How EMV Ruined Apple Pay

Posted by Kirhat | Friday, June 24, 2016 | | 0 comments »

Apple Pay and EMV
Everyone who experienced transactions through the Apple Pay knew that the process was fairly simple and elegant. There are no network connection needed. No need to find an app, launch an app or log in.

Customers need only to hold their phone at the end of the transaction, place their fingers ever so briefly on the button for a split second, and a comforting "Done" icon says they are finished. Everything took only a few minutes to finish until a few days ago, when several major chains in the United Sates made their official EMV move.

EMV is a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them. EMV (Europay, MasterCard and Visa) cards are smart cards (also called chip cards or IC cards) which store their data on integrated circuits rather than magnetic stripes, although many EMV cards also have stripes for backward compatibility.

Trader Joe's and Whole Foods were among the major retailers that switched on EMV, which instantly made the quick Apple Pay experience decidedly less so. Instead of the shopper being done when Apple Pay confirmed all that it needed to confirm (which is pretty much the purchase amount and that their fingerprint matches the one they are supposed to have), a series of new messages pop out on the POS screen.

The first message displays — again — the amount of the purchase and asks that the shopper confirm acceptance of that amount. The problem is that the shopper already saw that amount before paying with Apple Pay. Ah, but EMV rules require confirmation of the amount, not mere knowledge of it. One could argue that the fact that the shopper offered a payment device after seeing the amount was a pretty good indication of acceptance.

The second message insists on a signature. Note that this shopper has already provided a finger scan — which is a few billion orders of magnitude more secure than a signature — so it's a rather pointless request.

Why is this all happening? The answer lies deep inside the details of how retail payment transactions work. The problem here is that although POS systems know that an NFC transaction is contactless, those systems often do not know much or even anything beyond that. The POS has no idea if a biometric authentication was completed, so it needs to ask for the signature. The POS has no idea whether the shopper was shown an amount — and certainly not whether the shopper really thought about it — so it must show it again and demand a confirmation.

Unfortunately, those explanations are quite irrelevant. The only relevant detail here is that Apple Pay, Android Pay, Samsung Pay and other secure NFC payment wallets are going to have their customer experiences seriously degraded because of EMV rules and visibility limits within today's payments systems.

It's entirely possible that future versions of NFC wallets may be able to do a better job at shouting at POS systems what they are and what they are doing, but that doesn't help shoppers (or retailers) today.


Post a Comment