Misunderstanding about the details of how Apply Pay works

Do their readers do contactless payment at all? Apple/Google Pay are just presenting your phone as a contactless payment card so it should work anywhere a physical card can be used that way.

He saying there's no difference between a standard contactless plastic card and using the phone.

"this doesn't fit my experience. For example, Home Depot doesn't accept apple pay but their chip readers work with other cards."

It must be different in the US, then. In Europe, Canada, and elsewhere, any terminal that accepts standard contactless cards (ie: pretty much 100% of them now days) will accept Apple Pay/Google Pay.

When Apple Pay first launched, there was an issue where some older terminals would apply the unauthenticated contactless payment transaction limit (£50 or whatever), instead of recognising that device-authenticated payments should have no limit. But that's long since been fixed.

actually breaking Apple Pay/Google Pay support needs a lot of destructive energy on the merchant's/PSP's side.

They do bank whitelisting, not protocol breakage.

In general, when you have this kind of bugs, it have to do with transaction amount limits which looks like they are a mixed bag of rules from the terminal and the card itself.

In the early days of mobile payments, I remember that some terminals were configured to enforce the legal limit for contactless cards (which was 30€ IIRC) even if you paid with mobile.

I haven’t encountered this issue for the last few years though, I even forgot my card PIN.

For some reason, recently Apple Pay on my phone stopped working on the local trams. It works everywhere else, and Apple Pay on my Apple Watch, using the exact same card, works fine. No idea what weird technical glitch is going on there. The tram company says Apple Pay is supported.

That’s Paypal providing proxy cards for use in Google Pay though, not the other way around. Curve does that too.

Android essentially provided bunch of interfaces over time to either load a complete payment infrastructure through hw means (usually it involved telco cooperating with banks to provide EMV secure element on the SIM card, and the NFC chip has hardware connection to the SIM card), and later and more popular there's both complete Host Card Emulation capability (so you can run EMV protocol in your app) plus Google Pay integration making it easier on issuer because now they don't have to implement EMV themselves on HCE, and also provide more convenience to users vs forcing you to open specific app when you have more than one card connected.

Honestly apples approach is pure security theater, as they're not an acquirer that process the transaction at the end.

Instead the real acquirer now reverses apples masking.

The merchants themselves aren't allowed to store the credit card information anyway, otherwise they'd lose their PCI certificate, losing the ability to process credit cards. And if they use a payment processor, then they didn't ever get in contact with the credit card information either.

No clue how/if Google does anything. I was just involved in implementing apple pay at a payment processor that was also an acquirer a few years ago. Ultimately, we've had the same information on the consumer, wherever they used Apple pay or just a regular credit card

The device card number (DPAN) is static after adding a card to a given device. It doesn’t change between transactions or merchants.

My bad. I read the article but I must have skimmed past the section about DPAN being randomized because I don't remember seeing it. The majority of my attention went the last part about personal details where I thought it was pretty obvious. Short attention span.

A couple of times that lack of signature verification tripped up a cashier, they’re obviously used to always needing it with however their terminal was configured, but with Apple Pay the receipt got printed with no signature line and after looking at it funny they’re like, “oh, well here’s you’re receipt I guess you don’t need to sign!”

Fair enough, t̶h̶e̶ ̶t̶e̶r̶m̶i̶n̶a̶l̶s̶ ̶o̶r̶ ̶b̶a̶n̶k̶s̶ ̶m̶u̶s̶t̶ ̶h̶a̶v̶e̶ ̶l̶i̶m̶i̶t̶s̶ ̶t̶h̶a̶t̶ ̶d̶e̶p̶e̶n̶d̶ ̶o̶n̶ ̶t̶h̶e̶ ̶C̶V̶M̶ ̶t̶h̶e̶n̶,̶ ̶b̶e̶c̶a̶u̶s̶e̶ ̶t̶h̶e̶r̶e̶ ̶a̶r̶e̶ ̶d̶e̶f̶i̶n̶i̶t̶e̶l̶y̶ ̶h̶i̶g̶h̶e̶r̶ ̶l̶i̶m̶i̶t̶s̶ ̶f̶o̶r̶ ̶p̶h̶o̶n̶e̶ ̶p̶a̶y̶m̶e̶n̶t̶ ̶c̶o̶m̶p̶a̶r̶e̶d̶ ̶t̶o̶ ̶c̶o̶n̶t̶a̶c̶t̶l̶e̶s̶s̶ ̶c̶a̶r̶d̶s̶

(edit: forgot cards and devices can have their own limits, best ignore this comment)

I thought apple/google only verified payments up to a limit (ever increasing) of e.g. £500/£1000 based on the biometrics? Is that right?

