direkt and they all have gotten much worse.

If I could, I would opt out.

I have also used N26, ING and DKB, which are mostly the best/most modern banking experiences in Germany and can only confirm what you said.
No, SCA also applies for account access. Banks are allowed (but not required!) to only require SCA once every 90 days.

This is something where the technical regulation falls short, though. They (i.e. the EBA, which I believe specified the technical part of PSD2) could have specified some minimum usability requirements for delegated account access APIs.

Having to do SMS-based 2FA every single time when using a third party client compared to being able to use Face ID for the bank's native app is probably not really the intended outcome, but the reality for my two main bank accounts.

Yes, I am aware that you need to re-authenticate every 90 days.

My comment was specifically in response to GP being requested for SCA multiple times per day to refresh their accounts.

Ah just like the changes to merchant card fees worked so well for the citizens (cost me about (£15 -£20 a month)

And the card companies just invented new fees for merchants so they don't see much of an advantage.

Yes, PSD2 is good, but I'm wondering why they didn't go further and mandate something like UK's Open Banking.

The difference is that currently in EU banks are forced to expose a banking API, but every bank can have their own API. While in UK there is one API standard that banks are supposed to allow to be used.

So writing an app for EU one has to deal with tens (if not hundreds) of bank-specific implementations while in UK one is all that's needed.

Thank you for pointing this out. Recently I've been talking to many different banks and payment service providers in the Netherlands, and it's absolutely crazy how little specification there is to the technical end of things. It's effectively an auditorium of hundreds of banks and PSPs across Europe, shouting at each other over how they want to (or not want to) do this one specific thing.

It has not helped by any means with the ton of technical debt they had, because now everybody's just winging it and being minimally PSD2 compliant. We still don't have a standardised OAuth (or OAuth-styled) access to banks, and it doesn't look like PSD2 is helping anybody out beyond the "yeah, like, just make the data accessible without scraping, thanks!"

there are two sides of that coin. while a standard API is nice, it also prevents evolution and improving APIs.

you don't really want to lock in a specific API by law. that will work well for a few years, but then it will more likely hinder innovation, rather than support it.

The real result of this is aggregators appearing, which present a unified interface to all banks, hiding the implementation details under their own interface. i.e https://www.neonomics.io/
Having banks have an API is far different than telling Apple to share access to how the interface with those APIs. If anything it probably is a push by state actors who hope their intelligence services can use the hooks to circumvent the security Apple and even Android users have from their devices. Apple is not preventing you from using a bank or accessing your funds in that bank, they are just offering up a new secure means to do so. Your bank still has to play along. Now if Apple was exclusive then we would have an issue

So by this logic, anyone who has a device which supports NFC payments and can load an app from a third party must allow access to methods the hardware performs the handshake/connection? So why not just say all parts of the phone must be fully exposed, why not demand that apps can make the phone calls?

I have two major issues with these demands. First being it simply is more likely a means for state actors to have more opportunities for back doors violating the trust people put into their devices.

the second is what is to prevent every damn bank and store from demanding you only use their app because you know that will happen.

>If anything it probably is a push by state actors who hope their intelligence services can use the hooks to circumvent the security Apple and even Android users have from their devices.

It's not anything cloak-and-dagger like that. It's really just politicians leaning in on the side of their banks in a commercial negotiation with Apple.

It’s the question whether the device “is” the wallet or the bank’s app “is” the wallet.

I think for reasons similar to what grandparent mentions, I prefer it be the device, like the hardware btc wallets.

Regulations shouldn’t crack open a toaster, and shouldn’t crack open a PDA.

> No, this highlights that the EU is willing and able to regulate markets to keep them open to all participants.

Exactly. I find it absurd that credit card companies can charge between 1.5% and 3.5% in merchant fees. Some 2%+ of the retail volume goes to credit card companies! (Who then turn around and give a small fraction of it back to their more savvy and rich customers via miles or points, while charging their poorer or less organised customers horrendous late fees and interest.)

The German Girocard debit card system charges merchants at most 0.2%, an order of magnitude less. That's the way it should be.

Well, on the other hand if such a system was implemented in the US, prices would stay the same. For me as an end user I don’t care if Wal-Mart eats those fees or Visa does, except I get a credit card where, as you say, I get points and whatnot to keep using.

There is also nothing stopping companies in the US from either implementing a super low-cost system, or just only accepting cash. I think CC have critical adoption in the US, and nothing but legislation would remove them - it’s a zero sum game. If I stop using a card I don’t get points and pay the same price for products.

I don’t know all of the details of the German Girocard, seems like it’s a good product potentially, but would need some more info. In the US, if someone scams my debit card I am out of cash until it’s recovered. How does it work in this case for this card?

