Google Wallet and Apple Pay: Enablers or Destroyers?

Google Wallet and Apple Pay: Enablers or Destroyers?

Written by Victoria Browne and Georgina Rayner.

When I was 16, I worked in Woolworths. Shortly after, they shut down, which in fairness had nothing to do with me entering the world of work.

Back then, I still occasionally took a cheque. I also swiped cards and asked customers to sign the receipt. On one thrilling day, we even had someone present a signature which looked nothing like the one on the card. Oh the drama.

Now, I tut in Sainsbury’s because they don’t take contactless.

In fact we’ve gotten so impatient with our paying methods that we’ll all brave the thought of some scally nicking our purse and going on a rampage in Starbucks just for the sheer convenience factor.

Security issues are something we regularly discuss in the office. Not least because, at some point, most of us have saved a relative north of age 45 from something ‘iffy’ online. We’re all aware of the threats online transactions pose, yet most of us don’t have any clue about the technology and the security factors behind them.

So now that the world of paying online is about to get all the more sophisticated, what do we need to know before we simply click and buy?

Google Wallet/Apple Pay: What’s the crack?

On Monday 8th June 2015, Apple confirmed (Worldwide Developers Conference) that Apple Pay will be launched in the UK next month. Google Wallet is a little more established (2011) and has comforting similarities to PayPal in that users can ‘send and receive money from anywhere’ using just an email address.

Both allow contactless payment using NFC (Near Field Communication) technology. However, they take slightly different approaches depending on the device you’re using to authenticate your payment. With obsessive control over its hardware, Apple currently adopts a pretty much elitist approach to Pay.

Only enabling Pay on the iPhone 6, iPhone Plus, iPad (and soon on the Apple watch), Apple uses its own Touch ID technology for payment authentication. Consequently, you only need to hold your iPhone near the contactless reader, tap your default card and then place your finger on the Touch ID and move your phone near the reader to complete payment.

Naturally, this provides an extra level of security over simply presenting your debit card.

Google on the other hand, uses more traditional PIN based authentication. This makes Apple’s system easier to use, but allows Google’s version to work on older hardware such as the iPhone 5. Both can also be used to purchase online, automatically handling the check-out process with pre-filled defaults and only requiring a PIN or Touch ID verification.

What are the security implications?

The security measures adopted by both Apple Pay and Google Wallet are probably enough to placate even the most twitchy of the security conscious.

Involving a lovely conversation in which both speak to your bank and share some witty anecdotes about you, on the face of it there’s little room for foul play. For example, neither system reveals the user’s card details to the vendor. For your convenience, in both cases, your card details are only provided once – during the initial set-up.

Google takes on a middle man approach by saving your card details on their servers and issuing a virtual ‘card’. When you pay, the device only transmits this virtual version. Vendors don’t get to see your real card (16 digits, expiry date, etc, etc.), this is veiled on Google’s secure servers. Of course, the virtual card directly deducts from your saved bank card, however the point is, nobody ever gets to see your carefully guarded bank card. Except for Google.

Apple on the other hand employs a tokenisation system. This means that when your card details are presented to the device, it contacts the issuing bank directly. Upon confirmation from your bank, a card specific token called the Device Account Number (DAN) is stored on a secure chip on the device.

The DAN is the only thing passed to the merchant when a payment is made and authorised.

Tracking implications

As Google Wallet acts as an intermediary by storing card details on its own server, it does not need to worry about striking a narrative with your bank. The idea of a virtual card is designed to replicate how you would use your physical card and it tracks and stores details of your transactions.

And because this is Google we’re talking about, it can use this data for ad targeting. This doesn’t mean that your data is vulnerable however. If you happen to be uncomfortable with your transactions tying in to your online experience, keep in mind that Google offers 100% security with its Google Wallet Fraud Protection policy.

Unlike Google Wallet, Apple declares it will never track your transactions. It doesn’t even store card details. It simply transmits your card details to the bank, authenticates them, and harnesses the resulting DAN. It’s essentially a clever encryption procedure, however to draw parallels with our current payment methods, it can be likened to an advanced credit card that can be rendered useless without power.

Although fingerprint scan security and the option to remotely disable the phone offers some protection if your card was lost or stolen, if someone did get access to your Apple Pay device, you would have to report losses directly to your bank.

Would you?

We work in digital. We love advancement (yes even tech for tech’s sake – hello pillow which charges my phone), but are we happy with the level of education regarding ‘online lifestyles?’

Of course not. We were taught at school that burglars could put fishing rods through our open windows and steal our things. Now we’re grown up we’re meant to believe that the intangible can and will be trusted with our personal information.

It’s wonderful, it’s clever and we’re impressed. But how many people out there would be willing to embrace this technology?

Do tech giants reimagining the world have a responsibility to educate us and provide a similar level of compensation as the FSCS? Or is it on us, the consumer, to educate ourselves, embrace change and understand the risks?

We’d love to start a discussion on this matter. Let us know what you think.

Vicky Browne
  • Tim Reese

    I think that these technologies will find their own audience immediately.