Apple introduced a new system called Apple Pay where you hold the phone next to a little device at a shop, and touch a button, and voila, the payment is made.
This happens through NFC and some potentially proprietary Apple stuff. According to the Verge:
“In a store, you’ll hold your iPhone in front of a reader and place your finger over the fingerprint sensor to confirm. In an app, you’ll select Apple Pay as your payment method and confirm with Touch ID.”
Cool! This solution has two-factor authentication. The Touch ID (fingerprint or PIN) is the second factor.
There’s another layer of security. For each credit card you have, Apple stores a “token” and security key so that your card data isn’t transferred to the merchant terminal. The POS Terminal then does the authentication and authorization using the token.
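A simplified model of the token scheme described above, added here as an illustration; it is not Apple's or the card networks' actual protocol. The class names, the HMAC-based one-time code and the transaction counter are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, token, amount, counter):
    # One-time code bound to token, amount and counter (HMAC-SHA256 is an assumption).
    data = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class TokenService:  # hypothetical bank/network side: only it can map token -> card
    def __init__(self):
        self._vault = {}   # token -> [card number, key, last counter accepted]

    def provision(self, pan):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return token, key  # the phone stores these instead of the card number

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "DECLINED: unknown token"
        expected = cryptogram(entry[1], msg["token"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"
        if msg["counter"] <= entry[2]:
            return "DECLINED: replayed counter"
        entry[2] = msg["counter"]
        return "APPROVED: card ending " + entry[0][-4:]

class Phone:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount, user_verified):
        if not user_verified:  # stands in for the Touch ID / PIN check
            raise PermissionError("user not verified")
        self._counter += 1
        code = cryptogram(self._key, self.token, amount, self._counter)
        return {"token": self.token, "amount": amount,
                "counter": self._counter, "cryptogram": code}

def demo():
    service = TokenService()
    phone = Phone(*service.provision("4111111111111111"))  # constructed test number
    msg = phone.pay(500, user_verified=True)  # everything the merchant terminal sees
    first, replay = service.authorize(msg), service.authorize(msg)  # 2nd call is a resend
    tampered = service.authorize({**msg, "amount": 5000, "counter": 2})
    return msg, first, replay, tampered
```

Calling `demo()` returns the message the terminal handled along with the three authorization results: the first attempt is approved, while the resent message and the altered amount are declined.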
Our answer: It should, but it’s unlikely to, unless Apple, Indian banks and the RBI get together and work things out.
(Of course, it doesn’t matter right now since Apple Pay is only going to be available in the US).
Technically an Apple Pay transaction can qualify as one of two kinds of transactions.
1) As a card-present transaction, in which case the reading machine will effectively “swipe” the card when you move your device close by and select Apple Pay.
2) As a card-not-present (CNP) transaction, in Apple Pay for apps (where, for in-app purchases, you just click the Touch ID and pay automatically, with no card reader present).
(2) above is tough in India, as CNP in India requires two-factor authentication, as dictated by the bank. Every card uses a different mechanism for two-factor authentication (including redirecting you to a web page), and Apple will probably struggle to make this seamless across all cards. While Apple Pay transactions are true two-factor (the second factor is the fingerprint or a Touch ID PIN), Apple will have to work closely with banks to prove to them that the second factor was truly authenticated in instances of disputes. This kind of thing may require RBI to “okay” things as well.
In case (1) above, RBI mandates more secure cards, with the “Chip and PIN” concept, where a card has a chip built in and all authentication has to be encrypted, and you have to put in a PIN in many cases (in all cases when using debit cards; some credit cards are exempt).
Apple Pay actually works like Chip and PIN (it stores an encrypted form of the card in a secure encrypted chip in the phone, and it can accept a PIN). But its current structure is that the PIN it accepts is validated with Apple (I think), but for India the PIN must be sent and validated with the bank instead.
Apple will have to work with banks, and probably NPCI, to prove that its transactions are indeed secure. And while RBI regulations are open, they require merchant terminals to have certain encryption features, and will need to accept this new technology too.
With minor changes, Apple Pay can be made acceptable in India, as long as the payment ecosystem is okay. But the bigger deal here is Android, and similar technology can be used with Android phones, many of which are already NFC enabled and have encrypted areas of chips (called Secure Elements). While Apple Pay isn’t something usable by devices outside the Apple world, a similar concept can be built for Android, and this might actually be the answer for “two-factor” authentication we’ve all been complaining about – eventually, the second factor can be embedded in your phone (face recognition, voice phrase recognition, a PIN, a fingerprint or even a gesture on the screen; literally anything that’s not stored on the card). Google can do this at the Android (OS) level, and devices will have to follow.
I’m not all that kicked about Apple devices, but Apple Pay is a very interesting concept. I’d see the Android ecosystem’s reaction to be key for device-based payments to move to the next level in India (the devices are affordable and more prevalent). Hopefully Apple will come and clear the way.