I would also like to challenge the notion that prices should be X, just because someone is perceived as a middleman. Prices should be (excluding healthcare) whatever people are willing to pay. It’s equivalent to someone complaining about mobile app developers costing a certain amount of money and just saying that’s the way it should be. Companies put a lot of money, time, and development into building the infrastructure and products, so they should be free to charge what the market will bear for these types of products.

> Well, on the other hand if such a system was implemented in the US, prices would stay the same. For me as an end user I don’t care if Wal-Mart eats those fees or Visa does, except I get a credit card where, as you say, I get points and whatnot to keep using.

There is no reason prices would stay the same, unless there was collusion between all the retailers. And neither Walmart nor Visa eat the fees. Anyone not earning credit card rewards eat the fees.

Also, money transfer infrastructure is just as important as healthcare. As is water, electricity, and transportation. I’m assuming you wouldn’t want the electric or gas company to charge what the market will bear when it’s -10C outside for a few weeks.

Why would they lower prices? Wal-Mart could lower prices now for cash or debit card purchases but they don’t.

> Wal-Mart/Visa don’t eat the fees

Well, in Wal-Mart’s case either they pay the fees, or they raise prices to compensate. If we assume that they raise prices to compensate for transaction costs, then anyone who doesn’t use a rewards debit/credit card eats the fees in the sense that they don’t get any sort of reimbursement yet pay the same price.

> Also, money transfer infrastructure is just as important as healthcare. As is water, electricity, and transportation. I’m assuming you wouldn’t want the electric or gas company to charge what the market will bear when it’s -10C outside for a few weeks.

Eh I don’t think it’s as important as those items. But that’s besides the point, unless you want to nationalize money transfer or something. It’s not a necessary service, it’s just very convenient and good for the economy. When someone creates Venmo you want to legislate the prices they can charge per-transaction?

> Why would they lower prices? Wal-Mart could lower prices now for cash or debit card purchases but they don’t.

That’s a good point, and I can see two options for it. One is that it’s more costly to maintain two sets of prices, or that it’s better for retailers to encourage purchases with credit cards as people using credit cards are likelier to spend more.

> When someone creates Venmo you want to legislate the prices they can charge per-transaction?

No, I’d rather the government already have setup a system. It’s the reason why payments and transferring money still involves paper in the US. Northern Europe has been able to enjoy the convenience of instant, secure, and cheap money transfers for decades that people in the US are just starting to get.

Certain types of infrastructure in society is best handled as a society. Roads, water, energy, payment networks. I don’t see the point in duplicating them.

> Why would they lower prices? Wal-Mart could lower prices now for cash or debit card purchases but they don’t.

You're from the US, right? Then you should be familiar with gas stations which have two sets of prices: an expensive one for credit card customers, and a cheaper one for cash customers. Last time I road-tripped through the California/Oregon area, those were a thing and quite common.

Why doesn't Walmart do the same? Probably because they have 50k prices to consider, while a gas station has like 3 or 4. But the gas stations demonstrate that there obviously is a possibility for reduced payment costs to end up at the customer in the form of reduced prices.

Now imagine taking away the burden of having Walmart (and any other retailer for that matter) add 50k additional prices to their inventory by simply capping all CC fees at 0,3%. If you don't see the likelihood for a reduction in prices for customers in the long run, you either don't have much trust in free markets, or you must assume that the market in question is not free at all, but burdened by collusion.

> Exactly. I find it absurd that credit card companies can charge between 1.5% and 3.5% in merchant fees.

They can't anymore in the EU. It's capped to exactly the 0.2% you mention for debit and 0.3% for credit cards.

This is also the reason why you don't see rewards on consumer cards anymore around here.

Note that 0.3% is the cap on interchange fees, i.e. what the card circuit (Visa, MasterCard) charges. The actual cost to merchants is about 1%. Moreover, AMEX somehow is not subject to this regulation.
>Moreover, AMEX somehow is not subject to this regulation.

NAL. It is somewhat complex and involved Amex exploiting a 'loophole' in the EU law, which capped the fees. It revolves around how three party and four party arrangements were structured and implemented. Nonetheless, it was challenged and Amex lost it's appeal and currently open for interpretation, notwithstanding the fees that it has to continue swallowing as a result.

Excerpt: What is more complex is that American Express doesn’t even charge interchange fees because there is no intermediary. There are no interchange fees to cap. Instead, it has to cap its general fee charged to retailers. This will presumably need to be set at a level similar to the total fees now charged to retailers for accepting Visa or Mastercard.

https://www.headforpoints.com/2018/02/08/american-express-eu...

The reason for that is that as a merchant, you don't get to choose your customer's issuing bank, but you do get to negotiate with your PSP/merchant acquirer (and switch – there is quite some competition in that space).

