This article originally appeared in TidBITS on 2014-10-26 at 4:32 p.m.
The permanent URL for this article is: http://tidbits.com/article/15192

The Real Reason Some Merchants Are Blocking Apple Pay… for Now

by Rich Mogull

Over the past few days, news emerged that some retailers, most notably Rite Aid, CVS, and Best Buy, started actively blocking Apple Pay at their cash registers [1], even though the hardware and software actually supported it. This didn’t just block Apple Pay, but also all other near-field communication (NFC) payments systems, such as Google Wallet. The point-of-sale (POS) terminals — that’s the technical name for credit card–capable cash registers — fully support all NFC payment options that meet industry standards, so to block Apple Pay the retailers had to completely disable NFC, in either hardware or software.

It rapidly emerged that these retailers are all members of the Merchant Customer Exchange [2] (MCX), which backs a competing mobile payments system known as CurrentC [3], which doesn’t use NFC. CurrentC isn’t available yet, and it won’t be released until next year.

As someone who has followed the payments industry and its tension with merchants for years, I’m not surprised. It’s a fight the retailers will lose in the long run, and their short-term goals have nearly nothing to do with Apple, and everything to do with years of mistreatment (real or perceived) by the credit card brands.

Customers are merely an afterthought in this battle, as they are being pushed toward using a system that is less convenient than either cash or credit card, never mind Apple Pay or Google Wallet. Worse, the companies doing the pushing are the same ones who have suffered massive security failures over the past few years. And now they want direct access to our bank accounts.

A Dish Best Served Cold -- Credit cards may be a convenience for consumers (though arguably one that keeps us spending beyond our means in a state of perpetual debt), but they are often a bane for retailers. Card-issuing banks and the card brands themselves charge a percentage on every transaction, which can sometimes exceed 5 percent. Even with more standard costs closer to 2–3 percent, keep in mind that retail margins are extremely low, so accepting credit card payments makes earning a profit all the more difficult for retailers. This interchange fee has never declined, and has even sparked lawsuits. The fee covers transaction and risk costs, but some of it also goes to fund reward programs.

Aside from the interchange fee, the card brands also enforce a set of security requirements known as the Payment Card Industry (PCI) Data Security Standard. PCI pushes liability back onto retailers and processors, who can be fined for not meeting the security requirements or for suffering a breach.

That level of accountability might be viewed as beneficial, except that when a company is breached, even if it has previously passed its PCI assessments, it is always found retroactively non-compliant. The council that manages the PCI program has said, on the record, that no PCI-compliant organization has ever been breached. Yet nearly every breach you read about these days was of an organization that passed its PCI assessment.

It’s a bit of a racket, and one that’s well known in the security industry. Plus, when there is credit card fraud, those costs are often pushed back to the merchants, depending on the origin.

As a result, you can see how the retailers would be unhappy. They feel that they’re paying excessive fees without seeing significant benefits, they were required to increase their security spending dramatically in recent years, and they’re hung out to dry if (or when) something goes wrong.

Not that retailers are completely innocent. Credit cards outside of the United States generally use secure payment systems, which are just beginning to roll out here. One major reason for the delay, according to my industry sources, is direct pushback from retailers unwilling to pay for the hardware upgrades.

And despite the high-profile security breaches that seem to happen every few weeks, many merchants continue to turn a blind eye to security risks (based on my direct experience). While I empathize with the difficulties of protecting a weak transaction system in the first place, quite a few executives willfully ignore security and fail to support even basic precautions that will still be required by more modern systems.

It’s no exaggeration to say that most merchants hate the credit card brands and the banks that support them, but consumer demand forces them to accept credit cards anyway. Retailers have been looking for a way out for decades.

Rock, Meet Hard Place -- One problem merchants have is that they lack good alternatives to credit cards. They can’t get a foothold on mobile devices since they don’t have relationships with manufacturers, and the wireless carriers would likely block them to support their own mobile payment systems (as many did with Google Wallet).

Merchants do issue their own credit cards, but that isn’t a cross-merchant solution and most customers will have only so many cards at one time.

