Apple Pay opens little by little
It is generally accepted among security experts that security by obscurity is not a positive sign of a well-engineered security system. At the other end of the spectrum, a totally open system, where anyone is able to branch any hardware or software peripheral without control can hardly be seen as secure. Real-world implementations of security systems generally evolve between those two extremes.
Apple has always been leaning on the closed and secure side of the spectrum. They developed Apple Pay as a “closed ecosystem,” where they would control all aspects of the system. Then, little by little, thanks to NFC standardization, and more general acceptance, the system becomes more open. Tokenization services are now standardized and proposed essentially by the major international payment schemes.
Things are evolving again under several types of pressure. Regulation plays a part, but one can suppose Apple is also sensitive to business demands from issuers, merchants, and acceptance systems, which are all willing to perform more payments through Apple Pay.
EU regulations my take long to be built but when they are finally enforced, they become a strong pressure means on large corporations. In May 2022, the European Commission made public that it considered a violation of European antitrust regulations the fact that Apple was restricting access to its NFC functions to its own payment apps: Apple Pay was the only mobile wallet solution that may access the necessary NFC input on iOS, as Apple did not make it available to third-party app developers of mobile wallets. Now, under pressure of the European Commission, Apple announced it would let other stakeholders access its mobile payments systems.
In France, Apple Pay transactions that were so far processed using the international rails of Visa and Mastercard will, from 2024, be able to use GIE CB French national scheme. Originally, only Crédit Agricole and SG (ex-Société Générale) were using GIE CB for Apple Pay transactions, while other financial institutions had to deal with Visa or Mastercard for their tokenization services, necessary to complete NFC transactions. Now, all issuers of cards bearing the CB logo, will be able to use a new GIE CB tokenization platform, which will be built with the support of STET to have their cards included in Apple Pay.
Germany passed a law in the same direction as early as 2019, requiring Apple to allow other mobile payments services to access the iPhone’s NFC chip for payments, against a "reasonable fee," without stating what was deemed reasonable.
Even in the UK, where EU antitrust regulations do not apply, the open banking concepts have been brought into Apple Pay, allowing cardholders from most UK-based financial institutions to view their debit card account details, as well as debit and credit card spending history, payments, deposits, and withdrawals, conveniently in one place in Wallet.
Things are evolving on the acceptance side as well with the arrival of Apple Tap-to-Pay technology that turns any iPhone into a SoftPOS, globally in the EU. In France, the technology is launched with BPCE (Banques Populaires, Caisses d’Epargne) and acceptance partners Adyen, myPOS, Revolut, SumUp, Viva Wallet and Worldline. In addition, BNP Paribas, Crédit Coopératif, MarketPay, Stancer and Stripe are expected to join the program in the coming months. Similarly to transactions completed on a regular POS, transactions ill at first be routed though Visa, Mastercard, Amex or Discover, the integration with GIE CB being planned as the next step.
The combination of business opportunities and constraints with antitrust regulations are proving efficient in fighting too closed systems. Our secure transactions industry has enough experts to make this transition from a fully closed to a half-open environment a secure one.