The legal limit
The built-in restrictions of the NFC-powered Apple Pay mean that the service isn't for everyone. "Many businesses, particularly those whose transactions are above £20, may have seen very little usage of contactless to this point, and may not even have point-of-sale terminals capable of accepting NFC transactions," says Woods.
That said, Apple Pay's £20 transaction limit will rise to £30 in September. "It's a classic case of regulation not keeping pace with innovation," says Carroll. "The immediate draw of Apple Pay, then, is for lower-transaction outlets like Starbucks. Looking forwards, the fact that London Underground signed up from the get-go is important."
Also key to the success of Apple Pay will be staff training. "Staff need to be familiar with the procedure, which means businesses will need to show live transactions on Apple Watch or iPhone to their staff, a challenge considering the hardware that will be required to do that," says Woods. "Common procedures such as issuing refunds require some very specific actions on the part of the retailer and the customer, including access to the device that made the payment." Will customers automatically understand the £20 limit? Probably not – and declining a payment for £21 will have to be done tactfully.
Apple Pay or Android?
Newer Android phones have proprietary payment tech that works with existing terminals, and not just contactless ones, as with Apple Pay. "While the sheer number of Apple devotees will drive initial contactless use, it will soon become part and parcel of everyone's payments," says Carroll.
Winston Bond, Technical Director at Arxan Technologies, thinks that Apple Pay triggers a debate about software versus hardware-based security. Relying solely on an iPhone or Apple Watch, Apple Pay, by definition, is the latter. "Although it is seen as restrictive and could offer little incentive to merchants due to the proprietary nature of Apple, it has for a long time been viewed as stronger in terms of security," says Bond. "However, the software-based, Host Card Emulation (HCE) approach found in Android Pay is close on its heels … and it achieves a similar level of security protection as hardware-based, and offers additional advantages of speed and agility."
With Android platform adoption at least four times greater than iOS globally, the ultimate winner will be software – and that means Android. Bond stressed that to triumph, HCE tech will have to embrace tamper-proofing software and white-box cryptography.
Is there a risk of fraud?
Built into Apple Pay is tokenisation, where card details are not shared, which theoretically makes it safe. "Contactless is faster, easier and far more secure than using a credit card," says Carroll. "Every time a consumer hands their card number to a retailer is a potential opportunity for fraud, but contactless payment, by contrast, uses tokenisation, while Touch ID using fingerprints is infinitely more secure than PIN numbers."
Others think that Apple Pay is risky. "With a £20 limit to payments, the message is simply that this is not yet safe to use – there are many banks that have had successful mobile wallet launches with much higher limits," says Mary Ann Miller, Senior Director, Fraud Executive Advisor & Industry Relations, NICE Actimize, which has experience of Apple Pay's launch in the US.
Since tokenisation has been baked into the payments process, Apple Pay is supposed to be safe, but there has already been significant fraud around card provisioning. "Apple Pay has been made so easy to use that now potentially any fraudster can set up new iPhones with stolen personal info and then call the banks to provision the victim's card to the phone," says Miller. "This has already caused huge losses in the US, where many banks were not fully prepared."
Either way, as contactless payment reaches critical mass, cash and card-stuffed wallets will soon be a thing of the past – and businesses need to be ready.