Yes, that is still true – AmEx own their own payment processing network, and they do not allow outsiders into it, even banks they have the brand sharing agreements with, hence a separate retailer relationship.

They are usually “No Cardholder Verification Method” transactions, though they can do ask for PIN entry in some circumstances.

In Turkey, contactless transactions are "Special Cardholder Verification Required, no PIN" or "Cardholder Present, PIN required" depending on the amount. And they are legally required to be performed online with immediate confirmation.

I think it's just different math.

The 15 basis points Apple supposedly charges for with card payments from Apple Pay is meant to come from the fraud budget; that a biometric-based authentication is consider both more secure and easier to counter payment disputes. The rest comes from the convenience and hope that actually results in more card payments.

In the US where there's no PIN, fraud is high. Parts of the country are still heavily cash based, so there's a good margin to gain if added convenience results in more card payments.

For heavily credit card based markets with chip-and-pin, you have less fraud concerns and less to gain from convenience.

My take though is that even if apple opens up the NFC chip, they aren't opening up the Secure Enclave. So even if a bank app can take over the NFC chip, they still will have secrets in memory at some point without a new P-256 based payment protocol.

Unless this is a new app backed by a bank cartel, you'll also go from being able to use multiple cards to just one first-party card.

This all leads to my opinion of a pretty wonky situation - opening NFC up probably increases the value of Apple Pay, since it can now be compared to other software-based wallets by users, and Apple Pay support again becomes a differentiator for the payment card.

Apple should buy a bank and compete on their own turf

Canada has essentially 6 big banks, instant transfers using Interac has been the most common way of transferring money for years (it launched in 2003) and payment using NFC has been the norm for a decade.

[…] we have essentially 4 big ones and they already are pretty cutting edge […]

The Big Four are not the cutting edge, it is a delusion. Out of four, only the Commonwealth Wank has transitioned onto a modern core banking platform for retail banking. Business accounts still run on the legacy core banking platform, if my understanding is current and accurate.

The remaining ones are as backward (from the technology POV) as they have always been. Westpac acquired St George Bank in 2008 trumpeting their core banking platform as the reason for the acquisition and the intention to transition onto it. To the best of my knowledge, that has not happened as of 2024, and Westpac contunues to use its own legacy core banking platform disjointly from that of St George's. Moreover, banking is not even integrated between the two even today, and the St George core banking has fell into a state of disrepair – EFT's can take a few days to reach the receipient's account depending on the receipient's bank.

The actual – pretty much only – innovator is Macquarie Bank that has invested a lot into revamping their banking platform from the ground up, plus neo-banks – newcomers to the banking market albeit niche ones.

The Big Four (or, most banks in general) loathe technology and IT as they see both as a liability, not a competitive advantage, due to tech not being their core business and due to being run by old farts with ossified brains. And that was the reason why they started rapidly losing millenials, Gen Z and other young customers to neobanks. It was a wake-up call for them.

[…] instant transfers are normalized […]

… and it has nothing to do with the Big Four. The Big Four, in fact, sabotaged instant payments for many years due to a lack of interest to advance the payment technology, and the instant payments in Australia only succeeded at the third (or at the fourth – I have lost the count) attempt after the Reserve Bank held the Big Four at a gunpoint and threatened them with severe penalties if they pull out again, as they had done every single time before. Instant payments in Australia are done via NPP/Osco, an independent company set up by the RBA, a BPAY subsidiary, and the Big Four as well as other local banks are mere users of it. None of the four control NPP/Osco payments, and that is a very good thing.

If the NFC chips were opened up through regulation I have zero doubt Australian banks would just say "we support contactless with our first party app" […]

… and users would be left with the atrocious quality banking apps and with banks tracking the users all the way down into the customer's colons.

User tracking was the actual reason behind the spat between the Big Four and Apple – the former wanted to get a way into users' smartphones and all sorts of device and chip ID's – to track the user behaviour to which Apple said no. As a customer, Apple's stance suits me way more.

