tommorris.org

Discussing software, the web, politics, sexuality and the unending supply of human stupidity.


tube


TfL ticket inspectors aren’t able to verify Apple Pay and bPay users. Sounds like another reason to not use Apple Pay, along with how bloody fiddly it is to actually use.

Update: The story I linked to isn’t true. I still am not going to bother using Apple Pay as using my card is a lot less fiddly than using Apple Pay.


Testing Apple Pay in London

Apple Pay went live today in Britain. I was browsing Facebook and I saw another iOS user excited that they’d got Pay working. I know they have a penchant for downloading public betas and so on, so I thought perhaps they might be early to the party.

I grabbed my phone and saw that Apple Pay was on the menu. The card I use for the iTunes/App Store was already listed in there—I just needed to get a text. I also set up some other cards. The text approval cycle varies. With American Express, it was damn near immediate. With NatWest, it took a while. NatWest probably send out an order of magnitude more texts than American Express (just based on the fact that they have to notify customers about debit and credit cards, loans, mortgages, savings accounts and much else besides).

After playing ping-pong with verification codes, I now have four cards in my Passbook—my American Express card, my NatWest credit card and two NatWest debit cards. Barclays do not support Apple Pay, otherwise I would have added my business debit card. The reason Barclays aren’t supporting Apple Pay is because they have their own thing called bPay. They seem to think that people would much rather pay money to get a thing that looks like a Fitbit but is actually a way to make contactless payments. Good luck with that. Nobody wants that shit. So no Barclays. Just American Express and NatWest for me.

The first thing I noticed is how different the set up experiences were. When I set up the American Express card, the app gave me a welcome message from American Express which basically explained how I used it, and what to do if my phone is lost or stolen (basically phone them). My bank provided no such welcome message.

The layout of the Passbook changes once you have payment cards in there: it is split in to two sections with your credit cards at the top and your passes at the bottom. One thing that will be interesting is to see how exactly this all works when travelling: when you are at an airport and have a Passbook-based boarding pass, it prioritises that over the other uses of your phone. How you juggle between boarding pass and Apple Pay is something I’ll have to wait until I next fly to find out.

The Passbook entries vary in utility. The American Express Passbook entry is spectacularly useful. When I first got an American Express card, I downloaded the Amex app, but it requires me to enter my password to log in everytime. I stopped using the Amex app pretty much immediately and started using the (mobile optimized, responsive) website because I could login with 1Password. The Passbook card gives me the bare essentials of what I wanted from the website or the app but with less inconvenience—it shows me the recent transactions on my card. If I want to know the full balance on my card or how many points or whatever, I have to login to the website, but this reduces the friction a lot. If you have an American Express card, it is worth setting up Apple Pay for it, even if you don’t plan to use it much, just because Passbook is the most friction-free way to see your transactions.

The NatWest Passbook entries aren’t nearly as useful. They do distinguish between debit and credit cards, but if you have two debit cards from NatWest (say, a separate joint bank account, or a business and personal account), there’s no way to tell the difference between the two debit cards except the last four digits. Being able to add a label to your cards would be a useful addition to help separate these things out.

The NatWest Passbook transaction list only shows you transactions on your NatWest cards that have been conducted on the phone itself compared to the Amex approach of showing you all transactions conducted on your account.

Personally, I think that in this day and age, we ought to have instant SMS notifications for every single transaction for auditing purposes, but until that happens, I think that it is important for the banks and credit card companies to make getting access to your transaction log as seamless and non-fussy as possible while still staying secure. Until Apple Pay, it was easier for me to find out the transaction log for my Subway loyalty card than it was to find out the transactions on my credit cards.

Anyway down to the actual business of testing this thing.

First stop, a London bus. One of the New Routemasters (or “Boris buses” as they are known), to be specific. Hop on the back. Hold my phone to the reader and hold my finger on the button. It takes a fraction longer than it usually does with my card but eventually it works. Once I have climbed upstairs and sat down, the Passbook app tells me I had a transaction in “London, England”. I am guessing that is because the mobile payment point on the bus may not have transmitted as much data back to my phone as one in an actual shop.

