Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

The Real Reason Some Merchants Are Blocking Apple Pay… for Now

Over the past few days, news emerged that some retailers, most notably Rite Aid, CVS, and Best Buy, started actively blocking Apple Pay at their cash registers, even though the hardware and software actually supported it. This didn’t just block Apple Pay, but also all other near-field communication (NFC) payments systems, such as Google Wallet. The point-of-sale (POS) terminals — that’s the technical name for credit card–capable cash registers — fully support all NFC payment options that meet industry standards, so to block Apple Pay the retailers had to completely disable NFC, in either hardware or software.

It rapidly emerged that these retailers are all members of the Merchant Customer Exchange (MCX), which backs a competing mobile payments system known as CurrentC, which doesn’t use NFC. CurrentC isn’t available yet, and it won’t be released until next year.

As someone who has followed the payments industry and its tension with merchants for years, I’m not surprised. It’s a fight the retailers will lose in the long run, and their short-term goals have nearly nothing to do with Apple, and everything to do with years of mistreatment (real or perceived) by the credit card brands.

Customers are merely an afterthought in this battle, as they are being pushed toward using a system that is less convenient than either cash or credit card, never mind Apple Pay or Google Wallet. Worse, the companies doing the pushing are the same ones who have suffered massive security failures over the past few years. And now they want direct access to our bank accounts.

A Dish Best Served Cold -- Credit cards may be a convenience for consumers (though arguably one that keeps us spending beyond our means in a state of perpetual debt), but they are often a bane for retailers. Card-issuing banks and the card brands themselves charge a percentage on every transaction, which can sometimes exceed 5 percent. Even with more standard costs closer to 2–3 percent, keep in mind that retail margins are extremely low, so accepting credit card payments makes earning a profit all the more difficult for retailers. This interchange fee has never declined, and has even sparked lawsuits. The fee covers transaction and risk costs, but some of it also goes to fund reward programs.

Aside from the interchange fee, the card brands also enforce a set of security requirements known as the Payment Card Industry (PCI) Data Security Standard. PCI pushes liability back onto retailers and processors, who can be fined for not meeting the security requirements or for suffering a breach.

That level of accountability might be viewed as beneficial, except that when a company is breached, even if it has previously passed its PCI assessments, it is always found retroactively non-compliant. The council that manages the PCI program has said, on the record, that no PCI-compliant organization has ever been breached. Yet nearly every breach you read about these days was of an organization that passed its PCI assessment.

It’s a bit of a racket, and one that’s well known in the security industry. Plus, when there is credit card fraud, those costs are often pushed back to the merchants, depending on the origin.

As a result, you can see how the retailers would be unhappy. They feel that they’re paying excessive fees without seeing significant benefits, they were required to increase their security spending dramatically in recent years, and they’re hung out to dry if (or when) something goes wrong.

Not that retailers are completely innocent. Credit cards outside of the United States generally use secure payment systems, which are just beginning to roll out here. One major reason for the delay, according to my industry sources, is direct pushback from retailers unwilling to pay for the hardware upgrades.

And despite the high-profile security breaches that seem to happen every few weeks, many merchants continue to turn a blind eye to security risks (based on my direct experience). While I empathize with the difficulties of protecting a weak transaction system in the first place, quite a few executives willfully ignore security and fail to support even basic precautions that will still be required by more modern systems.

It’s no exaggeration to say that most merchants hate the credit card brands and the banks that support them, but consumer demand forces them to accept credit cards anyway. Retailers have been looking for a way out for decades.

Rock, Meet Hard Place -- One problem merchants have is that they lack good alternatives to credit cards. They can’t get a foothold on mobile devices since they don’t have relationships with manufacturers, and the wireless carriers would likely block them to support their own mobile payment systems (as many did with Google Wallet).

Merchants do issue their own credit cards, but that isn’t a cross-merchant solution and most customers will have only so many cards at one time.

They can accept debit cards, but that system is full of risks to consumers since accounts don’t have the same protection, and despite years of support, adoption is still low.

Really, the only option available to retailers, as they see it, is to build their own app and payments system, which is precisely what they’re doing.