Of course, banks have found other ways to track the iPhone users courtesy of advances in the big data science, although the attempt has been somewhat hampered. The Big Four are the largest employers of data scientists and for a reason.

You can't be naive and look at the Big Four through the rose tinted glasses – they are in the business of making very big money and treat their customers as acquisition assets and cows to milk. Commonwealth Wank has been onselling the transaction information to Equifax (other than reporting the credit history), and Equifax has been onselling that transaction information to some pretty shady loan shark companies.

When all your banks suck and Apple seems to be the only people with their shit together, sure but Australia doesn't live in that world.

ANZ was too busy charging dead people to bother implementing it. God only knows what westpac was up too, NAB had an implementation on Android, and having used it a bunch, it was _awful_ and I was glad when they gave up and just accepted the alternative. Combank did their own thing, and seemed the furthest along, but support seemed patchy and they ended up junking their solution anyways and going to Android/Apple pay anyways IIRC.

These places can hardly manage to maintain their own apps, I have about zero confidence in them deciding to wander off into the wilderness and trying again.

Not to mention, all the non-big-4, and all the smaller banks probably won’t bother with reimplementing NFC pay as they either don’t have the resources, or can’t rely on institutional-inertia to foist useless changes onto their customers.

customers end up paying in the end.

Not in a transparent way, generally speaking. And at least in Canada you couldn't even (as a business) add a credit card surcharge to a purchase price. Now you can, so long as you're simultaneously complying with the legislation (https://www.canada.ca/en/financial-consumer-agency/services/...) and your contract with your payment processor (e.g. https://www.visa.ca/content/dam/VCOM/regional/na/canada/Supp...).

Apparently, too, merchants aren't actually charged for Apple Pay, it's the banks themselves that are. Merchants apparently pay the regular charge to their payment processor whether I use my Visa-through-Apple Pay or my Visa as a physical card. https://paymentdepot.com/blog/apple-pay-fees-for-merchants/

At any rate, Apple Pay is ridiculously convenient compared to anything my bank has ever come up with. The last time there was a Pay With Bank $X thing on a website that I tried, I ended up getting directed through some kind of Verified by Visa thing where they were asking for some kind of security code that I don't recall ever setting up. Or... I can double-tap the power button on my phone to verify a payment I'm making on my laptop. If the banks are unhappy about giving a cut to Apple, my recommendation to them would be: Suck Less.

I don't pay anything extra for using Apple Pay, as a customer, how could it be cheaper?

The Apple Pay take is 15 bps, which is not a difference customers care about enough to change behavior even slightly.

I don’t get charged for using Apple Pay, I get charged for the processing fee for the card I used (which is an entirely separate discussion), and given the option between “just continue using Apple Pay” or “download several janky apps just because the bank wants its own wallet impl”, I’m going to stick with Apple Pay.

I use Samsung Pay in Spain. I like it because it's better integrated on my phone and more importantly I don't need a Google account for it. I don't even have one set up on my phone.

Of course Samsung does see my data this way but they have less info to correlate with. Also I don't use many of their services.

I do wish there was a truly open payment solution though that doesn't require me to trust a big tech party.

Samsung isn't even interested in Samsung Pay. I work at an FI, and have submitted an application repeatedly to integrate the SDK. We have yet to receive a response.

I had an Android when the banks were doing this before Google pay took off. The banks are capable of jankiness all by themselves.

Yes I have. But that’s completely irrelevant because I’m not a lawyer.

Ben Thompson and Gruber are not lawyers.

Lawyers I’ve followed have not found any mistakes though they do think some stuff is pushing it, but that’s completely normal and how all such cases work.

You have a core case on which you add a bunch of stuff. Because, one, you expect stuff to get thrown out, but more importantly these cases are rarely litigated to the end. They’re settled. So you put more in, even the slightly weaker stuff, so you can compromise on it during negotiations.

I wouldn’t have know this stuff, which is why I don’t pretend to know this stuff. Unlike Gruber and Thomson. Instead I follow lawyers online and speak to friends who are lawyers who have a better idea of what’s going on.

The ridiculous part of Gruber’s assertions is because he hears about these things only when Apple is involved he seems to think they are unique or new. That’s why his insinuations in a couple of posts that the EU actions were to punish American companies and protect European ones. If he had half a clue about this area he would have known that the EU has fined way more European companies than it has companies from the rest of the world put together.

