Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from his slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempting to disrupt or revolutionize payments, but like the payment card brands themselves, they struggled to gain acceptance.
Apple’s new iPhone 6 finally has Near Field Communication (NFC) built into the device, which means it can now interact with contactless payment card readers. The dream of leaving your house with only your phone is not quite a reality yet, but it’s one step closer. With Apple Pay, iPhone 6 users will now be able to connect their payment cards, such as their Chase-branded cards, to the NFC chip and pay through a contactless terminal. Merchants who use these terminals, and configure them in the right way, could potentially be completely exempt (except for the terminals themselves) from PCI DSS.
Where I think this starts to get very interesting is the possibility of using incentives to influence the behavior of your customers in how they pay. Every payment instrument carries some kind of risk or liability whether it is cash or card. Merchants accept payment cards to increase ticket sizes and reduce the amount of physical cash-on-hand. But what if you could influence your customers to pay you with the lowest liability option for you?
Now that merchants are allowed to add a surcharge to your ticket if you are paying with a credit card, they have the ability to create incentives for customers who are willing to pay using the instrument that carries the least amount of risk. Or perhaps they spin up rewards or discounts to customers to help them lower their overall risk footprint by using a payment instrument that is considered “safer.”
Imagine for a moment that you go to pay for your groceries and you can pay the amount on the screen if you use the contactless payment or a chip, but to pay with magstripe would incur a $2 convenience fee. Hell, call it a compliance surcharge if you like. Could this be the carrot that the public needs to switch to a safer way of doing payments?
Where this really starts to get interesting is if Apple were to monetize other parts of the card-not-present (CNP) play. Companies have tried to add secondary authentication mechanisms for these payment types for decades as well. With the adoption of the iPhone 5s and 6 and the Samsung SG5, could the thumbprint reader be the new way to authenticate a CNP transaction using your Apple ID or your Google Play account?
Depending on where things end up, I see huge incentives for companies to minimize their payment risk, revamp how they handle payments, and ultimately find ways to opt out of dealing with PCI DSS. Given the state of the ecosystem, perhaps Apple Pay just tipped the first domino in a long string of payment revolutions?
See my follow-up post with a good cheat sheet for Apple Pay.