If you've ever bought gas from inside the station, or perhaps some aspirin from a national pharmacy chain, you've probably seen those payment terminals with a Touch Here sticker at the top, inviting you to pay by just tapping the terminal with your credit card (instead of swiping). If you saw Tuesday's video demo of Apple's new Apple Pay system in action, you probably noticed something very similar.
That's because payments using Near Field Communications (NFC) — the technology behind those swipe-free terminals and now Apple Pay — is nothing new. The technology has existed since the late 1990s and appears in many forms, including key fobs, payment cards, and even (on certain phones) Google Wallet. It isn't necessarily the most widely deployed payment technology, but it certainly isn't new.
Which begs the question: Why all the hype about Apple Pay? Is it merely the Reality Distortion Field hyping something that's actually ho-hum? Or is there something deeper here?
Something borrowed, something new
The easiest way to understand what is new about Apple Pay is to walk through the process of using it.
The first step is, you buy an iPhone 6 or 6 Plus. These are the only phones to support Apple Pay, because the entire system relies on two new pieces of hardware: the secure element and the NFC chipset.
Phone in hand, you next need to load it with a credit card, either by taking a picture of your credit card or by approving an existing card that's already tied to your Apple Store account. Apple is the first vendor to support this loading system — possibly because it may be the first to get permission from the credit card brands to do so.
But this is where things get interesting. When the iPhone scans the number off your card, it doesn't store it locally, or even on Apple servers. According to Apple sources, Apple mediates a connection to the payment network or issuing bank associated with your card, which then provides a Device Account Number.
This technique is known as tokenization. Tokenization has many flavors, but at core what it's doing is replacing a sensitive piece of data (your credit card number, say) with a random piece of data that (typically) has the same structure and formatting. For example, there are a variety of tokenization systems that take a real, 16-digit credit card number, store it in a database, and return another 16-digit number that meets all the structural requirements of a credit card (it passes the LUHN check).
Tokenization is great because it reduces or eliminates the need to update legacy systems that expect a credit card number, without ever exposing the real number. Tokenization is typically handled by the payment network, which (in some implementations) encrypts the credit card number right when you swipe it, sends it back for the token, and then provides that to the merchant to keep for things like refunds or customer tracking. If the merchant's system is breached, no real numbers are exposed; the tokens can also be merchant-specific for any given credit card, making them useless anywhere else.
Sign up for MIS Asia eNewsletters.