The EU is poor. It has been mismanaging itself for years: they should be doing better than they are. Is this caused by outside vectors or the leadership, or maybe the structure (too many cooks in EU kitchen)?

Is the vision of the world the EU wants 15-25 years out strong?

Is the world the EU would create good for the EU - 30 years out? I’d argue it’d be a comfortable one. But a poor and weaker one.

The EU vision isn't just about economy and making money. This is something that the US will never understand because money and unrestricted capitalism is the only thing that counts there. The US truly doesn't understand that any other model can work, because the only way they measure success is $$$.

Whereas we in Europe care more about quality of life, a safety net etc. Our bank accounts are a means to that end but not a goal in themselves.

Of course Europe is quite different depending on the area with Netherlands and the UK also very neoliberal but most of the other countries are way more moderate.

I often get this disconnect even with my Dutch friends. They don't understand why I won't move back to Holland as I could make twice as much there in the same role. But the cost of living is also higher and more importantly the quality of life is much lower. People in Spain truly enjoy life much more.

For example during lunch a Dutch person would have a quick sandwich at the canteen so they can head off home early and beat the traffic jam. They always want to have the prettiest house and the fanciest car and work hard for it. So hard they lose time to enjoy those things. In Spain we go for lunch to a restaurant to have a three course meal with a glass of wine and after work we often grab a beer or two and sit in the sun. Most of my colleagues don't even own a car.

Life feels way more real to me here.

I don't know what "ruling" you're talking about. The DMA is a law, and it will be enforced despite Apple pretending to comply with it. There's nothing like a judicial proceeding as yet, much less a ruling.

This really underscores the point, and it's not just Gruber and random internet commenters opining on EU law while having zero clue about it, it's also Apple fans I respect like John Siracusa and Jason Snell who have a lot of opinions without familiarizing themselves with the facts.

I don't think I've seen him do opposition to workers rights / unions? He hasn't been constantly yelling about supporting them either, but that's different.

E.g. a quick google for "daring fireball unions" turned up mostly articles like this one which were pro union-demands: https://daringfireball.net/linked/2021/11/24/wirecutter-unio...

Closest to a negative I found in that quick search was him making fun of the Maryland Apple Store union that was asking to be allowed to request tips from Apple Store customers... while also saying that the rest of their demands sounded like good things to ask for.

Gruber has always been an Apple fanboy, but in the past few months it's taken a turn into ragebait territory, and i'm this close to stopping reading it

Yeah, Gruber is one of the most enthusiastic cheerleaders for Apple outside of Cupertino itself. It comes from a place of deep and abiding love, but he seems to see Apple kind of the way its internal culture also does — as a plucky upstart who has to fight for its very survival against all the big bad industry leaders (IBM and MS, originally). That viewpoint has become more and more absurd the larger and more dominant that Apple has got, leading us to this point where they want to argue that they should be able to simultaneously be an iron-fisted gatekeeper, and a purveyor of apps that “compete” with less-privileged apps on that same platform.

Brand fellatio has just become my new favorite concept :D

Gruber is wrong.

Many bank-specific wallets also use device account numbers. Storing full credit card numbers and the associated cryptographic keys on a device's application processor (like many wallets on Android do, both Google Pay and others) is a big no-go, and even for secure element based solutions like e.g. Apple Pay it's a big advantage being able to lock the number for a lost/stolen device server side without having to reissue the associated physical card and vice versa.

do card issuers actually have payment apps? my bank doesn't

They've been somewhat popular regionally, especially in countries where Google took their time with rolling out Google Pay support in, or for regional payment schemes that aren't supported in Google Pay. (They're only possible on Android; iOS hasn't traditionally supported the necessary APIs, until very recently when the EU forced them, and still only offers them there).

I don't think they ever were a big thing in the US.

Contactless credit card payment limits in Australia (from my experience) are configurable.

I bumped my contactless limit from $100 -> $500 years ago through my bank's app. Leaves friends confused every time I cover a group dinner out

I believe when using apple pay with an apple watch, there's no longer a threshold where you need to use a PIN/passcode as the watch is using 'biometric authentication'.

That makes sense, thanks!

For context, MST or magnetic secure transmission, allows a phone to transmit an EM signal that emulates the physical action of swiping a magstripe based card. As in, it works with all the legacy "card swipe" terminals. Samsung phones up to like the S20(?) supported this, allowing them to technically work basically everywhere with no integration needed.

