Android Pay, Samsung Pay, Apple Pay, Google Wallet...

[ControlD]

Well they aren't labelled as Apple Pay or Google Wallet typically. If it just says accepts paypass then 90% of the time Google Wallet will work. Once exception is CVS and Rite Aid because they specifically block it.

Aha. That explains it. I was expecting to see some type of Apple or Google branding involved. For me it's all academic anyhow as my phone is too old to support it. Would be neat to try though. I have a feeling I would be "that guy" holding up the line while something didn't work though.

 

[sweenish]

You can save a step with Google Wallet by pre-emptively opening Wallet and PIN'ing in before you tap.

It's no different than swiping your card while they're still scanning.

 

[leilah]

Remembering the tap and pay debit card, looks like it's gonna be the same. You either wave your phone on a terminal and then the payment goes through

 

[basslover1]

I like the idea as an option. It allows me to lighten my wallet a bit if I can visualize less used cards. However I dislike the idea of having to hand over my phone to pay for things. Make it combine with things like loyalty cards, membership cards, etc,etc.

For example I have a costco amex that I only ever use there. Its also my membership card to get in. Not having to carry that around for the few times I use it would be nice.

Wallet can store loyalty cards, though I don't know if it'll work with Costco. It stores my winn-dixie card and I just have to pull it up at the register.

I wish it would work at all with more than just credit/debit cards. When I was visiting my Sister in Seattle I borrowed her ORCA card which uses NFC, but I couldn't read it from my phone. It would be cool to put stuff like that into Google Wallet.

 

[quikah]

Much more secure. That's why banks are willing to give a portion of their fees to Apple. Lowers their fraud risk.

Meh, I am not convinced they care. Chip and pin has been around for 10+ years and is very secure. They JUST now are starting to issue chip and signature cards.

 

[lopri]

Well they aren't labelled as Apple Pay or Google Wallet typically. If it just says accepts paypass then 90% of the time Google Wallet will work. Once exception is CVS and Rite Aid because they specifically block it.

I've used Google Wallet at a local CVS..? Are you sure about it being blocked?

 

[cpacini]

That was a recent change, happened after the Apple pay launch

 

[soccerballtux]

honestly, what did google think was going to happen? They're terrific at dropping the ball simply because the other team isn't playing. Then, they make a half hearted effort to respond and it's only 90% complete.

They should have been pushing this from the beginning.

 

[soccerballtux]

It simulates the magnetic field, basically tricking the card reader that you swiped your card.

wow that's a cool idea.

 

[imported_ats]

I don't get the necessity of having all these different mobile wallets. I actually don't get mobile wallets at all. Swiping my CC is much faster than digging my phone out, waiting for NFC to connect, verifying the purchase....

Swiping your credit card is basically giving a copy of your CC to every retailer, waiter, or salesperson you hand it to.

I also look at it from the backend of things. This just adds at least 3 more points for data to be breached: your phone, the mobile payment processor and the provider (Apple, Samsung, Google). If I understand this correctly, the transaction goes: phone > POS terminal > mobile payment server > provider > mobile payment server > customer bank > mobile payment server > POS terminal. With all the large data breaches lately, why would you want to risk your data being with more companies and going through so many different servers?

So what is the appeal here? Do we need every phone maker, service provider and guy on the corner offering mobile wallets? Do we need mobile wallets?

For Apple Pay, the credit card number is only ever stored at the issuing bank. Once they authorize access, they send a per device/card master token (key/hmac/etc) to the phone where it is stored securely and never externally visible again. Whenever you conduct a transaction with that "card", the security processor generates a 1 time signed token that contains no personally identifiable information to anyone except the issuing bank.

The retailer is left with no personally identifiable information nor any reusable transaction record. Apple has no knowledge as well, as they are effectively out of the loop once the card authorization takes place nor do they store the card information. The payment processor has a transaction forwarding record but generally no personally identifiable information. The only entity with a permanent record tied to your account is the issuer, which always had it anyways.

The main appeal for the Issuers and payment processor is that the retailer no longer can be a source of a leak for any apple pay transactions. That significantly cuts down on fraud. The only weak point in the system left is the initial authorization of the card to be used in the system.

