Apple Pay rival MCX already hacked, but insists it’s OK to keep your sensitive data in the cloud

MasterCard (Apple Pay ads 001)

The whole CVS/Rite Aid/Apple Pay controversy is about to get uglier as MCX, the consortium of retailers who back the competing CurrentC mobile payment system, on Wednesday responded to accusations that it was purposefully blocking Apple Pay, Google Wallet and other NFC-based payment solutions and requiring participating retailers to use CurrentC exclusively.

Apple Pay has been praised for being secure and protecting your privacy by not sharing customer or transaction data with merchants. According to MCX, it does not store sensitive customer information in the mobile app. Instead, users’ payment data is stored “in our secure cloud-hosted network”.

Maybe I’m reading their blog post wrong, but if customer data and especially payment information is stored in the cloud, then it’s not secure and this is precisely why Apple Pay is, in my personal opinion, better.

Responding to reports claiming that participating CurrentC merchants will be fined for offering other payment services, MCX confirmed that exclusivity is required but denied fees for leaving.

“If a merchant decides to stop working with MCX, there are no fines,” reads the blog post. So far so good, but the wording doesn’t explain why merchants are being fined for offering competing services, which could be viewed as unfair trade practice.

“MCX merchants make their own decisions about what solutions they want to bring to their customers; the choice is theirs,” reads the post. “When merchants choose to work with MCX, they choose to do so exclusively and we’re proud of the long list of merchants who have partnered with us”.

Walmart and Best Buy, both MCX partners, said earlier they would not support Apple Pay. According to Walmart yesterday, denying Apple Pay and other NFC-based mobile payment service is in consumers’ best interests.

“Ultimately, what matters is that consumers have a payment option that is widely accepted, secure and developed with their best interests in mind,” an unnamed Walmart representative told Business Insider.

Built on top of the Automated Clearing House (ACH) network, CurrentC avoids credit card networks entirely and instead charges your bank account directly.

The service relies on a mobile app that customers use to scan bar codes displayed on a cashier’s screen and requires an Internet connection during the time of purchase, unlike Apple Pay.

Users can choose to “limit the information they share through our privacy dashboard, which means they will have the ability turn off location based services and opt out of marketing communications in our app,” MCX said.

The ambiguous wording doesn’t mention data collection by retailers and sharing information about customers between participating merchants. The link to MCX’s CurrentC Privacy Policy was conveniently broken at post time — so much about user trust.

In terms of pharmacies, MCX “may end up interacting with limited information in the course of processing payments such as location and transaction amount,” though the consortium ensures that “CurrentC does not collect any information from any other apps, or health information stored in the mobile device”.

apple pay iPhone 6 convenient

MCX does share troves of sensitive customer information with merchants. Contrast this to Apple Pay, which only stores payment information in the phone’s Secure Element. The data is walled off from the rest of the system and never gets synced to the cloud.

Furthermore, Apple Pay does not share any personal information with the merchants or banks except for a unique device and transaction ID to allow merchants to keep track of purchases. When a customer makes a purchase with Apple Pay, their Device Account Number along with a transaction-specific dynamic security code is used to process the payment.

At no point does your actual credit or debit card numbers get shared by Apple with merchants or transmitted with payment or even stored on the device itself (that’s because Apple Pay uses tokens).

And if that weren’t enough, MCX’s systems have just been hacked!

MCX hacked (image 001)

As a notice on MCX’s website reveals, “unauthorized third parties” have hacked their systems and stole email addresses and other information for an unknown number of users.

With the CurrentC-Apple Pay battle brewing, MasterCard meanwhile is happy to promote Apple Pay with a series of TV ads and even Amazon relented and is now allowing its customers to load their Rewards Visa Card into Apple Pay.

And as retailers in the MCX camp are about to lose some sales by hating on Apple Pay, banks like Wells Fargo are giving shoppers money just to try Apple’s service. According to Apple CEO Tim Cook yesterday, the company saw over one million card activations in the first 72 hours.

The service already accounts for more mobile wallets in the United States than all other mobile payment options combined. Commenting on the CVS/Rite Aid’s Apple Pay blockage, Cook said that “in the long arc of time you’re only relevant as a merchant if your customers love you”.

Despite “overwhelming” response to Apple Pay, the iPhone maker conceded that there’s still much work to be done in order to sign up additional merchants and banks, bring Apple Pay to China and implement new features such as a rumored loyalty rewards program.

[MCX Blog]