Slashdot Mirror
Rite Aid and CVS Block Apple Pay and Google Wallet
An anonymous reader writes CVS and Rite Aid have reportedly shut off the NFC-based contactless payment option at point of sale terminals in thousands of stores. The move will make it impossible to pay for products using Apple Pay or Google Wallet. Rite Aid posted at their stores: "Please note that we do not accept Apple Pay at this time. However we are currently working with a group of large retailers to develop a mobile wallet that allows for mobile payments attached to credit cards and bank accounts directly from a smart phone. We expect to have this feature available in the first half of 2015."
Not only that, but it's a huge pile of data mining/theft. They requires direct access to take money from your current account (it bypasses the credit card companies, which is why they want to use it), and it requires access to your health data (for no known reason, but it requires it). Basically, it's a cluster fuck of ID theft.
How does this not violate these stores' agreements with Visa (etc), which have explicitly partnered with Apple and Google to provide Pay and Wallet as a valid method of using their (virtual) cards at the register?
And worse than simply not accepting it, they did so because they plan to come up with their own competing product??? WTF, Rite Aid, do you really think people will rush to use yet another crappy store-specific solution, rather than look confused at the cashier for a few seconds before walking away, leaving their stuff at the register?
While Google Wallet and Apply Pay may be free to the end-user, I highly doubt that it is free for the retailer.
Apple doesn't get a penny from the end user or from the retailer, so I suppose Google doesn't either. With Apple Pay the retailer pays the lowest rate available (percentages depend on how secure the payment method is; the more secure, the cheaper for the merchant). Apple gets some money from the bank; the bank saves money by having less fraud.
Bullshit. Canada was using direct debit with Interac since the early 80s. It is run by a group of banks and hits your bank account directly. It doesn't go through credit card companies. It is the most common form of payment here. I could go into a mom and pop corner store and pay this way for 30 years. People like it. It is not for profit but was formed by the banks and run on a private network. People didn't and don't want single companies like Visa or Google or Mastercard or Apple having all the power doing this. Companies that are for profit that want to take an even bigger cut of your money, run on public networks, and make money selling your data. I have a debit card that is very thin. It even fits in with the rest of my ID that I take everywhere anyway, and it is only online on a private network when I make a purchase... when the card is in the machine. Please explain what is so fucking great about Apple or Google pay on phones that run all the time on public networks, open to possible hacks.
-- I ignore anonymous replies to my comments and postings.
I already carry something around in my wallet for paying for things that's convenient, secure, (as long as I don't lose my wallet,) and accepted virtually everywhere I go.
It's called, "cash."
Are there downsides to using "cash" for paying for things? Sure, you have to remember to get it before spending it, and generally you have to earn it before you can use it. On the upside... you have to remember to get it before spending it, reducing frivolous and mindless, impulse-buy spending, and you have to earn it before you can use it, reducing the odds of going into debt.
It also assures me of privacy, (it's way harder to track than credit/debit cards, mobile payment systems, etc.) doesn't cause me to get e-mailed or snail-mailed spam or junk-mail, etc., I don't have to worry that some ass-hat will think my "spending habits" are "irregular" and decide to decline my "cash" payment, or that some jack-booted government thug will decide my spending habits are too similar to someone else' spending habits and that I'm therefor up to no good...
"Cash" is the best mobile-payment system ever created, which is why its catch-phrase has hung around so long... "Cash is king."
But enjoy your magical, hackable "near-field" bullshit, and your "magnetic-stripe" crap. I tried many such things, and have gone back to cash. Accepted pretty much everywhere I ever go, or might go, trace-free, and if you're really worried about cooties... you're much more likely to get sick from inhaling the air than from touching money. Best of luck to you all. I'm going to go hit the ATM. (Since I use a credit union, and not a bank, and I use the network ATM's, I don't pay any fees either.)
Cheers!
You realise Google Wallet is pretty much the same. Unlock your phone, touch the pad. No data handed over, one time code that can't be reused so cloning is pointless.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
HIPAA (note spelling) doesn't protect billing data, when properly signed away in the ToS. That you can figure out from someone's purchases that they are a teen on the pill doesn't mean that "health data" is being transmitted, or that the information transmitted isn't required for proper billing records.
But then, someone who talks about HIPAA and doesn't know how to spell it, obviously doesn't know what they are talking about, but isn't afraid to post like they do, confusing others.
Learn to love Alaska
Your arguments are a little bit nonsense. Why do you have people with credit cards "digging them out of their wallet", but phone users seemingly already having their phones in their hand? Why would I "already have the phone in my hand" unless I'm a teenager?
Seriously, I engage in maybe two transactions with brick and mortar merchants a day. The difference between pulling out a credit card and unlocking my phone, typing in a PIN or futzing with a fingerprint, finding the NFC app (or whatever) is so tiny as t be meaningless. Then on top of it, I would feel foolish paying for something with my phone, because so far, everyone I have ever seen paying for something with a phone looks either a little bit foolish or very foolish.
Being an obedient consumer is very low on my list of priorities. I'm OK with letting the NFC revolution pass me by.
You are welcome on my lawn.
Pretty much doesn't cut it. With Google wallet you need to unlock your phone (entering that pin) and then potentially enter the Google wallet pin to authorize the transaction. So two pins versus none. Google wallet hasn't taken off because it's more hassle than using a credit card, which was the point.
Maybe in the USA.
In the rest of the world, restaurants have WIFI pay terminals that waitresses can bring to the table for credit card or debit card transactions and all the new ones support NFC as well.
Actually, post Chip+Pin (and RFID interact flash for that matter) this sort of attack isn't possible. That's because the chip inside the card creates a unique one time approval for the transaction. The approval is un-replayable,
At worst, attack wise, you might be able to perform a turnstile attack on it (Interac flash reader, taped to a turnstile say), but transactions over Interac flash are capped at under 100$ and every 5 transactions you have to re-auth with a full chip and pin, so the banks' risk is pretty limited there.
Disclaimer: I've not done an indepth analysis of the security controls myself. I know there were some weaknesses in the Euro implementation around not signing the list of allowable transaction verification mechanisms or somesuch (look up the blackhat talk if you need to know) but it's a LOT more difficult these days then inserting a skimmer on the terminal and video recording the pin. (Interac was always two factor, until interac flash).
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Actually, the QR code is because iPhones didn't come with NFC. And Apple isn't allow app access to NFC yet (most likely because the NFC APIs aren't stable yet, but we can pretend it's to kill bad ideas like CurrenC as well).
The only reason for the fingerprint reader usage is because EMV demands it to access the secure element (Note: iPad Air 2 actually has an NFC chip in it, but no NFC antenna! It's suspected at least part of the secure element is the NFC chip, otherwise why have a completely useless chip htere?).
Apple Pay is just a fancy implementation of the EMV payment spec - it actually doesn't really have much "Apple" to it other than spiffing it up to make it all shiny and usable Apple-style. The spec is from EMV and that dictates how it all works.
Apple doesn't control squat. All Apple Pay is is a virtual credit card implementing the spec with EMV. That's why it works practically everywhere with ZERO retailer involvement - as long as their terminals can do NFC purchases, Apple Pay will work. It does require the payment processor and the banks to have their end of the EMV spec done, which is why it only works with a few banks right now.
This is unlike Google Wallet, which is a payment system like Paypal - Google gets all your transaction information because they need to charge you. In Apple Pay, it's just using another representation of your credit card, which means Apple doesn't get involved in the transaction. It's why Apple Pay gets charged out at Card-Present rates, while Google Wallet only gets Card Not Present (higher fees because higher fraud).