They can accept debit cards, but that system is full of risks to consumers since accounts don’t have the same protection, and despite years of support, adoption is still low.

Really, the only option available to retailers, as they see it, is to build their own app and payments system, which is precisely what they’re doing.

Enter CurrentC -- When you get down to it, CurrentC is a bit of a hack. Here’s how it works. You as a shopper download the app, sign up for the service, and connect the service directly to your bank account. When you want to make a payment at a participating retailer, the POS terminal displays a QR code that you scan with your phone. That act generates the tokens and payment transaction details (see my Macworld article on Apple Pay [4] to understand the role of payment tokens). The cloud service then reconciles the transaction and transfers the funds from your account.

CurrentC provides two advantages to the merchants. They completely avoid the credit card system, and they’re able to track transactions and tie them directly to loyalty programs or marketing initiatives. But it faces three huge hurdles: security, usability, and consumer risk.

I don’t have enough details to evaluate the CurrentC system fully from a security perspective, but it could be relatively secure at the technical level. I do worry about CurrentC on Android phones, which have proven susceptible to malware.

In general, NFC can be more secure than CurrentC’s app-based approach since there are ways to design the hardware that largely circumvent the operating system when making transactions. Without hardware security support, I don’t see any way CurrentC can be as secure as Apple Pay or some other NFC systems. And some of the retailers behind CurrentC don’t have the best security reputations.

Worse, the usability of CurrentC is a mess, thanks to the need to pull out your phone, open an app, and scan a QR code. It takes more effort than using cash or a credit card. The primary reason I predict Apple Pay will succeed is that it’s easier to use than nearly any alternate payment option.

The final elephant in the room is consumer risk. In the United States, we have zero liability when using credit cards. Fraud is covered by the banks and merchants. In contrast, CurrentC requires direct access to your bank account, which doesn’t have anything close to the fraud protections offered by credit cards. That’s why I never use my PIN-based ATM card for debit transactions, even when it’s supported. If something bad happens, I am far more likely to be on the hook for fraud if someone steals my card number and PIN.

MCX will have to cover this risk if CurrentC is to have any chance of success. Without such guarantees against fraudulent usage, you would be foolish to use the system.

Wrong Motivations -- By refusing to use Apple Pay and focusing on CurrentC, merchants are acting more out of a sense of revenge, with a nod toward profits, than in the interests of their customers. (Were CurrentC to be wildly successful and kill off credit cards entirely, I’d be shocked to see merchants pass the savings on to customers by lowering all prices by 2–3 percent.)

CurrentC may be more secure than current magnetic-swipe credit cards, but it’s less usable and less secure than Apple Pay. There really aren’t many benefits to customers, unless merchants force everyone to use CurrentC instead of existing loyalty cards.

It’s also hard to build consumer trust when we see near-weekly reports of massive merchant credit card breaches in the headlines. Unfair or not, these losses make us much less trusting of a merchant system with direct access to our bank accounts.

The merchants aren’t primarily dismissing Apple, they’re taking on the entire credit card system. Their main chance of success would be to partner with Apple and Google directly, but it’s hard to see that happening any time soon — Apple isn’t about to hamstring its new product by angering its partners. Consumers like credit cards, for better or worse. CurrentC isn’t even close to what would be necessary to take down such an entrenched system.

Merchants aren’t blocking Apple Pay to collect data on us. They aren’t doing it to spite Apple, or to pressure Apple into giving them a split of the profits. While those might be factors, the real reason is a deep-seated, and possibly well-deserved, hatred of credit cards.

Unfortunately, none of this has anything to do with improving the customer experience. That’s why it’s hard to see these retailers sticking to their guns in the long run, and I anticipate that I’ll eventually be able to use Apple Pay in their stores.

[1]: http://mashable.com/2014/10/25/apple-pay-blocked-at-rite-aid-and-cvs-reports-say/
[2]: http://www.mcx.com/
[3]: http://currentc.com/
[4]: http://www.macworld.com/article/2607181/why-apple-pay-could-be-the-mobile-payment-system-youll-actually-use.html