Our Pledge To You

News

Why Apple Pay is the way you want to spend money

Life as an agnostic can be pretty sweet. I’m not trying to convert anybody here. I just want to point out as a result of my choice to reject formal religion while still remaining open to the possibility of a theist deity, I got to sleep in last Sunday and then on Monday, I got to feel as though maybe there was an almighty God with complete dominion over all there is and that He deeply approved of the work I was doing here on the mortal plane.

Because on Monday morning, mere hours after Apple released the iOS 8.1 update that enabled the Apple Pay feature on its new iPhones, I got a phone call from my bank telling me that it was issuing me a new card. I hadn’t become the victim of identity theft or anything; their computers noticed that I had engaged in risky behavior over the past year (i.e., “I bought stuff at Home Depot once or twice”) and they didn’t want to take any chances. The timing was so perfect that I’ve been checking the singe marks on my morning toast all week just in case it contained battery specs on the forthcoming Apple Watch.

Yes, finally, USA consumers are all-too-well-aware of how stunningly vulnerable our credit cards are. And finally, more secure methods of paying for things in stores are getting the press they deserve.

RELATED: CVS, Rite-Aid are wrong to drop Apple Pay

Out with the (insecure) old, in with the (almost bulletproof) new
The technology behind a conventional credit card has been around for more than 50 years: a number is printed on the surface of your card and anybody with eyes can read it or copy it down. The magnetic stripe on the back is no different from the numbers printed on the front. The “eyes” are just a cheap piece of hardware that skims a sequence of pulses that aren’t secured with any special tricks. There are a hundred ways to get that number without your knowledge and it’s usually the only thing a thief needs to make purchases.

The fact that I’ve completely explained the technology behind standard credit cards in about 50 words explains a lot about how vulnerable the system is. Whereas I could write 2,000 words explaining why Apple Pay transactions are secure and I’d still be skipping over lots of the engineering and criminally oversimplifying the math.

In simplest terms, when you configure a credit or debit card to work through Apple Pay on an iPhone 6 or 6 Plus (the only two iPhones that support it in brick-and-mortar stores), the phone’s Passbook app talks to your bank and creates a separate “burner” account number that’s securely associated with this one phone and with this one bank card. When you buy something at a store that accepts Apple Pay, you just bring your iPhone within a few inches of the payment terminal. Passbook opens up automatically. As soon as you verify your identity and your intent to make a purchase by giving placing a registered fingerprint on your iPhone’s TouchID sensor, the cash register tells the clerk that payment has been made and approved.

You still get a receipt and everything. Need to make a return? No problem, unless it’s a bathing suit and you’ve worn it already but we can all agree that this is a reasonable restriction.

Why this all works
Behind the scenes, your iPhone and the sales terminal have a quick and spontaneous conversation via near-field communications (NFC). This is why Apple Pay only works on the iPhone 6 and 6 Plus, and with modern terminals: Without NFC hardware, that conversation can’t take place. It’s a great technology that can’t be eavesdropped upon by a third party.

Even the store’s own computers don’t receive any data that can be used to make fraudulent purchases, so don’t worry about malware on that ancient unpatched Windows XP machine in the manager’s office. Apple Pay even works if your iPhone can’t find a connection to the Internet inside the store.

Further, if you lose your phone, Apple Pay won’t work without your fingerprint or Apple Pay PIN. And you can deauthorize it remotely. The unique keys that make Apple Pay work are destroyed forever. There’s no need to have your bank issue you a new credit or debit card, either, because your phone doesn’t carry those account numbers.

All you really need to know is that when you make payments with Apple Pay instead of a physical credit card, you’re switching from a system where anyone looking over your shoulder can charge 10 PlayStations to your account and using one in which fraudulent charges can only be made by someone with the code-breaking resources of space aliens, a Bond villain, or the government.

(Your physical credit card is still just as vulnerable as before, of course. The key to this whole thing is to never use your actual card except under duress.)

