Apple’s Deal with Major Credit Cards Companies Has Hidden Value

Editorial

It's one thing for a company that makes great hardware to move into wearables. It's quite another to delve into mobile payments. But the two are linked in ways we don't yet appreciate.


Whenever Apple sees a market opportunity for hardware, whether it's an iPod or an iWatch, it's frequently confronted by marketplace issues that block its ability to succeed.

Other companies, in my view, tend to leave the issue to the customer and, instead, focus on features that will distract the customer from underlying issues, such as security.

Apple, on the other hand, knows that its customers tend to view the Apple ecosystem as a coherent whole. Music is downloaded to iTunes, then synced to an iPhone. Photos are shared via iCloud. Find my iPhone on an iPad mini can locate a lost or stolen sister device. Yosemite Macs can use an iPhone as a Wi-Fi hotspot. The list goes on.

It's All About Sales

In concert with all that, it's been an irritation for years that major credit card companies have been slow to adopt the more advanced technologies used in Europe, smart credit cards. If Apple can use its technology and market clout to effect a favorable change in the technology that helps its customers enjoy the secure and fruitful use of its iPhones for financial transactions, the company is going to sell a whole lot more of them.

All of this depends, of course, on a solid infrastructure based on sound security. Apple, more than any company I know, understands that great security in its mobile products will lead to more sales of its mobile products. A smartphone is no longer just a telephone. It's emerging as our credit card, our ATM, and our remote banking portal.

Small but crucial differences in product design can often go unnoticed and the implications glossed over. For example, the iPhone has hardware encryption. Some other smartphones do not. A passphrase encrypted iPhone is very secure, provided the owner doesn't jailbreak it.

In the end, it doesn't matter if a smartphone has this or that feature for the sake of thrilling the customer—or for comparison chart one-upmanship. What matters is whether customers will embrace a next generation smartphone that allows them to have relative confidence that in our nasty, dangerous world of hackers out there, the iPhone will give them the best shot they can possibly have at evading a financial loss.

The genie is out of the bottle. There's no going back now. Reverting to a 1990s flip phone in the (comical) style of Leroy Jethro Gibbs (NCIS) isn't the answer.

The iPhone in Transition

The iPhone 6 will be a transition smartphone. In other words, in the past, companies that make smartphones have added feature after feature, cameras, magnetometers, gyroscopes, GPS, you name it, and all these features have provided great new functionality and features, but they've also opened the door to the black hats. In the future, smartphones will become financial instruments—with even greater risks.

Starting with the iPhone 6, there is more than privacy at stake. Some smartphone users will claim they don't care if a hacker steals their sister's phone number. But take their money, and they tend to get really angry.

The deals that Apple has struck with American Express, Visa and MasterCard, aren't just an idle excursion by a hardware company into exploratory financial services. Rather, it's Apple's unique way of stepping into a market that has certain problems that could stymie Apple's future growth and developing an elegant consumer solution.

I believe Apple intends to invoke its serious engineering skills to bring its own unique brand of ease of use and transparent security to the whole financial affair. That's a foundation Apple can take to the bank in the long term when it starts selling the iPhone 6.

This personal, financial security initiative on the iPhone is something that other smartphone companies will certainly try to mimic. How well they succeed will be judged by the consumers.

All this is something to keep in mind as you watch Apple's September 9 event. Oh, and by the way, Apple will generate some handsome revenue from this service. We won't begrudge them that.



I fully agree - there is a lot more here than people realize.

On a related thread a few days ago, before the deals were announced, I suggested that Apple might make a deal that gave it a part of the “fee” charged by Visa/MC in return for a reduction in losses. Some posters thought that Apple would not, and would stick with hardware sales. I believe that is a myopic view and that Apple will use the “fee” as a competitive weapon. Apple knows that its solution is secure and has presumably convinced Amex/Visa/MasterCard. So, for a part of the fee, Apple would indemnify the issuer and bank against fraud. Banks and issuers would save money, and Apple would make some. Now Samsung might run some new ads about the cool-factor of the new Galaxy, but will it put its money on its fingerprint reader and maybe a “secure enclave”? I don’t think so - these are part of a system that cannot easily be copied and using the fee is a way of making that a competitive advantage.

Many people have been writing about the presence or absence of NFC but I wonder if it’s that important. NFC has security issues but maybe Apple has added an application layer or somesuch to overcome the shortcoming. But it is worth remembering that all the credit card terminals in the U.S. will be replaced within the next twelve months or so in order to accommodate the new chip cards. It would not be hard for all these to have both NFC and BtLE, for merchants so inclined.

The other thing about NFC is that it, rather obviously, relates to card-present transactions. But the card-not-present ones are as big an issue, if not bigger. Lots of merchants will be looking for ways to encourage people to use their iPhones for purchases.

The huge change is that what Apple appears to be doing hardens the transaction exchange from end-to-end. Hacks on terminals such as the one at Target become impossible. Even the infamous chip+PIN compromise of a few years ago (white-coated “servicemen” replacing the card readers) is a thing of the past. No-one else is doing this—no-one. And that’s huge.


vpn, thanks for your take on this. I haven’t followed this closely and may have missed something. I read that the Target hack was the result of sloppy corporate IT security, when the hackers got in through a flaw in the air-conditioning software. Was that incorrect?


ibuck: it does appear that Target had not configured its networks very well, amongst other things. There seems to have been no separation between the network supporting POS terminals etc and the general corporate network. And there was at least some access to the corporate network by outside vendors, such as the A/C company. It certainly does seem that the initial breach was into that company, and that access then became access to Target’s own network.

To make it even worse, Target’s IT security firm noticed weird stuff going on and notified Target. This was after the data had been “collected” but while it was still sitting on a server in Target’s network. That is, BEFORE it was exfiltrated. Target took no action, and we know the result.

Lee Dronick

  I read that the Target hack was the result of sloppy corporate IT security, when the hackers got in through a flaw in the air-conditioning software. Was that incorrect?

That is what I heard, but I have also seen a story that they first got into an external Human Resources service and then into Target. As to the HVAC controls, there is a lot of talk about such controllers, traffic lights, watermain valves, and other such things being currently underprotected. The vendors recommend strong passwords, but the end users are either sticking with the default or using a simple and common password.


Lee: the report from Brian Krebs (Email Attack on Vendor Set Up Breach at Target) says that it was the HVAC company but it doesn’t matter which - the problem is that an outside vendor had access to Target’s corporate network, and that Target hadn’t separated the sales network (POS terminals, interfaces to banks and card processors) from general, everyday stuff.

It is frightening to see how many companies set up a single, flat network and have no separation of anything from anything else. Except maybe the HR machine with salaries. So each workstation can see every other one. It’s a great way to spread malware or spoof services. In fact, this is exactly the issue with the Windows Update problem a few years ago. A machine would connect to the “update server” but in fact it had been spoofed by a hacked machine on the local net (being local, it responded more quickly than the real server). The malware was then installed automatically with no human intervention (I think there was also a certificate weakness that caused the spoofer to be accepted as real). No - the network should be set up so that workstations never see one another (reduces traffic, too) and people who need to share things should do that on a server - with proper access control.
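Added example (not part of the original comments): a small audit of the segmentation idea discussed in this thread, checking flow records against a default-deny zone policy in which workstations share only through servers, vendors reach only a vendor-facing server, and the POS network is isolated. The subnets, zone names, allowed pairs and flow records are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): the subnets are illustrative only.
ZONES = {
    "workstation": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
    "vendor": ipaddress.ip_network("10.40.0.0/24"),
}

# Default deny: only these (source zone, destination zone) pairs may talk.
ALLOWED = {
    ("workstation", "server"),  # sharing goes through a server
    ("vendor", "server"),       # vendors reach a vendor-facing server only
    ("pos", "pos"),             # terminals talk to the POS back end only
}

# Constructed flow records: "source destination destination-port".
SAMPLE_FLOWS = """\
10.10.1.5 10.20.0.10 445
10.10.1.5 10.10.2.9 445
10.40.0.7 10.20.0.15 443
10.40.0.7 10.30.4.2 22
10.20.0.15 10.30.4.2 1433
10.30.4.2 10.30.0.1 443
10.10.3.3 10.30.4.2 3389
"""

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit(flow_text):
    """Return (src, dst, port, src_zone, dst_zone) for every disallowed flow."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            violations.append((src, dst, int(port)) + pair)
    return violations

if __name__ == "__main__":
    for src, dst, port, sz, dz in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {sz}->{dz}: {src} -> {dst}:{port}")
```

On a flat network every one of these flows would succeed; under the policy, the workstation-to-workstation flow and all three flows into the POS zone from outside it are reported.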