Enter CurrentC -- When you get down to it, CurrentC is a bit of a hack. Here’s how it works. You as a shopper download the app, sign up for the service, and connect the service directly to your bank account. When you want to make a payment at a participating retailer, the POS terminal displays a QR code that you scan with your phone. That act generates the tokens and payment transaction details (see my Macworld article on Apple Pay to understand the role of payment tokens). The cloud service then reconciles the transaction and transfers the funds from your account.

CurrentC provides two advantages to the merchants. They completely avoid the credit card system, and they’re able to track transactions and tie them directly to loyalty programs or marketing initiatives. But it faces three huge hurdles: security, usability, and consumer risk.

I don’t have enough details to evaluate the CurrentC system fully from a security perspective, but it could be relatively secure at the technical level. I do worry about CurrentC on Android phones, which have proven susceptible to malware.

In general, NFC can be more secure that CurrentC’s app-based approach since there are ways to design the hardware that largely circumvent the operating system when making transactions. Without hardware security support, I don’t see any way CurrentC can be as secure as Apple Pay or some other NFC systems. And some of the retailers behind CurrentC don’t have the best security reputations.

Worse, usability of CurrentC is a mess, thanks to the need to pull out your phone, open an app, and scan a QR code. It takes more effort than using cash or a credit card. The primary reason I predict Apple Pay will succeed is because it’s easier to use than nearly any alternate payment option.

The final elephant in the room is consumer risk. In the United States, we have zero liability when using credit cards. Fraud is covered by the banks and merchants. In contrast, CurrentC requires direct access to your bank account, which doesn’t have anything close to the fraud protections offered by credit cards. That’s why I never use my PIN-based ATM card for debit transactions, even when it’s supported. If something bad happens, I am far more likely to be on the hook for fraud if someone steals my card number and PIN.

MCX will have to cover this risk if CurrentC is to have any chance of success. Without such guarantees against fraudulent usage, you would be foolish to use the system.

Wrong Motivations -- By refusing to use Apple Pay and focusing on CurrentC, merchants are acting more out of a sense of revenge, with a nod toward profits, than in the interests of their customers. (Were CurrentC to be wildly successful and kill off credit cards entirely, I’d be shocked to see merchants pass the savings on to customers by lowering all prices by 2–3 percent.)

CurrentC may be more secure than current magnetic-swipe credit cards, but it’s less usable and less secure than Apple Pay. There really aren’t many benefits to customers, unless merchants force everyone to use CurrentC instead of existing loyalty cards.

It’s also hard to build consumer trust when we see near-weekly reports of massive merchant credit card breaches in the headlines. Unfair or not, these losses make us much less trusting of a merchant system with direct access to our bank accounts.

The merchants aren’t primarily dismissing Apple, they’re taking on the entire credit card system. Their main chance of success would be to partner with Apple and Google directly, but it’s hard to see that happening any time soon — Apple isn’t about to hamstring its new product by angering its partners. Consumers like credit cards, for better or worse. CurrentC isn’t even close to what would be necessary to take down such an entrenched system.

Merchants aren’t blocking Apple Pay to collect data on us. They aren’t doing it to spite Apple, or to pressure Apple into giving them a split of the profits. While those might be factors, the real reason is a deep-seated, and possibly well-deserved, hatred of credit cards.

Unfortunately, none of this has anything to do with improving the customer experience. That’s why it’s hard to see these retailers sticking to their guns in the long run, and I anticipate that I’ll eventually be able to use Apple Pay in their stores.

 

Make friends and influence people by sponsoring TidBITS!
Put your company and products in front of tens of thousands of
savvy, committed Apple users who actually buy stuff.
More information: <http://tidbits.com/advertising.html>
 

Comments about The Real Reason Some Merchants Are Blocking Apple Pay… for Now
(Comments are closed.)

