Here's how Apple should make its new payment NFC tag
Apple has recently presented a new functionality: being able to pay with your iPhone (more info here). Wait, haven't we been able to do that with Apple Pay since 2014? Yes, but now it's different, and here's why.
Today, you can pay at a brick-and-mortar merchant with your iPhone or Apple Watch. For this:
- you need to register your payment card in your iDevice's dedicated mobile app: the Apple Wallet
- your merchant needs a contactless point of sale (PoS), and its payment provider must have a partnership with Apple
During the payment process (that looks like a simple beep to the naked eye), both the phone and the PoS have quite a complicated discussion over the air. They speak a standardized secure language over a technology called Near Field Communication (NFC). Then the PoS contacts your bank to check you are indeed the owner of the phone, checks your balance and the payment is done (ok, the process is in reality way more complicated but let's keep it simple). All of this is possible because both the phone / watch and the PoS are smart devices. And smart has a price, starting at approximately $100 per device.
Now what happens if we want to make payments easy, but with much cheaper (therefore duller) devices? Now that's an interesting challenge, and here are a few scenarios that we could tackle:
- let's put an NFC sticker (price <5¢) on a fixed price item
- let's put an NFC sticker on a rental item (scooter, bike, etc.): the tag, whose memory cannot be modified, contains the item's reference; then, at checkout, the smartphone dynamically contacts a web service to obtain the price (in our scooter scenario, the price would depend on the rental duration)
- let's put an NFC sticker on a machine, acting as an unsupervised PoS (such as a parking ticket machine)
Sounds great, doesn't it? But is there any catch? Not really, however keep in mind that an operation done with your phone in front of a point of sale is considered a "brick and mortar" payment. A payment done with a simple NFC sticker along with Apple Wallet will be considered (my guess) as an online payment. It is important to note that fees applied by schemes (Visa, Mastercard...) are higher on online payments (for more information about interchange fees and "card not present" status, I suggest reading Card Present vs. Card Not Present Transactions by Ellen Cunningham).
So, what will these stickers contain?
My guess is that Apple will store classic data in a structured form, such as:
- amount + currency (probably limited to USD at first)
- merchant ID
- merchant category code (grocery store, restaurant, etc.)
This won't necessarily be stored inside the tag: for more flexibility, the tag might only store a reference that the wallet application looks up online to get all the data (this allows a dynamic price and lets the data be updated later without rewriting the tag). Obviously, this would require the payee to run a server that can provide the necessary data dynamically (e.g. the scooter rental company knows how long your ride lasted, so it can say how much you owe).
But can't I already do that with my existing scooter app? Sure, you have already registered your card info in your dedicated mobile app, so you can do what is called a "card on file" payment, that is to say paying without entering your card information again (this method was popularized by Amazon's then patented one-click-payment or Uber). But what if the scooter you desperately need at this very moment is owned by a brand you haven't registered with yet? Do you have the time to download this new app and register one more time (entering your email and your phone number, choosing a password, typing the code you've received by SMS) in order to have your ride? Apple brings here a means to do it smoothly with Apple Wallet, no extra app needed, and I must admit that's smart. Plus, your card information won't be stored in another company's database (given the high frequency of breaches nowadays, that should be a relief).
What's the risk of using a cheap NFC tag?
Liju and Steve Moser suggested to me that someone could put a fake sticker on top of the real one, in order to receive the money instead of the rightful payee. This risk (called man in the middle) can be mitigated with a simple cryptographic signature, associated with a proper certificate chain that the wallet application can verify. Any entity pretending to be a well-known retailer (like someone registering as "Aple" to pass for "Apple") would soon have its certificate blacklisted.
So, what's your suggestion in the end?
My humble suggestion to Apple here is quite simple: even though your market share for mobile devices is quite good (~45%), you're not alone. Wouldn't it be a shame if Android devices could not benefit from your idea? Since you'll probably store some (if not all) data online, I'm sure you could find a way to monetize it. Otherwise, payees will have to buy more expensive tags with more memory to be able to store both Apple's proprietary payment data and Google's proprietary payment data.
Conclusion
Well, I guess we'll know soon enough how things will go, as Apple's next developer conference is going to take place in June. Rumors mention that iOS developers will be granted more powerful access to NFC features. I'm looking forward to seeing what new scenarios will therefore be unlocked.
If you're a geek and you're still there
First: thanks for reading. Here are a couple of quick technical suggestions:
- way of storing data: either directly in the URL's parameters, or using a compressed serialization format (such as ASN.1 or equivalent); storing it as a URL would allow regular NFC readers to read its data, and maybe offer a plan-B experience (please no custom shoebox:// scheme)
- signature: there's a standard for that (NFC Signature Record Type Definition 2.0, preferably with the more compressed M2M certificate format), no need to reinvent the wheel
- there's a recent NFC Forum Money Transfer candidate specification; if you're lucky enough to have access to the doc, it might be interesting to have a look
- did I already mention that we'd rather not have a proprietary data format?
- note: did you know that tags can be emulated by smartphones? This could mean that any phone could become a simple PoS...
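The signature check described under "What's the risk of using a cheap NFC tag?" applied to the URL-parameter storage suggested in the list above, as an added example in Go (not part of the original article, and not Apple's or the NFC Forum's format). It assumes Ed25519 and a toy one-level certificate in place of Signature RTD 2.0 and M2M certificates; Tag, MakeTag, Verify, the mid/amt/cur parameters and pay.example are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/url"
)

// Tag is the sticker content; RootSig is a toy certificate binding MerchantID to Pub.
type Tag struct {
	URL, MerchantID string
	Pub             ed25519.PublicKey
	Sig, RootSig    []byte
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}
func certBody(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"\x00"), pub...) }

// MakeTag plays issuer (root certifies the merchant key) and merchant (signs the URL).
func MakeTag(root, merchant ed25519.PrivateKey, id, u string) Tag {
	pub := merchant.Public().(ed25519.PublicKey)
	return Tag{u, id, pub, ed25519.Sign(merchant, []byte(u)), ed25519.Sign(root, certBody(id, pub))}
}

// Verify is the wallet-side check, run before any payee or amount is shown.
func Verify(t Tag, rootPub ed25519.PublicKey, revoked map[string]bool) error {
	u, err := url.Parse(t.URL)
	switch {
	case len(t.Pub) != ed25519.PublicKeySize || !ed25519.Verify(rootPub, certBody(t.MerchantID, t.Pub), t.RootSig):
		return fmt.Errorf("certificate not issued by the trusted root")
	case revoked[t.MerchantID]:
		return fmt.Errorf("certificate for %s is revoked", t.MerchantID)
	case !ed25519.Verify(t.Pub, []byte(t.URL), t.Sig):
		return fmt.Errorf("tag signature invalid")
	case err != nil || u.Query().Get("mid") != t.MerchantID:
		return fmt.Errorf("payee in URL does not match certificate")
	}
	return nil
}

func main() {
	rootPub, root := NewKey() // stands in for the wallet vendor's root
	_, merchant := NewKey()
	tag := MakeTag(root, merchant, "SCOOT-001", "https://pay.example/t?mid=SCOOT-001&amt=2.50&cur=USD")
	fmt.Println("genuine sticker:", Verify(tag, rootPub, nil))
	tag.URL = "https://pay.example/t?mid=OTHER-002&amt=2.50&cur=USD" // constructed tampered copy
	fmt.Println("altered sticker:", Verify(tag, rootPub, nil))
}
```

A look-alike merchant that obtains its own certificate still verifies until its ID is added to the revoked set, which is why the wallet has to display the certified merchant identity and keep revocation data current.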
Partner | MENA Data & AI Advisory lead @ EY | Lecturer | Researcher | Investor
5 years
I am sorry to say, that the service provided by Lemonway is very disappointing and destroys the trust for the entire Fintech Industry Gilles RéANT. If we are failing to recognize the value of customer experience, and providing a superior service to customers, technology alone cannot serve the purpose.