Pottering around on Twitter, I noticed an interesting question:
Why can’t I use Apple Pay for everything online? Shouldn’t there be some way for me to hold my phone up to the screen when I get to an order page online and scan a QR code and hold my thumbprint or something? — Joe Weisenthal (@TheStalwart) January 2, 2019
Joe has a point. Apple Pay is far more secure, and far more convenient, than messing around typing card numbers in to web pages as we did back in 1998. And globally, merchants lose some $20-$30 billion per annum in card-not-present fraud, so why aren’t we using our (secure) mobile payment systems to pay for things we buy on the (insecure) web already?
Well, first of all you can use Apple Pay to pay for things on the web but only if you are using Safari and only if the merchant has implemented Apple Pay. The merchants, however, don’t want to implement a solution that only works for a small proportion of their customers (ie, people who use iPhone, Safari on the web and have Apple Pay configured correctly). Merchants would prefer a more universal solution such as W3C or SRC.
Change, however, may be just around the corner.
Barclays Equity Research put out an interesting note on payments in November. Called “Sleepwalking into 3DS2.0 and PSD2”, it kicks off by saying that “the mandated 3-D Secure 2.0 and the requirement for two-factor Secure Customer Authentication (SCA) are around the corner, but the industry does not seem ready for this major change in transaction processing protocols”.
Well, quite. I’m glad to see they agree with our decision to make SCA the highest priority of our “Live 5” areas for our clients to focus on in the coming year.
In this note, Barclays say that an unintended consequence of PSD2 will be a better e-commerce experience on mobile, where biometrics are a convenience technology, rather than the desktop, and this should benefit digital wallets (again as we note in our Live 5). In the store too, mobile may have the advantage. Contactless payments will require a PIN entry every five transactions or €150 (depending which the issuer mandates), unless an online transaction in the interim authenticates the card and restarts the counter.
However, an Apple Pay or Google Pay mobile transaction would be authenticated every time and because of CDCVM, can ignore the contactless limit (currently £30 in the UK). While a card is arguably marginally easier than mobile wallets today for contactless, this may be enough to shift the advantage to mobile.
Thus, the future of secure retail transactions will converge on the smartphone, irrespective of whether those transactions are physical or virtual.