The race to launch the next big mobile payment application turned into a full-out sprint after Apple Pay debuted in the fall of last year. The four front-runners - Samsung Pay, Apple Pay, Android Pay and CurrentC - are all competing for market share in a crowded and quickly changing payments space. Curious what the differences are between them, and which, if any, will be the answer to a growing payment card fraud problem? We break it all down, with the details you need to know:
This post was first published on PaymentWeek.
Given the attention around the mobile payment race, it’s worth noting that Apple Pay is the only system that is currently fully launched. Samsung Pay is currently in trial in South Korea, Android Pay has completed a trial and is waiting for launch, and CurrentC will be launching a limited trial of their own in Q3 of this year.
The differences between these platforms, however, go much deeper than their expected launch dates. While Apple Pay and Android Pay are incredibly similar in their capabilities and the technology behind each transaction, Samsung Pay and CurrentC operate in very contrasting ways. Samsung Pay, with its support for Magnetic Secure Transmission (MST), the exact same technology that current magnetic stripe card terminals use, could very well be the most widely supported platform if it were deployed today. That said, the upcoming industry-wide switch to support EMV chip cards in October could render most MST-only terminals nearly extinct, as all merchants will need to provide chip card readers or otherwise be held responsible for fraud chargebacks that emanate from out-of-date terminals.
Unlike the other three platforms, CurrentC is banking on bypassing credit and debit cards altogether, unless they’re store branded. They’re hoping customers are comfortable enough with linking their checking accounts directly, and then plan on using QR codes on either the POS terminal or the customer phone to authorize an ACH transfer direct from the bank to the merchant. It is, however, worth noting that during an initial test of CurrentC last fall, the platform suffered a breach of customer data.
But CurrentC isn’t the only one that’s suffered security issues. When Apple Pay first launched in the late fall of 2014, it was plagued with fraud as hackers easily took advantage of the banks’ weak authorization processes and loaded stolen card information onto their own iPhones. Apple has steadfastly held that all cardholder verification steps are up to the individual banks, and that cards are not allowed to be added to Apple Pay until they are cleared by their respective issuing banks. Since then, many banks have transferred this verification step over to their customer call centers, but hackers have found ways to exploit that process as well. According to mainstreet.com, hackers are now porting user mobile phone numbers over to their own devices, taking the verification call and continuing to easily load stolen card info onto their devices.
We have yet to hear of different or more secure onboarding processes to be expected from Samsung Pay or Android Pay, though more support from either to help banks with the verification process would likely be met with overwhelming accolades.
What has been grossly overshadowed by the fraud and data breach problems is that all of these mobile payment platforms have developed unique ways to protect account numbers from being compromised during transactions. All four platforms tokenize account numbers before the transaction is initiated, to prevent merchants from ever receiving the actual card or bank account numbers, which will go a long way toward preventing mega-breaches the likes of Target and Home Depot.
What these platforms won’t ever do, however, is eliminate payment fraud altogether. As we learned in the Trustwave Global Security Report this year, ransomware attackers see an average of a 1,425% return on investment for their efforts. The likelihood that they will be deterred by tokenized account numbers or fingerprint verification is slim. This new technology is only a very small piece of a comprehensive payment security and fraud detection strategy, and should be considered as such.
| | Samsung Pay | Apple Pay | Android Pay | CurrentC |
|---|---|---|---|---|
| Launch Date | Currently in trial in South Korea. U.S. launch expected September 2015. | October 2014 | Late summer 2015 | Limited trial run in Q3 2015 |
| Compatible Devices | Galaxy S6 and S6 Edge | iPhone 6, iPad Air 2 and iPad mini 3 | Any Android device that’s NFC compatible | Unclear, but will likely have the broadest compatibility, since it’s only an app. |
| Payment Technology | Supports NFC, but also Magnetic Secure Transmission (same tech magnetic stripe cards require) | NFC | NFC | POS terminals that can deliver and read QR codes |
| Confirmed Partners | Synchrony Financial, First Data, MasterCard, Visa | MasterCard, Visa, American Express, Bank of America, BMO Harris, Chase, Citi, Capital One, among dozens of other financial institutions | American Express, Discover, MasterCard, Visa, Bank of America, Navy Federal Credit Union, PNC, Regions, USAA and US Bank | So far, no deals have been struck with major card issuers. |
| Merchant Support | Estimated 30 million merchants worldwide (expected to be the most universally accepted mobile payment platform, due to the MST technology that doesn’t require a new/upgraded terminal). | Currently over 700,000 locations (it launched in the fall with a little over 200,000 locations). A list of stores is available on their website. | Currently over 700,000 locations, along with hundreds of apps (viewable here). | MCX, the company responsible for CurrentC, is made up of dozens of the country’s largest merchants. |
| Security | Samsung Pay uses Knox (Samsung’s own mobile security software) and ARM TrustZone. They also use tokenization to ensure account numbers are protected. | Tokenized device account numbers are stored on a chip on the specific device (and not on Apple servers). For each transaction, the device account number along with a security code are used to process the payment. | Card numbers are encrypted, and a unique tokenized account code is generated for each transaction. The only notable difference is that Android Pay stores this information in the cloud. | CurrentC requires the user to link up his or her checking account for direct ACH transfers. Like the other payment platforms, tokenized account numbers are sent to process the transaction. |
| Onboarding & Authentication | Scan or type in credit/debit cards (bank authentication required - though it’s not clear what that process looks like). | Cards can easily be scanned or typed in. Authentication process falls on the bank. | Difficult to tell, since the service isn’t live yet, but presumably will follow a similar process as Apple Pay and Samsung Pay. | Unsure on how CurrentC will work with banks to authenticate the account data being uploaded to the app. |