With macOS and iOS 10, Apple is changing how we pay online, inside Messages, and even by voice

14.06.2016
Apple Pay is coming to Safari in iOS 10 and macOS Sierra, letting etailers and other payment-collecting sites offer an Apple Pay button that passes transaction verification to an iPhone or Apple Watch. Apple also said that iMessage apps in iOS 10 will allow payment apps, like Square Cash, to allow person-to-person payments within iMessage and via Siri; rumors of Apple directly offering Apple Pay for peer-to-peer payment so far seem misplaced.

About two dozen payment platforms work with Apple Pay today, and two of them, Stripe and Shopify, confirmed on Monday they will offer Apple Pay in Safari. Apple showed a list of early adopting retailers in one slide, and those retailers use an array of payment processors that will have to enable support as well. Shopify further noted that its hosted merchants who use Authorize.Net, Braintree, FirstData Payeezy, or CyberSource would be eligible for Apple Pay.

Square, so far, is the only iMessages app and Siri payment service announced. Square Cash is the merchant payment processing firm’s peer-to-peer payment app, requiring people sending cash to use a credit card or debit card, and those receiving it to register a debit card linked to a bank account.

In Safari, a customer will click an Apple Pay button to opt to pay via Apple’s processing system. On a Mac, a request will be sent to an iPhone via Continuity, which requires proximity to the computer, and then a buyer will use Touch ID on an iPhone or double-press the side button of an associated Apple Watch. Payments through Safari on an iPhone will allow same-device confirmation via Touch ID or via a linked Watch.

Apple Pay offers a huge reduction in risk for consumers, sites, and credit-card networks over other Web-based payment approaches, whether directly entering your credit card details, or using a system like Pay with Amazon, which requires a Web-based login to an Amazon account. Handing over any information to a site opens a customer and the merchant up to risk at every point from the user’s browser to the firm’s servers.

Keyboard-logging (keylogger) malware, browser exploits, and server-side security flaws (a la Heartbleed) can allow the interception of data. Even when payment information is securely received, companies that fail to secure it properly can allow the leak of details, such as the 40 million credit card numbers stolen from Target in 2013. (This reporter had Visa and American Express numbers stolen online from retailers earlier in 2016; security researcher Brian Krebs explains how that happens.)

However, Apple Pay in Safari has several advantages. First, the proximity requirement between a Mac and an iPhone or Watch prevents effective remote attacks. Second, not having to enter credit-card information or a password keeps even an attacker with a keylogger from grabbing your details. Third, the biometric requirement of Touch ID has the same benefit for an online transaction as an in-app purchase or other purchase within Apple’s app ecosystem.

And finally, the transaction never passes your credit-card number to the merchant, nor to Apple. Rather, the transaction uses a credit-card number proxy and other encryption details to pass from your iPhone through Apple’s processing network and to the ultimate payment network. The merchant receives verification that the transaction was successful or not.

Apple collects a tiny sliver of the transaction fee from the processing side of the equation. Consumers and merchants don’t pay extra. Payment platforms effectively handle transactions as if Apple Pay is just another way to enter or provide a credit card, rather than as a competitor.

Dozens of department stores, publications, airlines, and others were listed in Apple’s keynote slide, and all of them appear to have iOS apps. A Stripe spokesperson noted that Indiegogo, Instacart, Deliveroo, Kickstarter, OpenTable, Spring, and Warby Parker, shown on the keynote slide, are Stripe customers.

Many, if not all, of the featured sites offer in-app “durable goods” (non-digital items) for sale, so they can already use Apple Pay and avoid Apple’s 30-percent commission for digital goods. With back-ends already integrated with payment platforms that allow Apple Pay, extending from an app to a website is likely a small step.

Most modern payment platforms that work with merchants of all sizes offer, as Stripe does, a simple method of payment that requires inserting just a few lines of code and very little back-end programming. Larger sites or those with more complicated offerings may have deeper integration with a payment platform, but it could again be as simple as adding a button, a little back-end logic, and a couple of lines of JavaScript, because most of the Apple Pay iceberg is handled on the processor side.

Companies that sell via a hosting platform, like Shopify, may be able to enable Apple Pay with a click—or with no work at all. Shopify said recently it has over 240,000 merchants on its store system, and store owners using its in-house payment system or one of several others will need to click Activate Apple Pay to start accepting those payments.

Apple Pay is currently available in the United States, Australia, Canada, China, Singapore, and the United Kingdom, and is coming later this year to France, Hong Kong, and Switzerland, Apple said at WWDC.

Apple also said in its Monday keynote that Siri and Messages in iOS 10 would be opened up to third-party developers, including for payment apps. While Apple Pay allows both credit and debit cards, the system isn’t designed around receiving payment. Perhaps Apple will extend Apple Pay in the future for bidirectional payments, but for now it’s deferring to companies like Square, which said Monday it would allow Square Cash payments through both Siri and Messages.

A Square spokesperson said that an iPhone owner would simply be able to tell Siri to send someone money, and then confirm by voice. In Messages, a user can bring up Square in the list of Messages apps, select it, select a sum to send, and complete the transaction.

Square requires both sides of the transaction to have registered in Square Cash, but recipients who aren’t yet signed up will be prompted to retrieve the app to receive funds.

(www.macworld.com)

Glenn Fleishman