The bleeding edge showed up early for financial institutions that went first with Apple Pay. Fraudsters have quickly burrowed into the supposedly super-secure payment tunnel.
The way thieves made their way into the spanking-new service is decidedly low tech and well documented. They’re using stolen credit card numbers and other personal info purloined in past breaches to provision their iPhones. That’s it.
Four major credit union card processors I checked with — CO-OP Financial Services, PSCU, Card Services for Credit Unions and The Members Group — say they’ve had no reports of fraud among their clients. But the media outcry has raised awareness of the issue, and exposed perhaps millions of readers for the first time to the red, yellow, and green paths used by Apple Pay, issuers, and processors to approve a transaction.
Green means go, of course, while red means stop. No issuer or processor involvement here. Yellow? There’s the rub.
Transactions flagged as yellow go back for further review. Big banks have been fingered first for not taking enough caution. Credit unions that don’t want to take the blame might want to beef up that yellow path with some tougher authentication of their own.
The cure can be as simple as the cause. Most frequently mentioned is adding new “out-of-wallet” questions to authenticate transactions that get the caution light, including the most recent transaction.
PSCU also is sharing some other best practices — including new rules in widely used neural networks — with client credit unions to use themselves when authentication checks are made in-house instead of to its contact centers, says David Hall, PSCU’s senior vice president for vendor alliance partnerships.
The Most Secure Transaction Ever
Ultimately, however, knowing the member is key whether through Apple Pay or traditional transactions, Hall says, adding, “It’s important to remember that an Apple Pay transaction is arguably the most secure transaction ever performed.”
PSCU says 33 of its 818 client credit unions are now live on Apple Pay, a number growing by 10 to 15 every two weeks. “We have over 100 in queue,” Hall says. “There is no shortage of interest among our member owners.”
CO-OP also has been out front in signing up client credit unions on Apple Pay. That CUSO’s director of product development, Michelle Thornton, says news of the Apple Pay breaches has prompted questions from her client base. She says CO-OP advises simply sticking to best practices already in place for securing credit card, phone, and other transactions.
“If you’re still concerned, you can certainly add the last transaction question or some other factor,” she says. “Remember, they already might have the card number, expiration date, last four numbers of the social, mother’s maiden name, that sort of thing. But they’re probably not going to know the last transaction.”
CO-OP is adding new Apple Pay credit unions at about the same pace reported by PSCU. CSCU, meanwhile, says only a handful of its 2,300 credit union clients are live on Apple Pay. That number is expected to explode soon when FIS — CSCU’s card processor — “rolls out its service that will handle the Tier 2 support calls and other related services on behalf of the credit union,” says Tom Davis, the CTO who oversees emerging payments for CSCU.
Davis says FIS “is completely aware of the fraud and how it’s perpetrated. He adds, “The other concern is the fraudsters that utilize the green path by setting up an iTunes account with stolen credentials and then port the account over to Apple Pay to get around the yellow flow barrier. FIS is prepared to handle this at the provisioning stage.”
Adoption And Options
Also on the Apple Pay beat, more usage numbers are in. InfoScout and PYMNTS.com reported this week that about four months in, a vast majority of folks with iPhones equipped to do Apple Pay still don’t.
These are the same folks who reported on Apple Pay’s first Black Friday, saying then that their poll of 400 people with the new iPhones found only about 5% who tried it out on that holiday shopping day.
The new PYMNTS.com report did say the weeks of Apple Pay promotions by financial institutions and other providers — and tons of free advertising via news coverage — has had some impact, along with Apple’s own work at signing on new banks and merchants.
This time, PYMTS and InfoScout say more than 1,000 individuals who could use Apple Pay were surveyed. This time, 15% had tried it. Lack of awareness and preference for other payment methods were cited among the reasons.
So, if security and interest don’t equal a rush for your credit union to offer Apple Pay, you’re not alone.
A Utility, Not A Strategy
"Mobile is important but Apple Pay is a utility, it’s not a strategy. We haven’t lost anything by taking our time here,” says Tom Ruback, vice president of card services at Pennsylvania State Employees Credit Union ($4.1B, Harrisburg, PA).
Ruback was on a panel at a BAI Payments conference earlier this month in Phoenix, AZ, attended by Callahan writer Aaron Pugh. Ruback told the session that his credit union was offered the chance to jump into Apple Pay but would have had to sign documentation within just three days of receiving notice.
Ruback also estimated that maybe 200 to 300 members would immediately start using the service, from among the 35,000 members the big credit union said now have the capability.
The PSECU executive told the BAI session that credit unions also have to consider not just what they are paying from a branding perspective but also their own administrative and support costs. Plus, Ruback says, Samsung, Google, and PayPal are ramping up white-label options of their own that could work quite well.
Speaking of Apple Pay competitors, CSCU is gearing up to support them, too, should the demand arise. That includes client and client member education. Davis says.
“As more of our credit unions move to Apple Pay and eventually Samsung Pay and beyond,” he says, “we’ll begin an education series designed to keep our credit unions up to date not only on fraud topics related to wallets and tokenization, but other relevant wallet strategies as they continually evolve.”
So, what’s the hurry?