I think that Apple is full of **** concerning the whole no signature thing. When it comes to having to type in your pin or sign for something, I believe that stores and credit card companies set those requirements.

Correct, it's up to merchants, credit card schemes and banks.

However, note that Apple itself has never claimed that TouchId got rid of current signature / PIN requirements.

That idea was made up by people who do not understand the way US credit / debit card purchases currently work.

Sure, Apple's videos never showed it happening, because that would make Apple Pay seem less magical. But they weren't lying... they simply chose situations where a challenge wouldn't occur. Apple marketing always tells a verifiable truth. They just avoid showing the less magical cases.
 
My previous comment may have been an oversimplification. Apple Pay supports "on device CVM", which means the phone/watch authenticated the cardholder.
True. But has ODCV been deployed anywhere yet on the POS side?
If the terminal knows to look for that in the data that AP sends, then signature/PIN is waived altogether.
We'll have to wait and see. From what I hear, it seems that processors may someday accept ODCV as a replacement for signature, but not necessarily for online PIN transactions (I doubt, for example, that you will be able to use it to get cash back or use an ATM).
 
what stores?

Never heard of half of the stores listed... Hopefully they keep adding more well known stores. But I don't know if I trust Apple Pay with my credit card information...
 
I used it at my grocery store today (not on the official list of merchants, btw), although it asked for my signature. I will email the manager today and tell them their system needs tweaking. It undermines the security aspect of ApplePay to ask me to leave my signature behind. From now on, I'm just going to scribble when that happens instead of using my real signature. It's not like they ask to see/compare my signature at the store anymore so they really don't need to collect it. It's more if I dispute the charge with them later. But I'd like the store to not make me stop and do it when it isn't necessary.

Apple doesn't have your credit information, it's just a conduit between you and the credit card company. When you register a card between your iPhone and the credit card issuer, it gets assigned a code that gets stored on your iPhone. That's why you need to have a version 6 because it's a special hardware feature that stores the codes. The merchants also don't get your actual credit card info so no one working there can use your info criminally. I especially like that for cabs and I used it in a bunch of cabs in Chicago recently.
 
1. To the merchant, the signature IS necessary, precisely for the reason you gave of you possibly disputing the charge. The first thing the CC bank will want, is for the merchant to pull up a signature.

2. I scribble too, so that's okay. Just don't sign some bogus name like "Michelle Obama", because a judge isn't going to think that's funny.

3. Apple Pay is no proof that it's your card being used. Witness the millions of dollars reportedly lost to Apple Pay transactions using stolen CC cards.

4. TouchID especially is no proof that the real cardholder registered the fingerprint (or passcode) that unlocked the Apple Pay app.

The merchant is taking the risk that your Apple Pay transaction is not bogus. You have to give something in return. In other countries, that's a PIN. Here, it's a scribble. For now, anyway.
 
Can you link to info about "millions of dollars being lost through Apple Pay"? I've never heard that. I guess you are saying criminals have stolen credit cards and are putting them in their iPhones and using them. Why aren't people cancelling their stolen/lost credit cards? And since when does a merchant actually go through the trouble of contacting a person to do a signature check after the fact? The dispute is simply registered with the credit card issuer and they just absorb the loss. I don't think most credit card companies do anything past that. I know when someone used my credit card the usual way I offered BofA information to try to catch the person and they couldn't care less. The only useful thing about a signature for a merchant is comparing it at point of purchase with a physical signed card and that has nothing to do with ApplePay. So it shouldn't be included in the process. ApplePay is to protect ME from a bad employee at the merchant. Not to protect the merchant, other than if I don't have my cards with me I won't lose them or have them stolen. Criminals are always going to be a problem for merchants no matter what ApplePay does.

http://www.imore.com/unable-target-apple-pay-criminals-unsurprisingly-stick-fraud-identity-theft

EXCERPT:

What's more, Apple does a lot to help banks avoid approving illegitimate cards. Apple securely transmits encrypted iTunes account information from the iPhone to the bank. That includes the device name, phone number, last four digits of the card, etc.

Using that information, banks can determine whether or not they'll authorize the card for Apple Pay. Banks can also choose to require a text message, email, customer service call, etc. before authorizing. All of this is publicly detailed in Apple's iOS Security Guide.

http://www.theverge.com/2015/3/4/8149663/apple-pay-credit-card-fraud-banks

EXCERPT:

In a statement, Apple essentially says the onus is on the issuing banks to approve every card before it can be added to Apple Pay. "Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank," an Apple spokesperson said. Banks have begun making changes and tightening up their provisioning protocols for Apple Pay, according to sources familiar with the situation. Apple Pay currently supports over 100 banks and credit unions across the US.

But according to multiple sources, while fraud has increased on Apple Pay, the incidents of fraud have been somewhat isolated (Abraham points to organized crime rings around Miami and Dallas as the main culprits) and haven’t reached every Apple Pay banking partner. I spoke with a few banks who said they haven’t seen any fraud issues related to Apple Pay, including PNC, who stated "this has not been an issue for PNC, and we are confident in the anti-fraud practices currently in place."
 
Can you link to info about "millions of dollars being lost through Apple Pay"? I've never heard that.

Where have you been? :) Okay, for example, a WSJ article here.

I guess you are saying criminals have stolen credit cards and are putting them in their iPhones and using them.

Yes. Apple and the banks did not implement good enough registration checking protocols, so criminals took advantage. Ironically, most of the bogus purchases have been made at Apple Stores.

And since when does a merchant actually go through the trouble of contacting a person to do a signature check after the fact?

You're missing the point. Pulling up a stored signature is a required action for a merchant to pass liability up the chain. The fact that it's rarely needed, so most don't take checking it seriously, is neither here nor there.

The only useful thing about a signature is comparing it at point of purchase with a physical card and that has nothing to do with ApplePay.

Yep, we all agree that checking a signature is virtually meaningless. I would note that TouchID is no proof of user identity either, since the fingerprint was not registered at a bank.

Most countries use PINs, which are also not totally reliable since they can be stolen, but they've been pretty reliable.

So much so, that when hacked POS terminals were used to steal PINs in Europe, banks refused to believe the hacked users for a very long time. In some countries, laws had to be passed so that the burned customers could finally get their money back.
 
TouchID IS an adequate means of identifying the cardholder if the banks took the time to verify that the person who registered the card was actually the person who owns the card. The TouchID is linked to the owner of the AppleID the banks are given to help them identify who is registering the card, therefore, the TouchID IS me and IS my signature. It's just a different kind of signature like a digital signature is to a secure PDF on important documents or the digital signature on the SSH certificate on a secure website.
 
And how are they supposed to link the Apple ID to the identity of the bank customer? Anybody can easily create new Apple IDs under whatever name they want.
 
Touch ID is not linked to the owner of the Apple ID. It's linked to whomever had access to that phone and its passcode, so they could register a print. It does not prove the identity of whose finger it was.

The only way that Touch ID could positively prove that it was the cardholder's finger that unlocked Pay, would be for the cardholder to previously visit a bank and submit a fingerprint in person, verified by photo ids etc, and then have that print info securely stored into the phone. Of course, that makes it much more difficult to change, but that's the whole point.

That said, it would not be surprising if banks... ever hungry for making purchases easier to make... sooner or later loosened the rules even more and allowed current day onboard verification such as Touch ID, unverifiable as it is.
 
That exists, as mentioned further up in the thread (on-device customer verification, sometimes called mPIN). The banks are well aware that the current versions are not as secure as online verification; it is intended to be used as an alternative verification form with a security level somewhere between signature and online PIN.
 