The big battle in payment apps is not of different brands like Walmart Pay and Apple Pay; or among corporate giants like JPMorgan Chase (NYSE: JPM) and Alphabet (NASDAQ: GOOG), but between two very different payment technologies.
The real conflict in brick and mortar app payment is that there are two very different technologies in widespread use. This makes systems incompatible and effectively drives a wedge between the different companies offering payment solutions and their customers.
The two payment technologies out there are:
- NFC or near-field wireless communication, the technology used by Apple Pay, Android Pay, Samsung Pay and MasterCard’s (NYSE: MA) proposed solution; Masterpass. NFC works by sending a wireless signal directly to the cash register. It connects directly to a payment system through the retailer’s computer network. Basically NFC pays the register directly from a digital wallet.
- QR or quick read code; the method used by Walmart Pay, Chase Pay and the defunct Current C. QR works by having an app use a phone’s camera to scan a code that appears on a screen. The code contains information that gives the phone access to a payment system via the app. Unlike NFC, the customer’s phone connects to the payment system, via the customer’s wireless plan. There is no direct connection between the register and the phone. Instead the entire transaction takes place in the cloud – on Walmart Pay the receipt appears directly on the phone. QR pays the retailer’s digital wallet from the customer’s digital wallet.
There are strengths and weaknesses to both systems. NFC does not require an outside wireless signal, while QR needs one. The NFC technology is already built into many payment systems, QR is not.
The big advantages to NFC are that it is easy to use and readily available. Many people are already familiar with it because of Apple Pay. Despite that NFC, might never become the industry standard – because of security concerns.
Apple Pay’s Big Security Hole
Strangely enough QR’s big advantage is that it is more secure. My guess is that big retailers like Walmart (NYSE: WMT), Target (NYSE: TGT), Kroger (NYSE: KR) and Costco Wholesale (NASDAQ: COST) are leery of NFC because of security concerns.
The fear is that hackers would use the NFC signal to get access to their computer systems. There’s a subculture of hackers called wardrivers who drive around looking for Wi-Fi networks to crack. NFC systems like Apple Pay sound ready made for wardriving. Equipment and software for wardriving is widely available online and it has lots of practitioners.
A potential flaw of NFC is that all a hacker would need to do to get into a company’s system is to crack one phone. The direct connection might create the kind of backdoor into retail ecosystems that the FBI demanded for Apple Phone earlier this year.
The big fear of retailers is that wardrivers will be able to use an NFC payment app to get into their systems; and steal money or account numbers. Such breaches have occurred before; back in 2007 wardrivers were able to steal 94 million MasterCard and Visa numbers from TJX (NYSE: TJX) – the corporate parent of TJ Maxx and Marshalls. Target ended up paying victims of a 2013 data breach $10 million.
With history like that it is easy to see why Big Retail is so leery of NFC. It is also easy to see why retailers spent so much money developing another potentially more secure technology.
There are even greater potential dangers out there including an attack designed to shut down the company’s entire system. An example of that might be malware that freezes up all the cash registers or erases all the company’s data.
Such an attack might be imminent, respected encryption firm PKWARE listed an ISIS breach of a major corporation as one of the “top five most likely Cyberattacks for 2016,” back in January. Since two of PKWARE’s other Most Likely Cyberattacks on medical devices and a presidential campaign have come to pass it is likely. Ransomware predators extorted $17,000 from Hollywood Presbyterian Hospital in February; and Anonymous targeted Donald Trump’s campaign in March, just as the company predicted.
Are Walmart Pay and Chase Pay more Secure than Apple Pay?
Quick read technology’s security is potentially much tighter than NFC solutions like Apple Pay for two reasons:
- The code can be quickly or perhaps instantly changed in the event of a hack. The system can also be set to randomly generate new codes, which would make it far harder to crack. If Walmart Pay generates a new code for each transaction it would be a hacker’s nightmare. A hacker who cracked a phone would still not be able to get into a retailer’s system because the code changed.
- There is no direct connection between the customer’s phone and the retailer’s system. Instead all payment activity takes place in a completely separate system. This reduces the retailer’s liability by putting account numbers outside of its network. Even if the payment system gets hacked the bad guys will not get access to all the company’s data. Another advantage to this is that it would be easier to isolate an attack by malware in a separate system. A major goal here is to keep the phone’s vulnerabilities from becoming the system’s Achilles heel.
Obviously these advantages are theoretical but they are potentially tremendous. Particularly for Chase Pay; which would be a separate bank-owned payment network accessed via QR code. A wild card here is blockhain the technology that is the basis of bitcoin. Blockchain is theoretically far-more secure than present-day solutions and easily integrated with QR code.
If somebody were to come up with a blockchain that was also a QR code it would be the ultimate protection in payment security. Another advantage to blockchain is that it is a permanent virtual ledger; which would make it far easier and cheaper to track transactions. There would be one permanent record of every transaction to keep track of in a centralized system. I imagine that is Walmart’s ultimate goal for all its retail and financial transactions.
Retailer’s Risks from Apple Pay
If it works as designed, Chase Pay would enable merchants to take apps payments without any additional equipment or added risk. Instead Chase would assume the risks, a big problem with Apple Pay is that Apple (NASDAQ: AAPL) is trying to put all the risks on the retailers.
A retailer that uses Apple Pay exposes itself to data theft; and the potential of having to reimburse customers for losses. In exchange for that risk the retailer gets little in return, because it loses the ability to track customer purchases. That threatens Kroger and Walmart’s data-driven business model; which tries to predict customer behavior by tracking purchases.
Another advantage to Chase Pay is that it would work off of Chase’s bank accounts; which are insured by the FDIC, or credit cards Chase owns. That means Chase will absorb potential losses. Nobody knows who is responsible for Apple Pay losses, so that is an issue that sounds like litigation waiting to happen.
Walmart seeks to contain losses by operating its own payment network. It also gets the ability to track purchases and identify problems and opportunities.
The NFC/QR struggle in payment apps will remind some older people of the battle between VHS and Betamax to become the industry standard in video tapes. VHS eventually won, because it was more widely adopted. If history repeats itself here, the more widely used QR would win.
Another possibility is that payment app solutions will end up like operating systems with a number of solutions being used at once. Just as we now have Windows, Android, Linux, Chrome and other systems running all over the place and sometimes on the same systems, we might see QR and NFC in use at the same cash register or even in the same app. Much as today’s cash registers now take American Express, Visa, MasterCard and Discover.
The question the big payment companies will have to answer is can such a complex system function smoothly or effectively. Only time will answer that question and tell us which payment solution will win.