They did but that’s a bit different as while it’s not your real card number it’s not a tokenized payment in the background. It’s still just a PAN and security code.

Depends on country, and how contactless cards being the norm in many places meant there was less push among people for payment with phones, compared to USA where it seems it no modern bits for card payments happened between introduction of magnetic strip and phone-based EMV2 NFC payments.

I remember changing card ~2012, in Poland, because my ancient Visa Electron with magstripe-only was confusing to new cashiers who thought lack of chip meant it's contactless. Around that time phone-based "cards" were also widely promoted though the tech wasn't exactly ready yet so you needed cooperation between banks and telcos to provide secure element.

I had the same experience as you on a trip to the Netherlands. Ironically, the only place where it didn't work was the Apple store in Amsterdam. I don't know if that was an actual technical limitation, or they were aware that it was not yet available in the Netherlands and so didn't even let me try with my phone and its US credit card.

I had a similar experience traveling in Europe! More than one merchant thought I had “hacked” them initially.

I haven't been able to find a detailed explanation of how it works. Somehow it emits a magnetic pulse that simulates the card being swiped, without having to physically swipe the card. Best guess is that it uses some kind of magnetic induction to induce a current in the reader the same way that a swipe would.

I never had a Samsung phone so I can't comment on how it worked in practice or the reliability. Can't find any mention of having to hold your phone a particular way so presumably it's direction-independent, although apparently sometimes it might not be possible to hold your phone close enough for the reader to pick it up.

https://en.wikipedia.org/wiki/Magnetic_secure_transmission

The difference is that you can be reasonably sure that an email will be delivered to the user's address that they specified, and there is a common understanding that sharing your email credentials will result in immediate financial loss. The communication is out-of-band, as SMTP is not an authentication protocol, so the user must perform some affirmative action (such as clicking a link in the email) to authenticate the request.

With SSO, the claim that a user is authentic lies completely with the provider. If there is a bug in the implementation, a user could be authenticated when they should not be, and the actual account owner may never even be notified that such an authentication occurred.

like deduct that amount from an offline transaction balance, replenishing that balance the next time it gets to talk to the issuer during a chip-dipped payment (assuming the card is still in good standing)

That deserves its own article. Where/why in the world would you need that!?

I believe there is a button you can press to have the number changed.

That's for the Apple Card's virtual card number, which is just a regular old PAN. There is no such button for the DPAN, to my knowledge.

Credit theft affects the banks and merchants. They are out of the money not me. Its for their benefit. I just suffer the inconvenience of getting a new card.

Never once had that in my life.

They can but they generally won’t. Use of the chip on the card shifts fraud liability from merchant to issuer. Burner card numbers are for card not present transactions.

I have never convinced a cashier to use digits provided by me or off my phone screen. That is fundamentally different from getting them to manually enter a card.

But I understand you’re making irrelevant bad faith comments, because you’re too weak to admit that you were wrong about something unimportant.

kibwen, learn to take an L.

Sketchiness aside, the fee a merchant pays is different based on the capture method to incentivize using more secure methods. The bank, payment processor, and the merchant know how a PAN was processed.

Yes, Apple Pay supports them, and they're ephemeral and easily recreated, and semi-anonymous

…so what I said, yes.

but Apple Pay over here absolutely still supports "regular" cards here

But you don't have to use em.

Strange interaction here: you can refill Suica with a foreign credit card, there is no transaction fee for it, and it means you can turn anything you can purchase via IC card into 5x travel spending with the right card.

I guess it could vary by location. My local Walmart is the only place I go to regularly where I have to insert my card instead of tapping.

No, the readers they install actually have NFC in them, believe it or not. So even the hardware in the POS at the store supports it

You'll get every time the same card number, with said card being specific to the device. So they will be able to track that the same buyer is doing the purchase, which is what most POS-based analytics are interested in.

Way more important is the (sometimes filtered) dump of everything on your bill that is passed on to various corporations (Nielsen, sometimes direct to suppliers), and how in-store analytics then build data at neighbourhood or per-store level.

Store analytics need not know that specifically "WirelessGigabit" bought something, store analytics is more interested in "we have repeated customers with such and such spending and purchases" and "in this zip code we have this kind of population with associated types of buyers" and "This is how much people are buying certain products and when, so that suppliers can plan campaigns and production"