Second stop is a branch of Boots pharmacy. I hold my phone to the reader and it goes into pay mode. I authenticate and my phone says “done” but the card reader wasn’t having any of it. I try again and then pull my wallet out and charged it to my card normally. The assistant told me that someone else had used their iPhone to pay earlier that day and it worked then.

Third attempt today was to get the bus home. I think I’ve got it this time. Only like a buffoon, instead of holding my finger on the home button, I press the home button and it leaves the Apple Pay screen and goes back to the homescreen. I have to pull the phone away from the reader, put it back, then put my finger back on the home button. The bus driver looks at me as if I’m simple.

Will Apple Pay mean leaving wallets and purses at home everyday? No. It means a proportion of payments can be done on your phone. The contactless ones in shops where the gear supports it. It is slightly more fiddly and you are reliant on a device that can lose its charge. It might mean lesser used cards get left at home (business expense cards, store cards) but most people will want the security of having the actual plastic in their pocket to pay when it goes wrong.

I can perhaps see how there might be some contexts in which just having one’s phone and some cash might be an alternative: exercise and clubbing. Like, if I’m going to a nightclub, I want to take the least amount of stuff possible. My phone, plus some banknotes and keys is pretty minimal compared to having to take a wallet. I can pay to get in, pay for some drinks with my phone and then book a cab home with Uber/Hailo etc. (or pay for the night bus—or maybe the night Tube—with Apple Pay). That’s the theory: might not work so well if one has used up all one’s electrojuice on nocturnal WhatsApping, Grindering/Tindering, Snapchatting, Instagramming or Shazaming.

Apple definitely need to improve the UX. iOS 9 promises to do this: double tapping the home button will apparently allow you to “pre-auth” the next payment before you touch it to the reader. Meaning hopefully you won’t be the arsehole holding up the queue of busy commuters on the bus or at the Tube gate faffing with his phone (or worse, his bloody smartwatch). That might improve things.

There are still some unanswered questions I have. Let’s take Transport for London. They have a system called price capping. If I am using an Oyster card or contactless card, the cost of using them on a pay-as-you-go basis won’t ever exceed the cost of buying a daily or weekly travelcard covering the journeys I have made. But does that work if one uses a contactless card and the same card via Apple Pay interchangeably? I asked TfL on Twitter and haven’t had an answer. I read earlier that starting a Tube journey with Apple Pay and finishing it with a card will lead to two journeys being recorded, and two fines. This seems like a recipe for massive quantities of ballache and some time-consuming calls to the refund line. It would be nice if TfL were to sort this out and explain it in a simple way so people don’t get caught out.

One thing I’d be interested in is whether there’s any plans to handle person-to-person money transfer in the future in addition to consumer-to-business. PayPal fees kind of suck, and I don’t really know anyone who actually uses Paym. There’s Bitcoin, but I’m not a Ron Paul-worshipping goldbug and I don’t think my non-technical friends and family are going to want to learn what a blockchain is or convert their Pounds Sterling through some shady-looking website. And none of them are that bothered about bringing back the gold standard either. It’s all very well making it easier to make credit card payments to businesses, but it would get quite interesting if Apple were to basically build a nice user experience on top of Paym: tap phones together, type in the amount, send.

Overall, Apple have done an okay job at this. One time transaction keys and biometric verification seem an improvement on the current joke that is credit card security.1 It needs to not randomly not work at places where contactless payment otherwise works and the iOS 9 updates need to make it so we aren’t stuck holding up queues waiting for TouchID to do its thing. There are real benefits in switching to a smartphone-based payment system (transaction notifications and biometric security), but it needs to be as seamless and boring as using my existing contactless cards.

  1. Example one: they think that the failure of a shared secret model can be fixed by adding another shared secret—CVV numbers. The credit card fraudster now has to work so much harder—they now have to turn your card over and take note of a three digit number printed on the back (or four digit number on the front in the case of Amex). That’ll stop them.

    Example two: 3D Secure aka. SecureCode aka. Verified by Visa. Banks and credit card companies encouraging people to fill in personal data in an iframe embedded in random websites is basically teaching non-technical users how to make themselves more vulnerable to phishing.