Scott Rose  2014-10-27 12:27
The real answer for merchants is Bitcoin. 0% fees.
David Weintraub  2014-10-27 15:24
Bitcoins has no fees? Every time you use Bitcoins, there's a "fee". There's a fee for using it at merchants who take Bitcoins (because they turn those Bitcoins immediately into dollars). There are fees when you convert Bitcoins from dollars and back. And, if Bitcoin does become popular, there will be a fee for processing that transaction (unless you want to wait for an hour for the transaction to clear).
Please. bitcoin is for frigtards and wankers. it is never going to be a payment system. at best, it's a speculative commodity.
I agree completely Scott. It's already designed for security. People who think there are fees don't understand it enough yet. Those that seem to think it will never be a payment system must obviously be from the finance industry who stand to lose the most when it finally comes to fruition. Funny (I have never seen that commenter before around here. How do the trolls find places like this?)
jehrler  2014-10-27 13:56
I think the legislative limit on liability is $50 though most banks/card issuers on their own bring it down to $0.
David Weintraub  2014-10-27 15:30
Most credit card fraud is limited. The banks are quick at catching it in the act. My son had his wallet stolen, and two minutes later got a fraud warning because the thief tried to buy train tickets. Interestingly, my son also buys tickets, but the thief tried to buy a whole bunch at once. That transaction never went through. The entire fraud was about $13 in the first ticket the thief bought. Even the massive breaches are limited in their score. Most of the credit cards are canceled as soon as the fraud is discovered. And, the banks usually discover it much quicker than the stores. Imagine a Target sized breach with direct bank account data. The thieves would quickly drain the accounts, and the stores could be liable for billions of dollars. Add treble damages, and even mighty Walmart would have to declare bankruptcy.
One thing that I keep missing in these articles is that CurrentC is tied to a bank account. Which means no credit. If you don't have the cash, you can't buy anything. Which makes this system even more bizarre to me. They will lose all the credit sales.
Unless I'm missing something, this just makes no sense at all, short run or long run.
Seth Anderson  An apple icon for a TidBITS Contributor 2014-10-28 08:33
Agreed! If a consumer wants to purchase something, and doesn’t have the immediate cash to purchase it in their banking account, what are the CurrentC merchants planning on doing? Using the old insecure stripe card? Opening a lay-away account? or just losing the sale? Seems not that well thought out.
Adam Engst  An apple icon for a TidBITS Staffer 2014-10-28 08:43
A good point. I don't know what percentage of sales are made on credit, but presumably the merchants are willing to forgo some of those.
Michael  2014-10-28 12:56
It can also be tied to the store's credit card, so you can buy on credit (e.g., you'd use a BestBuy credit card at BestBuy). So this is a way for the retailer to collect the credit interest directly...
jehrler  2014-10-31 10:47
It's even worse than that. Unlike a standard debit card an ACH is delayed so when you make a purchase and start an ACH on its way it won't be reflected in your checking balance for a business day or two. The next day (or couple of days if a weekend) you look at your account and all is good so you make another purchase.

Before the second ACH hits, the first one is pulled leaving you with not enough funds to cover your second purchase.

Unlike a debit card where the second purchase would simply be declined at no cost to you (unless you opted in to a overdraft plan with its fees), now you get to have fun with NSF fees to both your bank/credit union and CurrentC. Oh joy, back to remembering writing checks and balancing registers!
Michael Schmitt  2014-10-28 10:00
It sounds like the PCI council is using the No True Scotsman argument.
Michael  2014-10-28 12:31
One of the big omissions that all these articles have is that they comment on credit card fees, as if other forms of payment are free to the merchant. Cash costs money to process... every see an armored truck pull up at a store to pick up the receipts? There are some (old) studies that say that cash is more expensive for merchants than credit cards.

Just my 2 cents
Josh Centers  An apple icon for a TidBITS Staffer 2014-10-28 13:18
You may be right. I'm sure it costs them more in liability. Regardless, they want to eliminate every transaction cost. The thing to bear in mind is that retail is a low-margin, high-volume business. These companies are driven to cut costs anywhere they can.
not all retail. Maybe grocery stores and walmart. But there's plenty of retailers with much higher margins. this thing (currentc) is dead in the water before it's even out of the gate.
Adam Engst  An apple icon for a TidBITS Staffer 2014-10-28 15:49
How does that jive with the fact that many gas stations charge 5-8 cents per gallon less for cash payments? If cash were just as expensive to process, they'd have no reason to charge different prices.
Duane Williams  2014-11-18 18:16
Virtually every business accepts credit cards. How is the cost not already built into the price of goods?
Just speculating, but I'd say most "cash" transactions at gas stations are direct debits, not physical bills.
jehrler  2014-10-31 10:50
Not only is there the cost of armored cars, but there is also shrinkage in the till plus the registers have to be counted at the end of the shift (usually twice, once by cashier and once by manager).
jehrler  2014-10-31 11:05
My guess, though I don't know, is that gas stations generally have a high average $ transaction for gasoline.

