Rite Aid and CVS Block Apple Pay and Google Wallet
An anonymous reader writes: CVS and Rite Aid have reportedly shut off the NFC-based contactless payment option at point of sale terminals in thousands of stores. The move will make it impossible to pay for products using Apple Pay or Google Wallet. Rite Aid posted at their stores: "Please note that we do not accept Apple Pay at this time. However we are currently working with a group of large retailers to develop a mobile wallet that allows for mobile payments attached to credit cards and bank accounts directly from a smart phone. We expect to have this feature available in the first half of 2015."
Not only that, but it's a huge pile of data mining/theft. They require direct access to take money from your current account (it bypasses the credit card companies, which is why they want to use it), and it requires access to your health data (for no known reason, but it requires it). Basically, it's a cluster fuck of ID theft.
How does this not violate these stores' agreements with Visa (etc), which have explicitly partnered with Apple and Google to provide Pay and Wallet as a valid method of using their (virtual) cards at the register?
And worse than simply not accepting it, they did so because they plan to come up with their own competing product??? WTF, Rite Aid, do you really think people will rush to use yet another crappy store-specific solution, rather than look confused at the cashier for a few seconds before walking away, leaving their stuff at the register?
While Google Wallet and Apple Pay may be free to the end-user, I highly doubt that it is free for the retailer.
Apple doesn't get a penny from the end user or from the retailer, so I suppose Google doesn't either. With Apple Pay the retailer pays the lowest rate available (percentages depend on how secure the payment method is; the more secure, the cheaper for the merchant). Apple gets some money from the bank; the bank saves money by having less fraud.
Bullshit. Canada was using direct debit with Interac since the early 80s. It is run by a group of banks and hits your bank account directly. It doesn't go through credit card companies. It is the most common form of payment here. I could go into a mom and pop corner store and pay this way for 30 years. People like it. It is not for profit but was formed by the banks and run on a private network. People didn't and don't want single companies like Visa or Google or Mastercard or Apple having all the power doing this. Companies that are for profit that want to take an even bigger cut of your money, run on public networks, and make money selling your data. I have a debit card that is very thin. It even fits in with the rest of my ID that I take everywhere anyway, and it is only online on a private network when I make a purchase... when the card is in the machine. Please explain what is so fucking great about Apple or Google pay on phones that run all the time on public networks, open to possible hacks.
-- I ignore anonymous replies to my comments and postings.
You realise Google Wallet is pretty much the same. Unlock your phone, touch the pad. No data handed over, one time code that can't be reused so cloning is pointless.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Actually, post Chip+Pin (and RFID Interac Flash for that matter) this sort of attack isn't possible. That's because the chip inside the card creates a unique one time approval for the transaction. The approval is un-replayable,
At worst, attack wise, you might be able to perform a turnstile attack on it (Interac flash reader, taped to a turnstile say), but transactions over Interac flash are capped at under 100$ and every 5 transactions you have to re-auth with a full chip and pin, so the banks' risk is pretty limited there.
Disclaimer: I've not done an in-depth analysis of the security controls myself. I know there were some weaknesses in the Euro implementation around not signing the list of allowable transaction verification mechanisms or somesuch (look up the blackhat talk if you need to know) but it's a LOT more difficult these days than inserting a skimmer on the terminal and video recording the pin. (Interac was always two factor, until Interac Flash).
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
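A simplified model of the one-time, un-replayable approval described in the comment above, added here as an illustration and not part of the original thread or of any card scheme's code. The `Card` and `Issuer` classes, the message layout and the use of HMAC-SHA256 in place of the card's real cryptogram algorithm are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key, amount_cents, counter, nonce):
    # Constructed layout: 8-byte amount, 2-byte counter, terminal nonce.
    msg = struct.pack(">QH", amount_cents, counter) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Hypothetical chip: holds a secret key and a transaction counter."""

    def __init__(self, key):
        self._key = key
        self.counter = 0

    def approve(self, amount_cents, terminal_nonce):
        self.counter += 1  # never reused, so every approval is unique
        return {"amount": amount_cents, "counter": self.counter,
                "nonce": terminal_nonce,
                "mac": _mac(self._key, amount_cents, self.counter, terminal_nonce)}


class Issuer:
    """Hypothetical issuer: same key, remembers the highest counter seen."""

    def __init__(self, key):
        self._key = key
        self.last_counter = 0

    def verify(self, txn):
        expected = _mac(self._key, txn["amount"], txn["counter"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return "reject: bad cryptogram"
        if txn["counter"] <= self.last_counter:
            return "reject: replayed counter"
        self.last_counter = txn["counter"]
        return "approve"


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    card, issuer = Card(key), Issuer(key)
    first = card.approve(1299, secrets.token_bytes(4))
    second = card.approve(500, secrets.token_bytes(4))
    return [issuer.verify(first),                       # genuine
            issuer.verify(first),                       # captured and resent
            issuer.verify(dict(second, amount=50000)),  # amount altered
            issuer.verify(second)]                      # genuine
```

A skimmed magnetic stripe, by contrast, is a static value with no counter and no MAC for the issuer to check.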
Actually, the QR code is because iPhones didn't come with NFC. And Apple isn't allowing app access to NFC yet (most likely because the NFC APIs aren't stable yet, but we can pretend it's to kill bad ideas like CurrentC as well).
The only reason for the fingerprint reader usage is because EMV demands it to access the secure element (Note: iPad Air 2 actually has an NFC chip in it, but no NFC antenna! It's suspected at least part of the secure element is the NFC chip, otherwise why have a completely useless chip there?).
Apple Pay is just a fancy implementation of the EMV payment spec - it actually doesn't really have much "Apple" to it other than spiffing it up to make it all shiny and usable Apple-style. The spec is from EMV and that dictates how it all works.
Apple doesn't control squat. All Apple Pay is is a virtual credit card implementing the spec with EMV. That's why it works practically everywhere with ZERO retailer involvement - as long as their terminals can do NFC purchases, Apple Pay will work. It does require the payment processor and the banks to have their end of the EMV spec done, which is why it only works with a few banks right now.
This is unlike Google Wallet, which is a payment system like Paypal - Google gets all your transaction information because they need to charge you. In Apple Pay, it's just using another representation of your credit card, which means Apple doesn't get involved in the transaction. It's why Apple Pay gets charged out at Card-Present rates, while Google Wallet only gets Card Not Present (higher fees because higher fraud).