It seems almost inevitable these days that your credit card information will be at risk from a retailer’s system breach or worse, your card number stolen and used for fraudulent purchases.
Clearly the established credit payment systems are lacking. Next generation payment methods like mobile pay and chipped credit cards promise improvement; whether they will help or introduce new security concerns remains to be seen, so use at your own risk.
Using your smartphone to pay for purchases at first glance seems like a huge security risk, one I wasn’t even willing to entertain until researching this column. Holding all of that financial information in an electronic wallet kept within an easily stolen device? No way.
Mobile payments offer two main selling points: payment convenience and the security of keeping your credit card information to yourself, since merchants do not ever see your actual number. There are two major players in the field, Apple Pay for iPhones and Android Pay for droid phones.
Apple Pay can be used at participating merchants with an iPhone 6 or later or an Apple Watch. Both of those devices, along with iPad Pro, iPad Air 2, iPad mini 3 or later, can also use Apple Pay for purchases within apps.
To use Apple Pay, store the cards you want to use for payment in your Apple Wallet, by typing in the information or taking a picture. The picture is not stored on your device. From there, the information is encrypted and sent to Apple servers, and then on to your bank for approval to use with Apple Pay. When approved, your bank sends an encrypted device account number to Apple that is used for your transactions. The token is stored in your phone on a Secure Hardware Element. Your complete card numbers are not accessible to Apple, and are not stored on your device.
While this makes cards you enter secure within your Apple Wallet, thieves have been able to use stolen credit card information to link to their own Apple Wallets to use for purchases.
A retailer must have Near Field Communication (technology in their point of sale system in order to accept Apple Pay. To make a payment at one of the 700,000 retailers equipped with NFC, hold your device near the NFC reader with your finger on the touch ID, or by unlocking your phone with your passcode. Your credit card information is never transmitted to the merchant, so there is no risk of it being stolen, at least in that part of the transaction. Some store loyalty rewards cards can also be stored in your wallet and used in conjunction with payment during transactions. More are being added in time.
Apple Pay does not keep a history of transactions that can be tied back to you, which they interestingly tout as a benefit, while Android Pay sees keeping that history for you as a benefit.
Android Pay, the mobile payment spun off from Google Wallet, also uses NFC technology at registers. It works with any android phone with NFC capability, and requires your phone to have a lock screen.
After installing the Android Pay app on your phone, enter your card information or take a picture of the card to store in your wallet. Like Apple Pay, Android Pay uses a generated token to send a virtual card number to merchants rather than your actual card number. However, the token is kept not on your phone, but in the Google cloud, using technology called Host-based Card Emulation.
When making a purchase, simply unlock your phone and tap the payment terminal. At this time, the Android Pay wallet integrates many more store loyalty reward cards than Apple Pay. You can also use Android Pay to make app purchases.
On both Android and Apple Pay, one card is set as default for easy check out, but you can open the app before paying to swap out the card if you want to use a different one for that particular transaction. And both can be used without a cell signal; Apple Pay because your tokens are stored in the chip in your device, and Android Pay because a few spare tokens are kept handy.
Paypal Mobile is another way with your phone at limited merchants. Use the Paypal app to see who in your area accepts Paypal as payment. Payment can be made in the traditional sense at the point of sale terminal using your cell number and a PIN, or by checking in with the merchant. In some cases, like the Willow Tree restaurant in Stroudsburg, you can order online via the app.
When using payment by checking in, Paypal sends your photo to the merchant’s device to identify you when you come in, and gives the merchant permission to charge your purchase to your Paypal account. You don’t need your wallet or your phone. In your Paypal wallet, you can load credit cards, debit cards, link your bank account, and your Paypal account. Like the others, payment is charged to the default method in your wallet but can be changed prior to purchase. Paypal keeps a transaction history in your account and also provides coupon offers within the app.
You’ve likely received new replacement credit cards in the past few months that have an embedded chip. These “chip and signature” cards, also known as EMV (Europay, Mastercard, and Visa) are a welcome security improvement. The magnetic stripe in the usual credit card stores your name, account number, expiration date and card verification code, so that information is all a thief needs to use your card.
With the new chip technology, instead of swiping your card to transmit the information via the strip, you will dip your card into a reader that will gather a unique transaction code from the chip. That code cannot be used again, so even if a thief has the information, it is useless.
Because not all merchants have the chip readers yet, the newly issued cards have both the stripe and a chip, but eventually cards will only have the chip. Some cards will have NFC technology to tap rather than dip the card. With this technology comes a change in who is responsible for fraud. In the past, the bank was financially responsible in the event of fraud; as of Oct. 1, 2015, the responsibility began a shift to whoever was least EMV compliant, which in all likelihood may be the merchant.
How to protect yourself
Should you decide to use mobile payments, there are some important safeguards to use. Always keep your phone locked, and turn off NFC when you are not using it. Beyond that, know how to track, lock and wipe your phone clean through Android’s Device Manager or iCloud should your phone be lost or stolen. And always keep an eye on your credit card and bank account activity so you can spot and report fraudulent transactions quickly.
Erin Baehr is a certified financial planner and owner of Baehr Family Financial, a fee-only financial planning and investment advisory firm in Stroudsburg (PurposefulMoney.com). Baehr can be reached at 570-223-1550 or at Facebook.com/YourMoneyEveryday.