Counting 3 $20 bills takes no more time than counting 3 $1 bills. So saving $1.20 in fees compared to 6 cents is a big differentiator.

edited to add: Also, people tend to buy gasoline in round increments and/or prepay in round increments so making change and counting coins is less of an issue than at, say, McDonalds.

p.s. not to be too pedantic Adam, but it is jibe not jive.
William Rausch  2014-11-05 15:50
I think it might be that the credit card service charge jumps out as a ine item but the cash "service charge" is buried in the normal overhead of business.
What support, if any, does Apple Pay offer for loyalty, affinity and reward systems? What & who is moving to bring such programs into Apple Pay?
I use my credit card for several reasons:
* get miles for every dollar, which really add up and keep that account from going dormant due to insufficient activity
* get monthly record of all purchases, which makes tracking of various expenses easy
* cash management is only an issue once a month, not daily or with every transaction
Josh Centers  An apple icon for a TidBITS Staffer 2014-10-28 13:16
None yet, but Apple is reportedly working on rushing out support for that.

As far as credit card rewards, you should be getting those just as if you had swiped the card itself.
If Apple Pay isn't supporting this yet, then why are you saying credit card rewards should arrive the same way as if the card were swiped? Are you talking prospectively?
Josh Centers  An apple icon for a TidBITS Staffer 2014-10-28 13:32
Sorry, let me clarify.

Apple Pay doesn't yet support store rewards, like Walgreens Balance Rewards — you still have to use Passbook for that.

But credit card rewards, like cashback and frequent flyer points, should still be accumulated.
As Josh mentions, Apple does not support store reward cards.

However, they do support credit card reward programs. Any transaction that is done using Apple Pay is no different than if you had swiped your credit card. i.e. Apple Pay currently supports all of your reasons for using credit cards.

You will get the miles from your mileage reward credit card. You will get monthly records of all of your purchases via your credit card statement (you can also see your Apple Pay purchases on your phone). Cash management also doesn't change ... you still get your monthly bill and still pay it the same way.

This new "CurrentC" thing avoids credit cards and takes the money directly out of your bank account. No credit card rewards. No monthly statements. Money is withdrawn instantly, so no credit.

I would never use this system for so many reasons, and one of them is that I also like the rewards I get from my credit cards.
jehrler  2014-10-31 11:27
As I mentioned above, CurrentC does not actually take the money out instantly like a debit card. It goes via ACH which is much like paper checks with a one to two business day turnaround.

This makes cash management much more complicated for the consumer and increases the risk of incurring NSF fees to CurrentC, your bank/credit union, third parties.

Yuck.
Chris Campbell  2014-10-28 13:26
Can the MCX merchants get together and create their own "credit card company" that doesn't impose the fees they loathe? Then the only fees they have to deal with are the fees from their credit card processing company. But they could start one of those as well. Issue accounts to their customers, and customers could use it with Apple Pay or swipe a physical card or whatever. (Or don't issue physical cards and ONLY use a digital solution.)

I know there are a number of smaller credit/debit card networks out there that aren't universally accepted. MCX could form something similar, but accept it at their locations.
adoption would be nil. I expect blowback against them about this regardless. I know for one, I am going to boycott walmart, cvs, rite aid, and bestbuy - not that I go there much anyway, but now won't just out of principle.
In terms of security, how does Google Wallet compare to Apple Pay?

I have been reading a lot of bitter comments that GW was first and best, but now that Apple has "copied" it, NFC is suddenly getting attention.

Why couldn't Google make a serious dent in the payment market?
Dennis B. Swaney  2014-10-28 22:43
Because of Google's poor reputation?
Don Whiteside  2014-10-29 15:27
Because Android phones did not necessarily have to include the needed NFC components to enable Google Wallet. A tremendous number of the Android devices in use are low-cost items that don't implement anything that would cost more, including NFC. Apple can make the blanket statement that if you have an Iphone 6/6P you can use Apple Pay. Google could not make that sort of push.
Steven Fisher  2014-10-31 16:16
Right now? I believe that Google's implementation of NFC payments doesn't currently use the same combination of Device Authorization Numbers and one time tokens. That means stores get your credit card number (or possibly an equivalent, equally traceable), which won't prevent something like Target, Home Depot, KFC or any of hundreds of smaller examples.

