By Matt Birchler
Topic: payments
Posts: 4
Page 1 of 1

Addressing 4 Misconceptions About Payments I Typically Hear from Apple Enthusiasts

I’ve posted a lot both here and on Twitter about payments over the past year for two main reasons:

  1. The App Store rules around payments have been in question, so now payments are just another Apple-related subject.
  2. Lots of people commenting on this stuff have incomplete understandings on how this stuff works, and I’d like to share better information.

Why Listen to Me?

I’m a product designer at a major payments provider that processes billions of transactions per year, and is used by over 1/4 million merchants worldwide. As a technical product designer, my job requires me to have an understanding of how merchants operate, what they want, and how data is passed around (yes, I literally review the API logs during a transaction’s lifecycle).

As always, this post is entirely my own opinion and does not share any sensitive data.

Misconception 1: Merchants want to mishandle my credit card

Nope, in fact the vast majority of merchants would just as well never know your card number in the first place. There is something called “SAQ-A compliance” which is something that many, many merchants want to fall under. The super short version of this is that a merchant is exposing themselves to much less risk (and can save tons of money) if they can take payments without ever seeing your card.

I made this video earlier this year showing how merchants do this on the web.

https://youtu.be/Mj6VMsQBljE

Misconception 2: Apple is the only company people trust to process e-commerce transactions

This isn’t too common, but lots of people do seem to argue that “normal people” don’t trust anyone else with payments. I mean Apple is definitely quite trustworthy here, but they’re far from the only one who can do it, and they’re far from the only company “normal people” seem to trust. The App Store processed about $72 billion (estimated) in transaction volume last year, but e-commerce in general processed around $4.5 trillion last year. Apple’s App Store accounts for 1-2% of that total, which is impressive, but truly a drop in the bucket, and “normal people” are quite familiar with paying many other places.

Misconception 3: When I use an Apple Pay button on the web, Apple runs the transaction

This is a big one, and no, Apple does not process these sales at all. Here’s what happens when you see a payment form with an Apple Pay button and a “key in your card number” form:

  1. You click the Apple Pay button
  2. The merchant’s site feeds in the payment details to the Apple Pay SDK
  3. Safari displays a UI for the transaction total and any required fields/shipping options to the user.
  4. You confirm the sale.
  5. The Apple Pay SDK encrypts the card data and gives it to the merchant.
  6. The merchant makes an API transaction request to their payment provider with the encrypted token.
  7. The provider decrypts the token and gets the card info, the customer billing info, and shipping info.
  8. All this data is sent to the merchant’s processor (def not Apple) to approve or decline.
  9. The processor approves/declines the transaction.
  10. The merchant’s API request gets a response showing approved/declined.
  11. The merchant’s reporting shows the customer’s name, address, shipping details, and masked card number/expiration date.

Depending on how the merchant used Apple Pay, they can save that card to charge later as well, so it is not necessarily a one-time use token, even.

The important thing to know here is that when you use an Apple Pay button on the web, you’re saving time and reducing the odds of a typo in your payment details, but the transaction flow is basically the same for the merchant. And like I mentioned in the first misconception, the odds are that all ways a merchant takes your card data on their site involve the card number being hidden from them.

Misconception 4: Apple doesn’t sell line-item data for advertising

This tweet came across my feed yesterday when I was tweeting about payments:

Security isn’t just about fraud prevention. Most credit card processors and credit card companies sell your transaction data, unless you live in California.

Followed up by:

Purchases made through IAP aren’t itemized to the credit card companies. American Express doesn’t know what you purchased. It just shows as paying Apple.

Ok, so selling transaction data is indeed a thing, and while not everyone does it, enough do it that it’s something you should be aware of. However, this specific argument is barking up the wrong tree.

Banks do sell payment data, but that data is almost entirely just where you shop, not what you’re buying. My bank knows I buy things from Apple, but they don’t know what I buy from Apple. They also know that I buy things from other companies, but it’s exceptionally likely they also don’t know what I’m buying from those companies. Why?

To get into this, we need to talk about transaction data “levels” when it comes to e-commerce (retail is different, and we don’t have time to get into it). This is a bit simplified, but there are generally 3 levels you can qualify for:

  1. Level 1 data is the card number, expiration, CVV, and customer name/address.
  2. Level 2 data is generally things like order ID, PO number, and shipping details.
  3. Level 3 data includes more shipping data, as well as line item details.

The vast majority of the e-commerce you, an individual usually experience is likely Level 1, and sometimes Level 2. Level 1 is the bare minimum to run a transaction, plus a few things that help validate you are the actual card holder (CVV and address verification), and this is generally what gets sent to the payment processor.

Shipping data falls into Level 2 data, but just because you provide shipping details, actually doesn’t mean that’s a Level 2 transaction. Many times this shipping info is simply collected for the merchant to send you the product and it never even makes it to the payment processor (aka your or the merchant’s banks).

But those original tweets refer to the final level, Level 3.

