The risks from phone-based payment solutions like Apple Pay might be far greater than many insurers assume. Despite media reports about the safety of Apple Pay; which arrived in the UK in June 2016, there are some indications that such apps might be far riskier than is commonly believed.
Most of America’s large retailers are refusing to accept Apple Pay; and a similar product from Alphabet called Android Pay. The reasons for the refusal are obscure but most of the stores involved are equipped to accept such payment.
Nor are large retailers necessarily hostile to the idea of app-based payment, the largest retailer in the United States and the world; Walmart Stores Inc., has rolled out its own payment app. Walmart Pay is now accepted at 4,600 of the company’s stores in America, Market Mad House reported. Despite that Walmart refuses to accept Apple Pay or Android Pay in its stores.
Are there security risks to Apple Pay
Insurers need to monitor this situation because security concerns may have played a role in Walmart’s decision. Walmart Pay employs a totally different technology than Apple Pay and Android Pay.
Apple Pay and Android Pay use Near Field Communication (NFC); in which a wireless signal is used to communicate directly with a retailer’s payment system. Walmart Pay uses Quick Read (QR) Code technology; in which the phone’s camera takes a picture of a bar code, shown on a cash register screen.
A key difference between Walmart Pay and Apple Pay; is that Walmart Pay then uses the phone to withdraw money directly from a bank or credit card account. The transaction takes place outside Walmart’s system, which might limit liability. Both systems try to protect the transaction by creating a token; or separate encryption, for each payment.
An interesting difference is that Walmart’s solution offers an added layer of security; in the form of the QR code. A new code is generated for each transaction, which theoretically makes it harder to crack.
Nor is Walmart the only entity that is forgoing NFC in favour of QR Code technology. America’s largest bank; JP Morgan Chase, is offering Chase Pay – another QR-Code based solution. Like Walmart, Chase has refused to utilize NFC, which raises serious questions about Apple Pay’s security.
Liability and Payment Solutions
Interestingly risk management and liability seem to be the reasons why there are two different payment app technologies in widespread use. Apple, Alphabet, Chase and Walmart all seem to be motivated by fears of liability in the decisions made about payment applications.
Apple is refusing to share transaction information with retailers; possibly out of the fear that it would be liable if customers suffered losses, if payment data were lost or stolen. That is part of the reason why retailers like Walmart, Amazon and the giant American grocer Kroger have refused to accept Apple Pay; those companies employ a data-driven business model, in which corporate decisions are based on transaction information.
Retailers like Walmart might be afraid they would assume liability for losses if they give a technology company like Apple access to their payment systems. Part of the reason for resistance to NFC is that it connects an outside app directly to a payment system.
Another US retailer; Target, was forced to pay customers $10 million because of hacking in 2015, CNN reported. Target was sued after hackers stole the credit and debit card numbers of 40 million of its customers in December 2013. Target was also forced offer each customer a year of free credit monitoring and identity theft protection because of the breech. Given that history it is easy to see why American retailers are so resistant to new payment technologies.
Payment Applications and Liability
One reason why Walmart is offering its own payment solution is to limit liability by controlling its security. Interestingly, Walmart might be assuming a greater level of liability by taking full control of the payment ecosystem.
In the United States, banks and credit-card companies routinely assume responsibility for 100% of losses caused to customers by theft. Despite that American banks have been far more willing to embrace Apple Pay than retailers.
At last count, 1,433 American financial institutions were supporting Apple Pay. One reason for banks’ willingness to accept Apple Pay is that the United States government insures bank accounts for up to $250,000 (£191,168), through the Federal Deposit Insurance Corporation or FDIC. That means the FDIC is assuming some of the risks, banks are incurring by utilizing Apple Pay.
This raises an interesting question: who would be liable for losses if a payment app were hacked. Would it be banks, the government, retailers or the company offering the payment solution? Such questions will probably have to be resolved by the courts through litigation.
Banks resist Apple Pay in Australia
Nor are such disputes limited to the United States, in Australia four major banks; Westpac, Commonwealth Bank, the National Australian Bank and the Bendigo and Adelaide Bank, asked the nation’s financial services regulator for permission to negotiate collectively with Apple on issues including NFC. The regulator; the Australian Competition and Consumer Commission, has tabled the request so it can study the issue, the Australian Broadcasting Corporation (ABC) reported.
Liability is at the heart of this dispute because the banks want access to Apple’s technology. Apple has refused to give the banks direct access to its closed Apple Pay system because of potential risks to its security.
“Providing simple access to the NFC antenna by banking applications would fundamentally diminish the high level of security Apple aims to have on our devices,” Apple’s submission to the Commission reads.
Insurance and Payment Applications
The risks created by payment applications create some interesting opportunities for insurers.
The most obvious of these opportunities is policies that would protect retailers, financial institutions, individuals, government agencies like the FDIC or technology companies from losses created by payment applications. The risks from hacking and the potential liability might make such coverage vital to payment applications in the future.
This gives rise to some interesting disputes including how the insurance would be paid for. The most likely means of covering the cost would be added charges on transactions; although it remains to be seen if customers would accept the extra cost.
Other questions that will need to be answered include the level of risk and the amount of coverage necessary. So far; no payment app has been hacked, but given the amount of cash involved it is only a matter of time before some criminal penetrates Apple Pay or Walmart Pay. When that occurs, risk management and insurance questions will come to the forefront.
The risks and liability created by payment applications are far greater than is widely assumed. That means the opportunities for insurers created by this technology will be great.