I’ve been making Apple Pay purchases with an iPhone 6 all week long and it works great. Setup was as simple as telling Passbook that I’d like to enable Apple Pay and, sure, go ahead and link the same credit card that I use with the iTunes Store. You can also register a card just by holding it up to the device’s camera. You can register multiple cards and choose to charge something to a specific account. Not all banks support Apple Pay, but Apple has already lined up most of the majors and they continue to bring more card issuers on board.

Point Of Sale terminal displaying the industry symbol for touchless payment systems.

Any checkout terminal with this oval logo on it can accept payments via an NFC-enabled phone … unless the store has disabled the feature.

Not all stores accept Apple Pay, either. Fortunately, Apple Pay is built on top of an existing industry standard for touchless payments and it can work with any point-of-sale terminal that displays the universal contactless card symbol.

I’ve been trying to use Apple Pay as much as possible this week. These contactless payment systems aren’t everywhere yet but they’re not hard to find. Some stores have intentionally disabled these features, and even at a McDonald’s (which was one of the major “shout-out by Tim Cook during the Apple Pay announcement” supporters of Apple Pay) I couldn’t get it to work.

Regardless, it’s absolutely the way you want to spend money, moving forward.

Google Wallet: Just as good, just as important
Apple’s to be praised for making secure contactless payments into a bang-the-drum feature of the new iPhones. In doing so, they’re spreading the word about contactless payments for everybody. If you have an Android phone that has an NFC chip in it, you’ve been able to make payments at any of these terminals for years without even knowing it (Google Wallet has been around since 2011).

All you need is the free Google Wallet app. Setting it up is only slightly a step or two trickier than configuring Apple Pay, but in the end you get almost the exact same experience: use your phone to safely pay for things using an existing card account.

Is it as secure as Apple Pay? Yes, within the context of a 1,500-word tech column and not a 50,000-word thesis paper on transaction security. Both Apple Pay and Google Wallet use similar schemes to secure the magical keys that make payments happen: They’re stored inside special secure chips on the phone and not in an unprotected area of system memory or storage where any other code can get at them. Validating your identity with a PIN isn’t as safe as doing it with a TouchID fingerprint, that’s for sure. But I think the overall chances of being defrauded by a Google Wallet point-of-sale transaction and an Apple Pay one are about the same.

And paying for stuff with Google Wallet on my daily-carry Nexus 5 phone wasn’t majorly different from using Apple Pay. It’s just a little bit less magical. I usually had to place the phone in contact with the terminal (thus rendering the term “contactless payment” ironic), and when additional validation was necessary, I did it with a PIN instead of TouchID.

I must also admit that although I trust Google, the answer to the question “Which company is least likely to harvest data about your habits?” is ”Apple.”

Otherwise? Touch my phone to the terminal, listen for a trill, collect my Snickers bar and Diet Dr. Pepper. Easy. And every place that accepted Apple Pay also took Google Wallet.

Screenshot of a Gmail receipt sent by Google Wallet

Google Wallet emails receipts for every transaction. Apple Pay usage isn’t as easy to follow.

There’s one aspect of Google Wallet that I prefer to Apple Pay: its electronic receipts. When a payment is made, Google Wallet generates a standard system notification on the phone, whereas Apple Pay zips me back to my iPhone home screen so fast that I was left wondering if I was free to leave with my stuff.

Wallet also maintains a log of payments within the app, and even generates an email receipt. That last one is going to come in hella-useful when it’s time to do my bookkeeping at the end of the month: I can just set up a folder in my mail client for all of them and just scroll through all of my incidental expenses. Apple Pay transactions simply appear in my credit card statement.

Even if you don’t have an iPhone 6/6 Plus or an NFC-enabled Android phone, check with your bank to see if they can issue you a new card with chip and PIN technology. It isn’t as convenient as contactless phone payments, and you’re still exposing a printed card containing your credit card number to the visible air, but terminals equipped to use chip cards are more secure than magstrip readers.

Either way, it’s long-since time for U.S. consumers to move toward safer ways to buy things in stores and restaurants. How long have folks overseas had chip and pin technology? So long that Mitchell & Webb did a sketch about it almost 10 years ago!

… But watch the sketch after you’ve set up Apple Pay or Google Wallet or called your bank about the chip card. You know how you get when you start looking at YouTube videos.