Scheme fees are still unregulated, though, and I assume that these will be the next focus area of the EU regulator(s).

Apple could've probably easily prevented this if they had allowed banking payment apps from the beginning, like Google did.

Without an exclusive payment system, they would just be a payment alternative that would be way more user friendly than their competitors and everything would be dandy. I'd even consider it to be a reason to buy an iPhone, given their super simple UX flow compared to even the most user friendly bank apps.

I hope not just Germany, but also the EU will take action against companies like Apple. These exclusive networks that serve no purpose other than vendor lock-in are a lose-lose scenario for customers and even the most rabid Apple fans should see how shitty their behaviour is.

They've made their bed and now they will have to lie in it. Good on Germany for taking action.

I've seen the mess that banking apps on Android made. Not supporting certain phone models despite having NFC, needing a special SIM-card for the secure element, horrible UX. Multi-bank support meant switching between apps before payment. It's better now but far from perfect.

The benefit of the Apple Wallet for customers is having all your cards in one app, available from the lock screen. The benefit to the bank is that they don't have to make an app, they just need the back-end integration with Apple Pay.

Of course some banks are shit. In some countries you can't log in to your bank without ActiveX. Most banks I've seen (in Europe, at least) are quite with the times and support basically any device with NFC. For Apple this is especially easy because there's only 6 models of phone to support with a single API. There's no way a bank app would drop support on a maintained iOS device.

In my country, every bank has supported contactless payments for at least 3-4 years. My bank has a pretty nice UX, as do many of its competitors. Some other apps are more focused on security than user experience, which manifests itself in an irritating slow mess, but that's just another factor to take into account when picking a bank.

A few months ago, the first bank in my country announced Apple pay support. Up till then, Apple customers have been behind the curve on simple features that even the cheapest Chinese phone had. Now that banks started supporting Apple Pay, every single customer, including me, is paying Apple for the extra fees that banks need to pay to Apple for integration (because they're not allowed to charge Apple customers directly). I don't have any Apple decides whatsoever and so do most households I know of, yet we're all funding Apple's little money making scheme.

The benefit of Apple wallet is the same as the benefit for Google Pay and people still use that despite bank apps existing on Android. If Apple Pay is better, customers wouldn't install separate bank apps and banks still wouldn't have to make apps. The result: customers have more choice, but now the responsibility for not bringing features to users lies with the bank instead of Apple.

The real difference here is that Apple doesn't allow banks to compete on iOS devices because Apple wants a portion of all payments their customers make on their phones. No matter how fancy Apple's solution is, there's no excusing their anticompetitive restrictions on their app store from a consumer standpoint.

The only defences I can think of are "I don't use bank apps so I don't care", "I don't trust my bank to make software but I don't care enough to switch" or "It's technically not illegal in most countries", all of which are pretty bad excuses in my opinion.

6 models? From the Apple website:

  * All iPhones with Face ID (23 models)
  * All iPhones with Touch ID, except for iPhone 5s (33 models)
  * iPad Pro (18), iPad Air (6), iPad (7), and iPad mini (8) models with Touch ID or Face ID
  * Apple Watch Series 1 and 2 and later (20 models)
  * Apple Watch (1st generation) (3 models)
  * Mac models with Touch ID
  * Mac models introduced in 2012 or later with an Apple Pay-enabled iPhone or Apple Watch
I count 118 SKUs just for mobile devices. That is without the difference in storage capacity. And then you have all the country specific stuff. For Japan you need an iPhone 8 or later or the Apple Watch Series 3 or later. The iPhone 7, 7 plus or Apple Watch Series 2 work but only if purchased in Japan. In the Netherlands you can use Apple Pay on the web only on a compatible iPhone or iPad.
Yes, if this results in one of my banks/card issuers dropping Apple Pay in favor of their own app, I’m going to be switching banks/cards. I have zero patience for companies that try to corral me into whatever their custom solution is. They have to either work with the system standard stuff or lose my business entirely.
>The benefit of the Apple Wallet for customers is having all your cards in one app, available from the lock screen. The benefit to the bank is that they don't have to make an app, they just need the back-end integration with Apple Pay.

I don't understand this. If you can just add a credit card or a bank account via direct debit then why does Apple Pay require cooperation from banks at all? The primary reason why those banks want their own app is because Apple doesn't want to integrate them into Apple Pay.

How exactly could Apple Pay work without the bank's cooperation?
There are additional privacy layers in the system, such that every time you make a purchase, a temporary card number is generated and used, rather than your actual card number. This is beneficial as it prevents the retailer from tracking your purchases, but requires interactive participation from the bank, which needs to map that number to your actual card number in real time. As part of the onboarding process when you enroll a card, your bank must confirm the enrollment to ensure this process can take place.