 

[imported_ats]

It'd be nice to not have to carry my health insurance card, or AAA card. I already don't and rely on photos of those stored on Drive. Its a risk, but I figure if I'm paralyzed in the hospital, they would give me some time to figure out my insurance.

Several transit systems are adding NFC. I've been using digital versions of health insurance and AAA cards for years. The AAA app actually has a card screen. For health insurance, they have never needed the actual card, just the requisite numbers/plan.

 

[imported_ats]

Maybe it will be much more secure once the bugs are worked out. I'm not sure I'd be all that keen to be an early adopter however:

http://appleinsider.com/articles/15/03/02/banks-scrambling-to-combat-apple-pay-identity-fraud---report

That's the initial authorization issue. The primary problem is the process that banks have been using for yellow/red flagged authorizations. Green flag (aka automatic) auths have apparently not really had any issue (green flagged cards basically have inherently strong link-ability back to the device purchase et al). Yellow and red flag authorizations are where the aren't sure they should authorize. The issue that they've run into is that the secondary authorization steps are basically on the bad side of modern stupid ways to check accounts. Most banks have been using things like last 4 SSN which is simply non-viable for fraud prevention. If someone has your credit card numbers, its highly likely they also have all your other personal numbers. They need to go to a system of either in person authorization for yellow/red flags or at the very least, snail mail based pin codes.

There are no known vulnerabilities in the actual payment processes themselves however. Which is good, cause anything that would render Apple Pay insecure would also render any other NFC insecure along with chip+pin.

I have seen exactly zero terminals where either Apple Pay or Google Wallet can be used in my area. I'm guessing that isn't going to change anytime soon. Sounds like something "big city folks" will get to enjoy for a few years before it makes it down to lower population areas.

2016 is the magic year. After 2016, anyone accepting credit cards has to be able to accept Chip+Pin and/or NFC. Payment processors will be shutting down mag stripe authorization in 2016.

 

[rudeguy]

Swiping your credit card is basically giving a copy of your CC to every retailer, waiter, or salesperson you hand it to.



For Apple Pay, the credit card number is only ever stored at the issuing bank. Once they authorize access, they send a per device/card master token (key/hmac/etc) to the phone where it is stored securely and never externally visible again. Whenever you conduct a transaction with that "card", the security processor generates a 1 time signed token that contains no personally identifiable information to anyone except the issuing bank.

The retailer is left with no personally identifiable information nor any reusable transaction record. Apple has no knowledge as well, as they are effectively out of the loop once the card authorization takes place nor do they store the card information. The payment processor has a transaction forwarding record but generally no personally identifiable information. The only entity with a permanent record tied to your account is the issuer, which always had it anyways.

The main appeal for the Issuers and payment processor is that the retailer no longer can be a source of a leak for any apple pay transactions. That significantly cuts down on fraud. The only weak point in the system left is the initial authorization of the card to be used in the system.

Thanks for explaining that.

 

[Dulanic]

Props imported. I have direct inside knowledge of these things and you explained it better than I would have

 

[rudeguy]

Props imported. I have direct inside knowledge of these things and you explained it better than I would have

Mind me asking what you do?

 

[dawheat]

Swiping your credit card is basically giving a copy of your CC to every retailer, waiter, or salesperson you hand it to.



For Apple Pay, the credit card number is only ever stored at the issuing bank. Once they authorize access, they send a per device/card master token (key/hmac/etc) to the phone where it is stored securely and never externally visible again. Whenever you conduct a transaction with that "card", the security processor generates a 1 time signed token that contains no personally identifiable information to anyone except the issuing bank.

The retailer is left with no personally identifiable information nor any reusable transaction record. Apple has no knowledge as well, as they are effectively out of the loop once the card authorization takes place nor do they store the card information. The payment processor has a transaction forwarding record but generally no personally identifiable information. The only entity with a permanent record tied to your account is the issuer, which always had it anyways.

The main appeal for the Issuers and payment processor is that the retailer no longer can be a source of a leak for any apple pay transactions. That significantly cuts down on fraud. The only weak point in the system left is the initial authorization of the card to be used in the system.

