Identity theft and its accompanying crimes are so ubiquitous that the four major credit card companies (MasterCard, Visa, Discover, and American Express) set an October 1, 2015, deadline for credit card systems to switch to more secure "smart" chip cards. But while merchants and credit card companies scramble to upgrade their cards and terminals, other companies are turning to wireless payments to make everyday transactions just about hackerproof.
Here's a rundown on the wireless payment contendors and the technology behind them:
Apple Pay uses NFC (Near Field Communication) to transmit a one-time authorization code to the payment terminal. The authorization code is only released when a fingerprint is successfully scanned (or, if fingerprint ID is not working or not enabled, a passcode will suffice). The iPhone's internal security chip combines with the POS terminal to generate a cryptogram and then attach it to the customer's personal account number. That number is then sent to the bank, which processes the transaction. So even though the entire process takes just seconds and the money is shown deducted from your bank account, there is still processing happening on the bank's back end. If a hacker manages to crack the authorization code sent to the payment terminal, congrats: the code is useless.
However, Apple Pay has its limitations: it only works on iPhones 5s and newer and with the Apple Watch. It also only supports a handful of credit and debit institutions (though that number is steadily increasing), and is only currently available in the US and UK. Still, it's much safer than traditional credit and debit cards. Plus, it's admittedly pretty fun to use.
The Google Wallet has been around since 2011, making it the granddaddy of wireless payments. The Google wallet handles payments differently through the use of a Google Wallet Virtual card, which isn't the same as your bank card. The user has to first download the Google Wallet app, then enter the pincode. The Google Wallet Virtual Card then communicates with your preferred card, sends that information to the merchant, then and on to the payments processor. But that adds an extra step to the transaction, even if it does mitigate fraud, and it means that your actual card information still sits on Google's servers in encrypted form--not ideal, considering that those servers can still be hacked. Google's FAQs say, "Your actual credit card number is not stored. Only the virtual prepaid card is stored and Android's native access policies prevent malicious applications from obtaining the data. In the unlikely event that the data is compromised, Wallet also uses dynamically rotating credentials that change with each transaction and are usable for a single payment only. Finally, all transactions are monitored in real-time with Google’s risk and fraud detection systems."
Remember, too, that Google makes its money by being a big data gatherer and analyzer: the use of Google Wallet is free to the customer, but ends up costing Google through server processing and real-time monitoring. It's probably making up for those costs by analyzing shopping patterns gathered by Google Wallet customers.
Recently, though, Google has shied away from promoting Google Wallet as its wireless payment method of choice and has been using it for mostly peer-to-peer payments, similar to PayPal. Instead, Google is now promoting...
Android Pay relies on NFC communication and essentially replaces Google Wallet. It works nearly identically to Apple Pay's tokenization idea, in that no sensitive information is ever shared with the merchant, and that token is only authorized with a fingerprint or a passcode. The Apple Pay app needs to be downloaded and set up once, and then pops up automatically when it senses an NFC signal. However, while Apple's Secure Element is integrated into the hardware of its devices, Android Pay needs the cloud to generate its tokens. Though it can store a limited number of tokens on the phone, if you plan on making multiple payments in an area with a poor signal, you may be out of luck.
The downside, however, is that it only works for Android users, but an NFC signal is an NFC signal, so if you see an Apple Pay sign, chances are the POS will also work with Android Pay.
The newest to join the wireless payment fray, Samsung Pay works on its Galaxy S6 Edge+, Galaxy Note 5, Galaxy S6 and S6 Edge and is available to use in South Korea and the US. Unlike Google Wallet and Apple Pay, Samsung Pay works in almost every store, even those still using the magnetic swipe-to-pay POS terminals, and merchants don't need to sign up for any new programs or upgrade their hardware. The payment system uses similar technology as Apple Pay (NFC and fingerprint or passcode authorization). The technology that allows it to work with magnetic strip readers is unusual: it's called a Magnetic Secure Transmission and was developed by a company called LoopPay, which Samsung acquired earlier this year.
While anyone can buy a separate LoopPay device that slides onto the back of your existing smartphone, Samsung has integrated the technology into its Samsung Pay phones. A tiny metal coil bent into a loop creates a magnetic field that communicates with magnetic credit card readers the same way swiping a card does. What's interesting is that MST technology is actually older than NFC technology, which means merchants don't have to upgrade their POS systems. Samsung guarantees its Samsung Pay to work with 90% of current US pay terminals. A hefty number, and certainly higher than Google Wallet or Apple Pay.
The downside? It won't work with your iPhone or with most other phones, for that matter. But Samsung is so confident in its new technology that it's willing to pay you to use it.
The Bottom Line
For security and compatibility, Samsung Pay wins this round, but Apple Pay is close behind if more merchants will adopt NFC technology. We've come a long way from the Google Wallet app, though, and lightyears beyond plastic cards. Wireless tokenization and fingerprint authorization may be the keys to permanently stopping thieves from stealing credit card numbers....though they'll just move business to online fraud. Still, there's hope to protecting everyday transactions from those who would gladly steal from the unsuspecting card user.