However, I believe that's a new part of the standard, so presumably they'll use it in the future. The security of their path through that would have to be evaluated separately from Apple Pay, of course.

tl;dr: Google's security model is full of compromises right now that were previously considered reasonable, but we're realizing aren't. They'll update it, and we'll have to figure out what they've done and how secure it is then.
Villager12  2014-10-29 00:02
Most informative article I've read on this fun brouhaha. Interesting point about my treasured credit card rewards. The merchants pay the painful fees to the card companies who then simply recycle a lot of the fees back to me, making the credit card company a hero in my eyes. Ouch. Helps me appreciate the "hate" they have for the card companies. Do I care...no. But eye-opening nonetheless. I think CurrentC will fail due to it's fundamental customer-unfriendliness. With elegant payment solutions like ApplePay raising the bar, what retail CEO will really want to hitch his company's brand cart to the the customer-spiteful MCX horse?
Dennis B. Swaney  2014-10-28 22:50
Ditto what Adam said above. It's interesting that all these merchants who hate the CC/Debit fees don't offer discounts for cash like a lot of fueling stations do. But I guess they are just too greedy.
Tim H.  2014-10-29 07:02
I see it as complacence, if a retailer thinks the customer will always come back, why not inconvenience them? It might also be an attempt to leverage a better deal from credit card issuers.
Adam Engst  An apple icon for a TidBITS Staffer 2014-10-29 09:02
iMore has discovered that the CurrentC app is doing a number of things that don't seem particularly user-friendly:

http://www.imore.com/whose-interest-currentc-really-serving
Josh Centers  An apple icon for a TidBITS Staffer 2014-10-29 11:49
And CurrentC has already been hacked.

http://www.businessinsider.com/currentc-hacked-2014-10
There is coverage that CurrentC builds a history of a customer's purchases. How is this different than my credit card company right now? I guess I always assumed Visa/MC were tracking me and letting anyone that paid enough know my prefs. TIA.
jehrler  2014-10-31 11:21
One difference is that your credit card company knows that you bought something at CVS. They don't know that what you bought was two tubes of toothpaste, a pack of gum and a pregnancy test. CurrentC, being tied into the merchant, *could* share that data with the other merchant members.

It is a bit unclear how much detail on the consumer's purchase CurrentC will share among the merchants.

Even if they don't share *exactly* what you bought, they could offer a profile of you to the other merchants that says you are likely to be attracted to coupons for Colgate toothpaste, Wrigley's gum and Huggies.
abetancort  2014-11-03 00:57
CurrentC will be also be Credit Provider too, it's a lucrative business and they won't dismiss that line of business. They won't charge you like a debit card but like a revolving credit card, that's at the end of the month and probably to lure you in they'll revolving period will be longer in the real of 60 days (tha would average to 30 days) instead of the usual 30 days ( tha average out to 15 days). You would receive and end of the period statement with your purchases.

They don't aim to be monopolistic but to grab a significant marketshare that give them leverage to negoti with credi card companies and issuers.

They want to cut apple out because it's steping on their turf, it' sa new player and the don't want more players or middleman between them and the customer.
Maynard Handley  2014-11-03 14:44
"I don’t have enough details to evaluate the CurrentC system fully from a security perspective, but it could be relatively secure at the technical level."

This seems to miss the point. The big worry with CurrentC is not that someone's going to intercept your QR codes as they are being scanned, it is that, as far as I can tell, the ONLY way the system can work is for the merchants to know (ie store on a computer) your bank account along with how to directly siphon dollars out of it.

These are the same merchants that have repeatedly demonstrated that they do not know how to secure data on the internet. The cavalier way with which they have not addressed this issue since then (for example, in theory they could hire a trusted agency to store the bank account info, and only communicate with it via one-time tokens --- but they don't) suggests that there is a serious disaster her just waiting to happen...