It's really the same as the previous mobile NFC wallets with a couple big advancements :

- instead of having a special bank app for each card, Apple has gotten most major banks to agree to let their cards be in Apple's wallet
- the payment networks, with Apple, have created scalable systems so every bank doesn't have to do it themselves. The upside is others can use the same systems
- Apple and Touch ID has substantially improved the user experience

 

[sm625]

Google wallet is a scam. I bought something on there, and it shipped to some address other than mine. And they refused to do anything about it, even though the documents clearly show that the address was wrong. I had to go directly to the CC the google wallet was tied to and dispute the transaction there. No one should use these sorts of stupid scam pay systems. They offer nothing in way of convenience. All it takes is one botched transaction to undo all of the time saved by the convenience of such pay scam systems. I will not use google pay for anything other than a microtransactions and only when there is no alternative.

They are indeed scams. All the points made by the OP are valid. NFC takes longer and is less convenenient. They are pointless. Nothing but financial FUD, access points for fraud.

 

[Dulanic]

Mind me asking what you do?

I work for a big bad financial company. Business analyst, majority of it SQL reporting. The majority of my role is reporting creation and alteration so lot's of SQL coding.

 

[Dulanic]

Google wallet is a scam. I bought something on there, and it shipped to some address other than mine. And they refused to do anything about it, even though the documents clearly show that the address was wrong. I had to go directly to the CC the google wallet was tied to and dispute the transaction there. No one should use these sorts of stupid scam pay systems. They offer nothing in way of convenience. All it takes is one botched transaction to undo all of the time saved by the convenience of such pay scam systems. I will not use google pay for anything other than a microtransactions and only when there is no alternative.

They are indeed scams. All the points made by the OP are valid. NFC takes longer and is less convenenient. They are pointless. Nothing but financial FUD, access points for fraud.

Overall Google is just the middle man, why wouldn't you have gone to your bank up front? I don't know if they were to blame or the merchant, but I still would have disputed it with your credit card it was tired to in the first place. It's very similar to paypal in that aspect, you can dispute /w PayPal but it very rarely is in your favor. Better off going to the source.

 

[rudeguy]

I work for a big bad financial company. Business analyst, majority of it SQL reporting. The majority of my role is reporting creation and alteration so lot's of SQL coding.

NERD!


The company I work for is looking to get into payment processing. Was hoping I could pick your brain.

 

[Dulanic]

NERD!


The company I work for is looking to get into payment processing. Was hoping I could pick your brain.

I used to work /w Visa/MC transactions & disputes, but not directly anymore but that is the most I did with that portion.

 

[imported_ats]

Not completely accurate AFAIK - I believe the card number is tokenized by say Mastercard when Apple requests to provision the card. The SE then generates a cryptogram with every transaction. The issuer authenticates the tokenized card and cryptogram for every transaction. A new tokenized number is not used for each transaction.

WRT Token per transaction, the reality is that we don't know and those that know can't talk. It certainly is possible to do token per transaction, generic token, etc.

It's really the same as the previous mobile NFC wallets with a couple big advancements :

- instead of having a special bank app for each card, Apple has gotten most major banks to agree to let their cards be in Apple's wallet
- the payment networks, with Apple, have created scalable tokenization and detokenization systems so every bank doesn't have to do it themselves. The upside is others can use the same systems
- Apple and Touch ID has substantially improved the user experience

IIRC, Apple Pay is the first implementation of EMV Contactless + Tokens. As far as the actual tokenization, that is being done both by the networks and the banks. The networks will provide it as a service, but the preferred way is that the issuer do it. And the issuer has to do the authorization anyways, the networks as far as I'm aware will not do the authorization though will provide tools/sdks.

What's great about the second item is that not too far in the future, merchants will be able to request that cards they store get tokenized with the payment networks, with the token restricted to their store. So even in a merchant breach, the number can't be used anywhere else.

There were already systems in place/available for tokenized response. The major change with Apple Pay is that the token is used everywhere even for auth which the previous token systems didn't support.

 

[imported_ats]

Google wallet is a scam. I bought something on there, and it shipped to some address other than mine. And they refused to do anything about it, even though the documents clearly show that the address was wrong. I had to go directly to the CC the google wallet was tied to and dispute the transaction there. No one should use these sorts of stupid scam pay systems. They offer nothing in way of convenience. All it takes is one botched transaction to undo all of the time saved by the convenience of such pay scam systems. I will not use google pay for anything other than a microtransactions and only when there is no alternative.

