Pub. 2 2014 Issue 4

www.uba.org

“Apple Pay” Raises Compliance and Security Questions for Banks
By Pamela Stockwell and Dimitris Rousseas

On October 20, 2014, Apple released “Apple Pay”, a way for consumers to securely pay with their smartphones. Apple bills the new payment system as a permanent and more secure replacement for your checkbook, plastic cards and wallet.

How Apple Pay Works

Apple Pay is a cardless, mobile payment system lauded for its ability to make payments directly through a mobile phone. Through Apple Pay, customers may take a photo of their credit card and their iPhone stores it virtually on a secure chip inside. To make a payment, customers enable the app and wave the phone over a merchant’s reader.

Here is how it works. After launching the payment application on a phone, the phone and credit card terminal connect using near field communication technology (NFC). The customer then either enters a passcode or uses a finger scan to verify the transaction. The transaction is then validated with a chip that relays the authorization back to the NFC modem by providing a one-time, transaction-specific digital signature. The payment then processes the same way it would in a traditional credit card swipe transaction.

Apple Pay Risks

Information security is the biggest risk associated with any payment system, and Apple Pay is no different, especially in light of Apple’s recent and notorious iCloud breaches. Apple Pay’s claim of “more secure payments” revolves around the one-time, transaction-specific digital signature. Credit cards work by using a single account number embedded in the magnetic strip. Thieves who obtain credit card numbers can easily use the same number for subsequent unauthorized transactions. In contrast, a transaction initiated through Apple Pay does not involve any account numbers. A thief who steals the transaction-specific number used to purchase a movie ticket cannot use it for anything else. Apple claims not to have any information stored on their server, such as credit card account numbers, which hackers can steal to defraud customers.

Notably, however, Apple disclaims any liability for fraudulent transactions submitted through Apple Pay. Apple requires an agreement with both the issuer bank and the customer in order for customers to take advantage of Apple Pay. We can speculate that the reason Apple requires an agreement with the account holding institution is that it enables Apple to avoid Regulation E error resolution requirements and liability. A non-account holding service provider like Apple is exempt from Regulation E liability if it has an agreement with the account holding institution. See 12 C.F.R. § 1005.14. If Apple gets hacked, banks and merchants pay for any losses.

Compliance Management

To best manage compliance risks associated with Apple Pay, banks should conduct the proper vendor management
