Sports Authority + Apple Pay = secure, but not convenient

Discussion in 'iPhone' started by KeepCalmPeople, Nov 4, 2014.

  1. KeepCalmPeople macrumors 65816

    Joined:
    Sep 5, 2012
    Location:
    San Francisco Bay Area, California
    #1
    I used Apple Pay for the first time at a Sports Authority here in the US. The process was:
    1) Hold phone up to the POS terminal until it says done
    2) when terminal prompts for PIN, press 'Cancel' button
    3) press the 'Info' button on the phone's screen to display the device account number of the card being used, and show it to the store clerk for verification
    4) sign on the POS terminal

    Apparently showing the store clerk the device account number is 'for my security', but the whole thing rather makes a joke of having Touch ID to authenticate my identity. And why is my signature needed too?

    When I went to McDonald's, I just held the phone over the scanner and was done.

    Based on my experience so far, contactless payment is really no different to getting out a card to pay - all the benefit is in the fraud protection for the banks (and a cut for Apple).
     
  2. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #2
    All the benefit? So you won't be inconvenienced the next time your card gets skimmed and cancelled and you have to wait a few days for the new one to arrive?

    As for signature being required, Apple support page does say they may sometimes require it, but old habits die hard and it'll be some time before merchants cease doing this (once they realize the pointlessness of it).

     
  3. calvy macrumors 65816

    Joined:
    Sep 17, 2007
    #3
    I didn't think Sports Authority was an authorized Apple Pay retailer. I used mine there though with Amex and it worked, but I did have to sign the POS terminal, which I thought was silly, being I already confirmed with my fingerprint.
     
  4. MasterRyu2011 macrumors 65816

    Joined:
    Aug 22, 2014
    #4
    This is the caveat with Apple Pay and Google Wallet. Some merchants like McDonald's work seamlessly; others may require you to perform other steps that the stores require if you want to go through with the sale. Apple Pay doesn't allow you to skip all of the other things that you would normally need to go through with a card.
     
  5. JoeTomasone macrumors 6502

    Joined:
    Aug 8, 2014
    #5
    You are signing a legal agreement to pay the card issuer, not confirming your identity.
     
  6. duaneu macrumors 6502a

    Joined:
    Jun 19, 2010
    Location:
    Bellevue, WA
    #6
    Sports Authority is listed on Apple's website as a launch partner.
     
  7. Allthings-I macrumors 6502

    Joined:
    Jul 25, 2014
    #7
    It's going to take a year or two to educate the world on NFC payments. See, NFC payments have existed for a few years now, however they were never as big as now, and the delay in catching up with the times of store employees makes you jump through hoops.

    Many stores here in Chicago, when I go shopping and if I use my credit card, require me to present the card and photo ID, so defeats using Apple Pay, but I'm sure once people become more familiar with it, those two pieces of plastic will not be necessary when using Apple Pay.

    This is the official launch of NFC payments; before this I swear I have never seen anyone use a smartphone to pay at any store whenever I was in line, and I am in Chicago....

    Now, I see people whipping out their iPhones to pay anywhere and everywhere.
     
  8. Tyler23 macrumors 603

    Joined:
    Dec 2, 2010
    Location:
    Atlanta, GA
    #8
    Sports Authority is an official Apple Pay partner.

    I used Apple Pay at Sports Authority a few weeks ago and it was really easy.

    When it was time to pay, I held my iPhone up to the terminal and used Apple Pay. The only other thing I had to do was sign the electronic pad. That was it. Took less than 10 seconds.
     
  9. KeepCalmPeople thread starter macrumors 65816

    Joined:
    Sep 5, 2012
    Location:
    San Francisco Bay Area, California
    #9
    I must admit I thought showing the clerk the device account number was/is unnecessary, and I told the clerk so. It was not her fault; she had definitely received training and knew how to show it on the phone. Apparently that is the way at least that particular store is going to proceed.
     
  10. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #10
    Actually, according to the email from American Express, you're supposed to give them the last 5 digits of the Device Account Number if a merchant asks for the last 5 digits of your card.

    From Amex's "American Express Card Added to Apple Pay" email:
     
  11. JoeTomasone macrumors 6502

    Joined:
    Aug 8, 2014
    #11
    I just made a purchase there tonight and had the exact same experience.
     
  12. Pharmscott macrumors 6502a

    Joined:
    Dec 13, 2011
    Location:
    Sacramento, CA
    #12
    This is the kind of silliness that could prevent NFC payment from gaining popularity. Sliding your credit card and signing would be faster. I hope this Sports Authority is the outlier, not the growing norm.
     
  13. KeepCalmPeople thread starter macrumors 65816

    Joined:
    Sep 5, 2012
    Location:
    San Francisco Bay Area, California
    #13
    Given that the device account number is:
    1) human-readable
    2) does not change, much like the credit card number itself

    It really offers no additional security. A thief can memorize it just as easily as the credit card number...

    People will give up using contactless payment if every place has a different payment protocol...
     
  14. Steve686 macrumors 68030

    Joined:
    Nov 13, 2007
    Location:
    US>FL>Miami/Dade>Sunny Isles Beach>Condo
    #14
    So the thief is going to skip the TouchID part of initiating a transaction? If so....'Dat boy good!!
     
  15. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #15
    I didn't say it has anything to do with security. It's only if the merchant requests it per Amex and so far, I've not been asked for it in the couple of times I've used Apple Pay. My guess is it's not common much like the merchant requesting the CVC code on credit cards.

    I disagree about people giving up contactless payment due to different protocols. We're already subject to different payment protocols with credit cards, including some requesting to see ID, requiring or not requiring signature, the merchant's requesting the CVC code, etc.
     
  16. KeepCalmPeople thread starter macrumors 65816

    Joined:
    Sep 5, 2012
    Location:
    San Francisco Bay Area, California
    #16
    Well I think we can all agree that if credit card issuers are on board with Touch ID being a secure method of authenticating someone's identity, and their processes for verifying that only the owner's own credit/debit card has been added into the device's Apple Pay, then any other form of identity verification is pointless...
     
  17. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #17
    Agree with this; however, as someone mentioned, they may be requiring the signature as a legal agreement to pay the card issuer, not as a method of identity verification.
     
  18. TraceyS/FL macrumors 68040

    Joined:
    Jan 11, 2007
    Location:
    North Central Florida
    #18
    Some POS systems could still just need programming. At Target, anything over $200 we have to manually enter the last 4 digits of the card. This is to ensure the front matches the back.

    Obviously not the case here, but if the POS is still stupid, that could be one reason. And, it would make sense to tell you to use the DAN because that is what the POS saw, not the real card.

    So, I think they are just saying, don't pull your physical card out, still use the phone.
     
  19. wombat94 macrumors member

    Joined:
    Oct 15, 2010
    #19
    These are the kinds of modifications that will take time.

    If the Point Of Sale prompted for a PIN, it sounds like the card that was stored in your Apple Pay was a debit card, and not a pure credit card.

    Many retailers will check for this fact before authorizing a payment and ask for a PIN because most customers (statistically speaking about 70 - 80%) will put in a PIN if asked for it. Processing a debit card as credit DOES cost the retailer more money than processing it as a PIN-based transaction. The difference isn't as great as it used to be before the CARD act reforms of a few years ago, but it IS still more expensive for the retailer to do signature-based debit card transactions than PIN based.

    If the OP had put in a PIN, instead of hitting cancel to process as credit then the last-four digits and signature parts of the transaction would almost certainly NOT have been necessary.

    Since the transaction was rung as credit, the POS system followed that path. My guess is that Sports Authority hasn't had time yet to update their system so that it recognizes NFC payments and therefore still requires the last-4 digit entry even though it serves no real purpose any more.

    Card-present credit card fraud has gotten so good that the original reason for requesting the last-4 digits really isn't even valid any more. That security measure was originally put in place when the common method of card-present fraud was to take an existing card and re-write the mag stripe with a different card's information. The last 4 check was put in place to make sure that what was read from the mag-stripe matched the numbers printed or embossed on the surface of the card itself. Nowadays, the fraudsters have gotten sophisticated enough to just manufacture a whole card in many cases - so the last-4 check really doesn't help much anyway.

    The signature is still likely to be required on higher-dollar purchases for a while until banks' agreements with merchants are modified.

    Quick server restaurants, gas stations and convenience stores have agreements that specifically state that they don't need signatures for purchases under a certain dollar amount (usually $25 or $50). Many other retailers COULD have that agreement, but if their typical purchase is more than that value, they may still require a signature on all purchases so that there is consistency for training their cashiers.

    I suspect that as NFC catches on and the security improves at the point of sale, that dollar value for purchases that are fully protected for the merchant without a signature may rise if it is an NFC transaction - but the systems will have to be modified to specifically recognize that fact. That takes time.
     
  20. maflynn Moderator

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #20
    If it's not convenient then people will just not bother with it. I'm not sure why you had to go through that rigmarole.
     
  21. deeddawg macrumors 604

    Joined:
    Jun 14, 2010
    Location:
    US
    #21
    You don't understand how it works. Understandable, there's a lot of ignorance and misinformation out there.

    The device-account-number needs to also have the single-use token that's generated by the hardware in the phone. Without it the charge will be denied.
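
An added illustration, not part of any post in this thread, of the disagreement between posts #13 and #21: a static device account number that anyone can read is not enough to authorize a charge when the issuer also demands a per-transaction value only the device can compute. This is a simplified model; HMAC-SHA256 with a counter stands in for the real payment cryptogram, and the account number, key, `Issuer` class and function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values, not real account data.
DAN = "4000001234567899"                      # static, human-readable number
DEVICE_KEY = b"demo-key-in-secure-element"    # never shown on screen

def make_cryptogram(key, dan, counter, amount_cents):
    """Per-transaction value bound to the number, a counter and the amount."""
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Hypothetical issuer-side check (assumption, not a real API)."""
    def __init__(self):
        self.keys = {DAN: DEVICE_KEY}
        self.last_counter = {DAN: 0}

    def authorize(self, dan, amount_cents, counter=None, cryptogram=None):
        key = self.keys.get(dan)
        if key is None:
            return "DECLINED: unknown number"
        if counter is None or cryptogram is None:
            return "DECLINED: no cryptogram"
        if counter <= self.last_counter[dan]:
            return "DECLINED: counter reused"
        expected = make_cryptogram(key, dan, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        self.last_counter[dan] = counter
        return "APPROVED"

def demo():
    issuer = Issuer()
    tap = make_cryptogram(DEVICE_KEY, DAN, 1, 5000)
    signed_for_50 = make_cryptogram(DEVICE_KEY, DAN, 2, 5000)
    return {
        # Someone who only memorized the number shown to the clerk.
        "number_only": issuer.authorize(DAN, 5000),
        # The genuine device tap.
        "device_tap": issuer.authorize(DAN, 5000, 1, tap),
        # The same captured values presented a second time.
        "replayed_tap": issuer.authorize(DAN, 5000, 1, tap),
        # A cryptogram computed for $50 attached to a $900 charge.
        "altered_amount": issuer.authorize(DAN, 90000, 2, signed_for_50),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```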
     
