Brian Knight
Associate Director, Financial Policy, Center for Financial Markets
Brian Knight is an attorney with significant experience in new sources of capital, financial technology, and entrepreneurial issues. He is interested in the interplay between technological, regulatory, and market innovation and how best to improve access to capital for businesses of all sizes.

Apple Pay, fraud, and why no responsibility might not be a good thing

By: Brian Knight
March 30, 2015

We have previously discussed the impact of mobile wallets, with Apple Pay being the most recent and most hyped. We have also discussed how innovation and incentives have led to a credit card system that is both safe and convenient. Now there is a story in the news that bridges the gap, and it deals with the unfortunate topic of fraud. A Washington Post story describes an observed elevated rate of fraud on Apple Pay, with one analyst, Cherian Abraham, placing the rate at about 6 percent, which as the Post points out is about 60 times the rate of swipe transactions.

How is this happening? Is Apple’s tokenization process faulty? Have hackers infiltrated Cupertino? Are people stealing iPhones and defeating the fingerprint check (or worse, cutting off fingers)? No, it is much simpler than that. Criminals are buying payment credentials online, loading them onto iPhones, and then using Apple Pay to buy things with the stolen card. There is a fiendish brilliance to it: the thief doesn’t need to have the card, which means the card isn’t missing, which means the card’s actual owner may not know the card was compromised until the statement arrives (if they even read the statement). This gives thieves plenty of time to go on sprees.


Additionally, this type of theft is likely much harder for stores to combat, because it exploits an asymmetry between “card-present” and “card-not-present” transactions. A card-present transaction is just what it sounds like: you swipe your card to pay. A card-not-present transaction is when you buy something over the phone or online and provide the credentials to the merchant, but the card itself isn’t swiped. Card-present fraud requires the thief to have your credentials, either on your card or on another card, such as a hotel key card, onto which he has loaded the credentials. Card-not-present fraud only requires that the thief know some of the details; the exact amount of information required depends on the merchant and the type of transaction. Not surprisingly, card-not-present fraud is significantly higher, with the Federal Reserve placing its fraud rate at three times that of card-present fraud.

Because the cost of fraud frequently falls on the retailer, many of them take security very seriously. Brick-and-mortar merchants have built their security operations and expectations largely around the card being present, while online and phone retailers have focused on developing internal processes to weed out card-not-present fraud. They often require the creation of an account and collect information such as shipping addresses and order histories, which provide ammunition to help weed out fraudulent purchases. To shop at Amazon you need to create an account and use it every time, something you don’t have to do at the local store.

The problem with Apple Pay fraud is that it allows card-not-present fraud to occur in a card-present environment. The card credentials are loaded into the phone offsite, and then the phone is used as a proxy for the payment card in the store. This means that the transaction can bypass both the traditional safeguards for cards (the physical presence of a card, the cashier looking at the signature) and those for card-not-present transactions (matching shipping and billing addresses, checking against prior order histories). This places retailers and banks at considerable risk because, under the rules of the credit-card networks, they are likely responsible. This is the position Apple is taking. This position may not be entirely unreasonable, since ultimately the bank issuing the card is responsible for allowing it to be attached to Apple Pay. But I wonder whether such a view is in Apple Pay’s long-term best interest.
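As an added illustration of the asymmetry described above (this is example code, not anything from the post, Apple, or the card networks), the sketch below treats a wallet tap as card-present at the terminal but, for risk purposes, as card-not-present unless the issuer actually verified the cardholder when the token was provisioned. The field names, thresholds and sample transaction are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds are assumptions for this example, not figures from the post.
NEW_TOKEN_WINDOW = timedelta(hours=24)  # token loaded shortly before first use
MAX_CARDS_PER_DEVICE = 3                # many cards on one phone looks like a credential dump

@dataclass
class Provisioning:
    """What the issuer knew when the card was attached to the wallet (constructed fields)."""
    provisioned_at: datetime
    cardholder_verified: bool  # issuer confirmed the cardholder before approving the token
    cards_on_device: int

@dataclass
class Transaction:
    channel: str               # "swipe", "online" or "wallet"
    amount: float
    at: datetime
    provisioning: Optional[Provisioning] = None  # present only for wallet taps

def effective_channel(tx: Transaction) -> str:
    """A wallet tap is card-present at the terminal, but the credentials were keyed in offsite."""
    if tx.channel == "swipe":
        return "card-present"
    if tx.channel == "wallet" and tx.provisioning and tx.provisioning.cardholder_verified:
        return "card-present"
    return "card-not-present"

def risk_flags(tx: Transaction) -> List[str]:
    """Reasons a wallet tap deserves the scrutiny normally reserved for online orders."""
    if tx.channel != "wallet" or tx.provisioning is None:
        return []
    p, flags = tx.provisioning, []
    if not p.cardholder_verified:
        flags.append("token issued without cardholder verification")
    if tx.at - p.provisioned_at < NEW_TOKEN_WINDOW:
        flags.append("token provisioned less than 24h before use")
    if p.cards_on_device > MAX_CARDS_PER_DEVICE:
        flags.append(f"{p.cards_on_device} cards loaded on one device")
    return flags

def demo() -> dict:
    """Constructed sample: a plain swipe, and a tap on a token loaded an hour earlier, unverified, onto a phone holding six cards."""
    now = datetime(2015, 3, 30, 12, 0)
    swipe = Transaction("swipe", 40.0, now)
    tap = Transaction("wallet", 900.0, now, Provisioning(now - timedelta(hours=1), False, 6))
    return {"swipe": (effective_channel(swipe), risk_flags(swipe)),
            "wallet": (effective_channel(tap), risk_flags(tap))}
```

The point is that the only place the card-not-present style checks can still happen is at provisioning, which is why the post locates responsibility with whoever approves the card's attachment to the wallet.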

Retailers are not going to continue to accept a method of payment that places them at significant risk, especially one that’s hard to avoid while maintaining the convenience advantage that Apple Pay offers. Asking every customer to show ID when they use Apple Pay is a great way to get people to stop using it entirely – though at least one state lawmaker has made just such a suggestion.

Instead, it might be wiser for the payment networks to insist that Apple and other digital wallet makers share responsibility for breaches where they are the weak link in the chain, as the other players in the system do. This would be fairer to banks and merchants, more pro-consumer, and better for Apple. It would be a matter of private contract, in which Apple would have a clear role and explicitly defined rights and responsibilities. Not only would this give Apple an incentive to improve security, which it would likely do in a more elegant, usage-encouraging way than asking for IDs at the register, it would also help the company mend fences with the banks and merchants upon whom Apple Pay’s success relies. It might also help blunt any effort to regulate Apple as part of the credit industry, since its role would already be understood, and it would already be sharing responsibility for protecting the system.

Private incentives and innovation driven by voluntary contract have served the market well so far. I hope Apple will consider embracing them more fully.