It seems to be part of a multi-step key exchange mechanism [0] mediated by Apple but stored locally at either end, ensuring that Apple does not retain your card details at any step of the process. Of course, without bank participation, there aren't two parties to actually mediate between.

[0]: https://support.apple.com/en-us/HT203027

“Every time you make a purchase, a temporary card number is generated and used”

This is a common misconception. Every device receives a unique DAN, but when multiple transactions happen across time using the same device, the merchant will receive the same DAN.

This allows individual devices to easily be invalidated by the issuer, but it doesn’t really provide much privacy benefit from, say, merchants aggregating personal information based on your purchasing patterns.

Does anyone know which law it is and can post an English translations? Feels like this HN thread will be too vacuous if we don't know what we're discussing.
(comment deleted)
http://dip21.bundestag.de/dip21/btd/19/151/1915163.pdf from page 77, § 58a. IANAL but it looks like it matches the summary from the article pretty well. There are some exceptions, like if you can prove that opening it up would weaken the security. But it's rather clearly tailored to apply to Apple Pay.

Here's a lightly touched-up translation courtesy of deepl.com -- not sure if the references made it intact (and pretty sure the legalese didn't), but it's using "clause" to refer to the numbered sub-paragraph things:

§ 58a: Access to technical infrastructure services in connection with the provision of payment services or the conduct of electronic money business

(1) An enterprise which contributes to the provision of payment services or the operation of electronic money business in Germany through technical infrastructure services (system enterprise) shall be obliged, upon request of a payment service provider within the meaning of § 1 Clause 1 sentence 1 numbers 1 to 3 or of an electronic money issuer within the meaning of § 1 Clause 2 sentence 1 numbers 1 or 2, to make these technical infrastructure services available without delay and subject to reasonable fees and reasonable conditions of access. The provision within the meaning of sentence 1 must be designed in such a way that the requesting enterprise can provide or operate its payment services or electronic money transactions without hindrance.

(2) Clause 1 shall not apply if, at the time of the request, the system operator is not a company whose technical infrastructure services are used by more than 10 payment service providers within the meaning of § 1 Clause 1 Sentence 1 Nos. 1 to 3 or e-money issuers within the meaning of § 1 Clause 2 Sentence 1 Nos. 1 or 2 or which has more than 2 million registered users.

(3) In exceptional cases, the system operator shall not be obligated in accordance with Clause 1 if there are objectively justified reasons for refusing to make the service available. These are particularly present if the system enterprise can prove that the security and integrity of the technical infrastructure services is specifically endangered by the provision. The rejection must be comprehensibly justified.

(4) If a system enterprise culpably infringes clause 1, it shall be obliged to compensate the inquiring enterprise for the resulting damage. The ordinary legal process is given.

(5) The duties and responsibilities of the cartel authorities under the Act against Restraints of Competition shall remain unaffected.

>> We are surprised at how suddenly this legislation was introduced,

Meanwhile we, the Apple clients are surprised why it took so long to pass this legislation. I still wonder why nothing is done against the appstore/google lock-in.

Sounds like this is just the Payment Service Directive ? Someone at APPLE must have slept while on the wheel for years.
"...could hurt data protection and the security of financial information. "

Hahahahahaha, best joke I heard this month.

What would stop Apple from disabling NFC inside the German borders? Germans use cash for most payments, so they wouldn't lose too many customers.
A motion Passed quickly late at night that doesn't seem at all odd.

Given that Angle Merkal wanted it pulled (for good reasons) sounds like this was bounced though by either the greens or maybe by conservatives with input from the German backing sector

Apple's complaints were predictable. If we let them, they'll also argue that hair loss or bad weather endanger the security of financial transactions.
I don't see anything good coming out of this law, honestly. I've read some other commenters saying that Apple doesn't want to talk to small banks, but I find that to be the complete opposite of my experience.

Here in Portugal, only one bank supports Apple Pay, and it's a small one (apart from N26/Revolut, the online ones). None of the bigger banks support it. Instead, they all support a national app that uses QR codes on iOS and NFC/QR on Android for payments (but its UX is much worse, even on Android where it uses NFC, and has a load of other problems - since it's properietary it doesn't work internationally, etc.). Of course, there is no Google Pay support at all here, and I blame the fact that NFC payments are supported on their own app. There's even less incentive for them to support Google Pay at all, and that's exactly what happened. I'm afraid that Apple Pay would be dropped if Apple was forced to open up NFC for payments.

If Apple has to open their infrastructure then there needs to be reciprocity. I want Apple Pay. I don’t want Wal-Mart pay, Starbucks pay, CurrentC, ...
I would not be surprised if instead of complying, Apple would just disable ApplePay for Germany altogether.