Apple Pay UK: A Road Test
The rumours were true. This morning Apple Pay launched in the UK. I’m a strong believer in the value of user testing so decided to do some myself for Apple Pay.
Given the reported teething issues with some card issuers’ authentication processes and fraud in the US I was interested to see if our banks here had learnt from these mistakes… How would their registration processes be? Had they properly tested their Apple Pay processes?
In the name of digital risk research I attempted to add the following cards to Apple Pay…
An active but rarely used NatWest card
A cancelled Amex card
A (non-eligible) Lloyds card
The Amex card on my iTunes account (incidentally the same Amex recently cancelled)
If you have read up on the Apple Pay registration process, you will be aware that registrations are classified according to the risk that it is not the true card holder initiating them. Where your bank has some doubt that it is actually you trying to add a card to Apple Pay they will request further authentication. I was interested to see how well my banks knew me and if and how they would request authentication for my selection of cards.
According to the US Apple support pages “Apple…sends the encrypted data, along with other information about your iTunes and App Store account activity (such as whether you have a long history of transactions within iTunes), information about your device (such as phone number, name, and model of your device plus any companion iOS device necessary to set up Apple Pay), as well as your location at the time you add your card (if you have Location Services enabled) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
Based on the above, I do have a few years’ history of transactions with iTunes; however, the iPhone I was adding my cards to was not the phone I have registered with iTunes or my banks, so I was prepared to have to provide further authentication. Here’s what happened…
The active NatWest card
Could I add it? Yes.
What authentication was I asked for?
After entering my name, the card details and security code I was prompted to verify by calling NatWest or receiving a one-time security code to my mobile number on file. I went for the one-time security code but I would be interested in seeing what information I was asked for over the phone.
Anything else?
The T&Cs for NatWest were very brief. While I am all for succinct T&Cs I’m not sure these add a great deal given I have already agreed to the credit card agreement being referred to.
Once I had successfully added a card, I received a text message from NatWest to my mobile number on file confirming I had added this to Apple Pay.
During my tests I deleted my NatWest card from Apple Pay twice. When I tried to add it back a third time I received an error message advising me to contact my card issuer for more information.
The cancelled Amex card
Could I add it? No.
What authentication was I asked for?
It never got to the point of authentication – once I entered the card details I got an error message. This was not the message I would have expected as it referred to the issuer not supporting the card, but it still prevented a cancelled card being added with the details from the plastic.
The (non-eligible) Lloyds card
Could I add it? No. An error message advised the issuer didn’t yet offer support for the card.
The Amex card on my iTunes account (incidentally the same Amex recently cancelled)
Could I add it? Yes.
What authentication was I asked for?
I had read from some sources that for cards being added to Apple Pay from iTunes only the security code on the card needed to be entered for authentication. However, when I attempted to add my card, I was prompted to receive a one-time security code for this journey also. I had the option of receiving it to my mobile or email on file. As mentioned, the iPhone I was using Apple Pay on is not the same number as the mobile I have on file with iTunes (and the plastic card was cancelled) so this could well be a security precaution.
Interestingly I was able to add the cancelled Amex card that I couldn’t add manually via this route. When it appeared in Apple Pay, the last four digits of the card number were different to the cancelled plastic so it looks like Amex automatically created a link to the replacement card. I was also able to use this card to pay with Apple Pay (see below). This approach makes sense to me as it was only the original card details that were cancelled and not my iTunes credentials. By allowing me to use the card via Apple Pay I can keep making transactions while I wait for my new plastic to arrive.
Anything else?
The Amex T&Cs are meatier than NatWest’s and include additional information on security recommendations (further info if you scroll down too).
Once I had added the card, Amex sent an email to my email address on file confirming my card had been added to Apple Pay and some further security advice. This came through about an hour after I added the card. When I deleted the card I received another email confirming I had deleted a card from Apple Pay.
All in all I was satisfied with my experiences adding cards to Apple Pay. The Apple hosted experience is very slick and the card issuer authentication processes integrate well. The use of a one-time passcode seems to be the prevalent authentication approach, which is reassuring as this is a lot better than asking for static security information, like mother's maiden name. I would however like to go through the authentication path via calling NatWest to see what information they request for authentication (I will have to call anyway to re-add my card after locking myself out!).
Sending an SMS/email to the mobile/email address on file with the issuer is a good means of making the card holder aware that their card has been added to Pass too in case this has been done fraudulently. The difference in T&Cs between the two issuers was a bit surprising but once PSD 2 comes into law this could drive further standardisation here.
My next test will be using Apple Pay for a transaction... keep posted!