Again, the merchant may be collecting line item data from you, but that could be just so they know what your order is and what they need to fulfill. This does not make the transaction “Level 3” though, it only qualifies if those line items are passed onto the processor. In the vast majority of cases, they are not. See, Level 3 processing is considered an add-on for most merchants, if it’s available at all. That means you pay extra for being able to send this data with your transactions. Most merchants don’t want to do that, but some will because it can mean lower overall fees in some cases.

Additionally, Level 3 transactions are usually used in B2B (business-to-business) or B2G (business-to-government) transactions. B2C (business-to-consumer) is almost always irrelevant here. A merchant will send this enhanced data because they want to drop the processor fee from something like 2.8% to 2.2% (it varies, of course). That difference doesn’t seem like much, but remember, these are B2B and B2G transactions, which tend to be quite large. The difference is trivial on a $15 lunch ($0.09), but on a $40,000 order, that’s $240, which ain’t nothing and adds up fast!

Anyway, this is a long way of saying:

  1. The vast majority of the time, your line item data is not sent to the processor.
  2. It’s usually banks selling data about where you shop, not what specific things you’re buying.
  3. Merchants can sell/use line item data for ads or sell it off, but they also need to know what you’re buying so that you can give you the things you paid for. That’s true whether you’re buying direct or through Apple’s in-app purchase system.

That’s It for Today

There is probably more I could jump into, but these are the 4 that I’ve seen in the past few days alone that I wanted to hit on right now. I think it’s good that people are interested in payments technology and want to talk about it, but I think it’s important for us to be talking about things accurately and not in the vague way I usually see online.

Restaurants, QR Codes, Splitting the Check, and a Peek Into My Day Job

All Of A Sudden, Qr Codes Are Everywhere

For restaurants, the codes can help solve the labor crunch brought on by the pandemic by requiring less waitstaff. They also offer an opportunity to engage more deeply with guests.
“This is the first time that restaurant POS [systems] have really had access to the patron of the restaurant,” said Jennifer Sherman, VP of product for NMI, a payment technology company. “I think that’s gonna open up an interesting new world of user experience, of diner experience.”
That could mean built-in customer satisfaction surveys, loyalty programs or the option to easily split the check, Sherman said.

Jennifer Sherman is my boss and the stuff we're working on for restaurants is some really exciting stuff. Can't wait to share it when it's out!

Take 2 Minutes and Set Up Apple Pay on Your iPhone

https://twitter.com/mattbirchler/status/733839243697491969

Every so often I'll tweet something about how amazingly fast I was able to check out at a random store with Apple Pay. We all know that EMV (chip and pin) payments are slow, but secure. We also know that old fashioned credit card payments via magnetic strip are faster, but way less secure. What if I told you that Apple Pay gets you the best of both worlds, and all it takes is 2 minutes to set it up on you phone?

Setting up Apple Pay is a breeze. All you have to do is go to the Wallet app on your phone1 and hit the "Add Card" button or "+" at the top right of the screen. You'll take a picture of your card (or key it in), and then choose the 2 factor authorization you would like your bank to use to confirm you are who you say you are. I chose the email option from Chase, and they sent me an email within a minute that had a code I entered in the Wallet app to complete the set up. That's it, you're good to go.

Now that Apple Pay is set up on your phone, you never need to go into the Wallet app again. You can leave it in that "Never use" folder with all the other apps that are collecting dust on your iPhone.

All you have to do the next time you are in a store that supports Apple Pay is hold your phone up to the reader with one of your TouchID fingers resting on the iPhone's home button. As soon as you put it up against the reader, your iPhone's screen will light up and ask you to put your finger on the home button to authenticate. If your finger was already there, it authenticates less than a second after lighting up.

For reference, here's where the NFC chip is on the iPhone:

And here's where the NFC reader is on a couple of the most common card readers I've seen in the wild:

And if your concern is whether Apple Pay is even an option at the stores you go to, don't worry about it too much. No, not everywhere has Apple Pay yet, but the list of retailers that do is increasing every day. Below is a list of stores I have used Apple Pay at in the past year:

  • Walgreens
  • Jewel-Osco
  • Meijer
  • Panara Bread
  • Whole Foods
  • Party City
  • Trader Joe's
  • Apple Store
  • Best Buy
  • McDonalds
  • Crate and Barrel
  • Staples

There are certainly places I would like to use Apple Pay where it hasn't been added yet, but my experience is better at all of the above locations because they do support it. Apple also has a more complete list of locations that support Apple Pay is you are looking for somewhere I don't personally shop.

I'm a huge proponent of Apple Pay, and so is basically every one else I've convinced to try it at least once. So take a couple minutes this weekend and get Apple Pay set up on your phone. I think you're going to fall in love with it.


  1. Dig it out of that "Never use" folder you threw it in before. 

CurrentC is Totally Going to Launch Eventually, Seriously

MCX announced that they are pushing back the launch of CurrentC:

As MCX has said many times, the mobile payments space is just beginning to take shape – it is early in a long game. MCX’s owner-members remain committed to our future.

They're not wrong that the mobile payments world is still very young, but they're delusional if they think their terrible solution is going to be a major player. I got to use CurrentC at Target in early 2015 and it was a mess (although I was pretty easy on it at the time). From what I can tell, the service has not improved much since then and partners are dropping all the time.

Page 1 of 1