Speed read

In this article, the first of a series about mobile payments, we use Apple Pay as an example to introduce mobile payment technology. Over the series, we’ll overview the various legal and regulatory issues around mobile payment.

The concept of using a mobile phone to complete a payment is not new. However, there has recently been a big push from banks, telcos and others to get this technology into mainstream use, both in New Zealand and elsewhere.

Below, we introduce the key features of mobile payments, how the industry functions, and why the future of payments may create more questions than answers. We’ll use the recent introduction of Apple Pay as the example, and over the coming articles, outline how this and other models might apply in New Zealand.

The Detail

Apple Pay launches in the UK

The Apple Pay mobile payment system has recently launched in the UK, allowing users to make payments of up to £20 (increasing to £30 in September) with their iPhone 6 or Apple Watch. Expectations are high – Apple reported 1 million Apple Pay activations within three days of its US release last year.

Apple Pay will launch in Canada later this year, but there are still no details of a NZ release.

What exactly is Apple Pay?

First, let’s go back a step. A mobile payment, technically, is any payment effected by a mobile phone. This means there are several different types of mobile payments, including mobile app versions of online payment platforms (such as PayPal), direct carrier billing (when a charge is added to your phone bill), and closed-loop payments (where funds pre-loaded to an app can be redeemed at a single business, such as the Starbucks app).

Another key variant lies between four party models and three party models. A typical example of a four party model is a transaction where Visa and/or MasterCard are involved. The four parties are:

  • Customer
  • Customer’s bank
  • Merchant
  • Merchant’s bank.

The Semble model, dealt with later in this series, is an example of this.

The three party model is best illustrated by Diners and Amex: there aren’t the two banks involved. In this series we will focus on the four party model as that is where much of the action is.

Apple Pay is an example of yet another type of mobile payment platform, where payments are executed by contactless communication at the Point-of-Sale. This simple action – holding your iPhone near a

payment terminal – belies the complexity of the technology and behind-the-scenes detail. In the lingo, the Apple app “disintermediates” and provides a platform for both three and four party models.

How does Apple Pay work?

Apple Pay relies on digital wallet technology, in which encrypted credit card data is stored on the Secure Element chip of an iPhone. While this particular strategy is novel, Apple  is not a digital wallet pioneer. Other digital wallets have already been launched, including Google Wallet, which employs Host Card Emulation (HCE) technology that stores credit card data in the cloud.

To execute a payment, credit card data is communicated from the digital wallet to the payment terminal by a near-field communication (NFC) chip, which has a communication proximity of about 10cm. Only the iPhone 6 and Apple Watch currently contain NFC-compatible chips, so Apple Pay is limited to owners of these devices.

Setting up Apple Pay

Apple’s digital wallet is called Apple Passbook. The credit card attached to a user’s iTunes account can be used in Passbook upon confirming the card’s security code. Additional cards can also be added by manually typing in the card details, or by using the iPhone’s camera, as seen in the screenshot above.

Some credits cards are immediately verified when added to Passbook; others require a phone call or email from the bank providing the card. Note that card schemes (such as Visa and Mastercard) also play a key role in mobile payments, which we address further below.

Click here to view image.

Once verified, the physical credit card is no longer necessary to use Apple Pay, because the card’s information has been encrypted and securely stored on the phone.

Are these payments safe?

When holding an iPhone near a payment terminal, users must authenticate Apple Pay by placing a finger on the Touch ID fingerprint scanner of their iPhone 6. With an Apple Watch, authentication is achieved through continual skin contact. These features generally prevent stolen iPhones and Apple Watches from being used to make purchases.

Click here to view image.

Encrypted credit card data held on the Secure Element is not uploaded to iCloud or Apple’s servers. Nor are credit card details transmitted to merchants. Apple uses a method called tokenisation to scramble this information and send it with a unique dynamic security code that, if intercepted, cannot be re-used for fraudulent purchases.

So there’s nothing to worry about?

The transactional security of mobile payments is still an issue, as is the fact that major corporations are increasingly subject to sophisticated hacking attempts, like the 2014 hack of Target’s payment systems.

Another concern for consumers is big data and privacy. Apple insists that:1

“We are not in the business of collecting your data… Apple doesn’t know what you bought, where you bought it, or how much you paid. The transaction is between you, the merchant, and the bank.”

Apple does know the exact time of your purchase, however, and the Apple Pay terms and conditions state that if location data is turned on, the location of payments are aggregated to improve Apple’s wider services.2

These seemingly innocuous pieces of information could be matched with other data on your phone, or the data held by other participants in the mobile payments industry, to identify very specific and personal consumer behaviours. As an example, see our article Big Data in business father learns of teenage daughter’s pregnancy from retail chain.

To be clear, these are issues facing the mobile payments industry as a whole, not only Apple. We’ll address them in more detail in later articles, but they lead to one final question…

How does Apple make money from Apple Pay?

To answer this, it’s important to identify the players involved in each Apple Pay transaction.

In general, mobile payments have introduced two new players to the payments space: Telcos and Trusted Service Managers (TSMs).

TSMs act as the neutral intermediaries between providers (banks, merchants) and telco network operators. TSMs exchange and manage the secure elements necessary for a safe mobile payment to take place.

The TSM could be fully independent, or a joint venture between market participants. The latter is currently the case as to one approach in New Zealand, namely the service called Semble, a  New Zealand-based mobile payment app available on Android devices. It is a TSM initiative involving Spark, Vodafone, 2degrees, Paymark, ASB, and BNZ. Under Semble’s model, credit card data is stored on the Secure Element of the SIM cards provided by these telcos.

Under Apple’s model, however, the Secure Element is part of the iPhone device, not the telco-provided SIM. Apple also manages data by acting as its own independent TSM, greatly reducing the role of telcos in the Apple Pay process.

A further point to note is the importance of the banks and card schemes, which impose Merchant Service Fees (MSFs) each time credit cards are used. In New Zealand, about 80% of MSFs are “interchange fees” retained by the bank issuing the card, or passed on to card schemes in the form of network fees.

Click here to view image.

MSFs are covered by merchants in some NZ industries (meaning retailers generally receive less from credit card payments than, for example, from EFTPOS which have no MSFs), but passed on to customers in other industries (a credit card surcharge is now the norm when paying for a flight or taxi).

Using the Apple Pay model as an example, the diagram above shows how the numerous participants in the mobile payments industry have greatly increased the complexity of possible commercial relationships and potential monetary flows.

Apple users incur no additional fee to use Apple Pay, but Apple, acting as its own TSM, has other options to skim the cream from Apple Pay transactions.

Apple is reportedly collecting a credit card transactional fee from financial institutions, in addition to (a) existing “interchange fees” (although in various countries the Apple fee may be taken off the normal interchange fee), and (b) the new fees charged by credit card networks to tokenise card data for secure mobile payments.3  The banks don’t pay Apple directly – these fees are collected  by card schemes, who then pass on Apple’s share.

What’s more, these additional Apple Pay costs cannot be passed on to customers under Apple’s contractual arrangements. We’ll add more detail to this in our article, Mobile payments and competition law, as it may be a legal issue in NZ.

Watch this space

Many observers predict that mobile payments will grow into a multi-trillion dollar industry in the years ahead. Given the multitude of possible commercial  and legal arrangements for software providers, TSMs, banks, and telcos to share or fight over this market, it remains an area to watch.

In the articles to follow, we’ll address some key mobile payment issues in more detail, including regulation, cybersecurity, privacy, contractual issues, and aspects of commercial and consumer law.