They are indeed scams. All the points made by the OP are valid. NFC takes longer and is less convenenient. They are pointless. Nothing but financial FUD, access points for fraud.

Apple Pay certainly isn't a scam. The whole goal of Apple Pay was to have the device issuer have as little to do with the whole thing as possible. The only thing apple is responsible for is the Secure Element function and routing of encrypted authorization requests. And the auth routing is in a walled off enclave of Apple disconnected from the rest.

Once the card has been authorized into the SE, Apple is not involved in the payment transaction. Neither the payment transaction nor payment clearing goes through Apple at all.

 

[imported_ats]

Overall Google is just the middle man, why wouldn't you have gone to your bank up front? I don't know if they were to blame or the merchant, but I still would have disputed it with your credit card it was tired to in the first place. It's very similar to paypal in that aspect, you can dispute /w PayPal but it very rarely is in your favor. Better off going to the source.

IIRC, Google Pay acts as a middle man issuer. They create a Google Visa/MC number that is stored on device. The payment path is Merchant->Payment Network->Google->Card Conversion->Payment Network->Actual Issuer. In contrast Apple Pay is Merchant->Payment Network->Actual Issuer.

 

[vigilant007]

I don't get the necessity of having all these different mobile wallets. I actually don't get mobile wallets at all. Swiping my CC is much faster than digging my phone out, waiting for NFC to connect, verifying the purchase....

I also look at it from the backend of things. This just adds at least 3 more points for data to be breached: your phone, the mobile payment processor and the provider (Apple, Samsung, Google). If I understand this correctly, the transaction goes: phone > POS terminal > mobile payment server > provider > mobile payment server > customer bank > mobile payment server > POS terminal. With all the large data breaches lately, why would you want to risk your data being with more companies and going through so many different servers?

So what is the appeal here? Do we need every phone maker, service provider and guy on the corner offering mobile wallets? Do we need mobile wallets?

Can't speak for Samsung Pay but Apple Pay is notably faster and easier then a credit card. At most places I put my phone up to the reader, and my phone will ask me to authenticate with TouchID. Thats it. On Apple Pay the number being sent to the vendor isn't the actual card number. Each card on each Apple Pay device gets an Apple Pay ID that doesn't match your credit card. When you authenticate it's basically a "token" that gets passed off with no personal information attached. The only information I believe that is actually stored on the phone is the last 4 digit of each individual card and the device number for that card. If your phone gets stolen you can log in to Find My iPhone and immediately revoke that device from using Apple Pay.

Google Wallet I believe works in a very very similar way. From what I understand Google Wallet as it works today wants you to authenticate and it sends what is basically a gift card credit card number to the terminal. The security and validation and the like that it has as oppose to Apple Pay isn't something I'm familiar with though. The advantage of Apple Pay from what I can tell is that it requires biometric authentication, and the ability to do a remote wipe of the device from being able to do transactions.

Samsung Pay seems like Google Wallet, with a way to send credit card information using a magnetic field with the same information on your credit card. This seems much more troubling. I expect for stores to see someone waving their phone around a reader the way displayed, and it receiving the magnetic field on the reader as insecure.

As far as why there are so many systems theres really only 2. Theres the NFC method supported by Apple Pay, Samsung Pay, and Google Wallet. Apple Pay and Samsung appear to have a couple different ways of using it but they both fall into that standard.

There is one standard that seems incredibly horrible called Curren-C or something like that. That requires a single vendor to have a ton of personal information including your credit card numbers. When you get to the point of sale terminal you scan a QR code and a response QR code shows up on your screen that the cashier then scans. This is being pushed by Wal-Mart and Best Buy.

I'm loving these new payment methods. Apple Pay for me at least has been incredibly easy, with many ways to lock it down if needed. Considering that Apple Pay is so heavily based off of the NFC standard I'd imagine that Google Wallet and Samsung Pay (using NFC) probably share the same benefits. Until more information comes out about how Samsung Pay's magnetic field method works I'd stay away from it though. My concern being that those credit card readers magnetic head needs a good read to process the payment. If Samsung is just sending the credit card information in the clear to support legacy devices then this could be very bad. I'd imagine it would be a few months till someone comes up with a device that can read the pure magnetic field at high power from a bag if it's not secure.