
Retailers Banning Apple Pay Are Taking a Big Security Risk

It's their prerogative, they can do what they wanna do.

Reuters / Kacper Pempel
Jason Del Rey has been a business journalist for 15 years and has covered Amazon, Walmart, and the e-commerce industry for the last decade. He was a senior correspondent at Vox.

Apple wants to make it easier for people to use their phones to pay for everyday goods at retail stores using a new system called Apple Pay. But two major drugstore chains recently banned the technology, setting the stage for a showdown with Apple.

The move is the retailers’ prerogative, and CVS, Rite Aid and other retail chains have what they consider to be good reasons for banning Apple Pay: They want customers to use their own mobile payment system because it will cost them less.

In the meantime, they’re taking a huge risk that could have catastrophic results if any of them suffer security breaches like their peers did last holiday season. That’s because the mobile payments app that they’re backing, called CurrentC, won’t launch until sometime next year, leaving customers with the same old clone-friendly credit cards they’re using now.

Apple Pay, on the other hand, is a much more secure payment method than traditional cards. What happens when one of these stores gets hacked during the holiday season like Target, Home Depot and Michaels were last year? They’ll be on the receiving end of pure customer outrage coupled with hard questions from elected officials.

Here’s a basic rundown on Apple Pay’s security measures. Apple Pay customers have to authenticate a purchase with their fingerprint by placing their finger against an iPhone’s home button, which also acts as a fingerprint identification device. Then, and only then, is payment information sent to a merchant’s checkout system. The information that’s transmitted isn’t the shopper’s actual card information. Instead, it’s a stand-in code known as a “token.” That token then makes its way through the payment network and is not matched up with a shopper’s actual credit card account until it reaches a virtual vault secured by either the card network or the bank that issued the card. A merchant never has access to the sensitive financial information like they do with traditional payment cards.

That also makes Apple Pay a safer bet in the event of the same kind of point-of-sale attack that Target suffered. Hackers likely would have only gotten these tokens, which are useless without the corresponding account information that’s stored separately.
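The token flow described above can be sketched as a simplified model. This is an added illustration, not code from Apple, the card networks or the original article; the class names, function names and card numbers are constructed assumptions, and it models only the point made here: the checkout system sees a token, while the mapping to the real account stays in the vault.

```python
import secrets


class TokenVault:
    """Hypothetical stand-in for the vault held by the card network or issuing bank."""

    def __init__(self):
        self._accounts = set()    # real card numbers known to the issuer
        self._token_to_pan = {}   # mapping that never leaves the vault

    def issue_card(self, pan):
        self._accounts.add(pan)

    def provision_token(self, pan):
        # The token is random digits with no mathematical link to the card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token not in self._accounts and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def authorize(self, credential):
        # A token is resolved to its account here, inside the vault only.
        pan = self._token_to_pan.get(credential, credential)
        return pan in self._accounts

    def is_real_account(self, value):
        return value in self._accounts


class MerchantPOS:
    """Hypothetical checkout terminal; `seen` is everything that passed through it."""

    def __init__(self, network):
        self._network = network
        self.seen = []

    def pay(self, credential):
        self.seen.append(credential)  # what point-of-sale malware could capture
        return self._network.authorize(credential)


def simulate_breach():
    vault = TokenVault()
    swiped_pan, phone_pan = "4111111111111111", "5500000000000004"  # constructed test numbers
    vault.issue_card(swiped_pan)
    vault.issue_card(phone_pan)
    token = vault.provision_token(phone_pan)
    pos = MerchantPOS(vault)
    approved = [pos.pay(swiped_pan), pos.pay(token)]
    # The attacker holds pos.seen but not the vault: which entries are real card numbers?
    exposed = [v for v in pos.seen if vault.is_real_account(v)]
    return {"approved": approved, "seen": pos.seen, "exposed": exposed, "token": token}
```

Both payments are approved, but only the swiped card's number appears among the data captured at the terminal.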

CurrentC is expected to use a form of tokenization so actual payment information isn’t transmitted with each transaction, which should, in theory, make it more secure than current payment cards. But there aren’t enough details known to say whether it can come close to the security offered by Apple Pay. And, again, it isn’t going to be available until next year.

So whatever their reasons to ban Apple Pay, MCX retailers like CVS and Rite Aid are choosing to ban a payment method that is more secure than what is currently the default non-cash method. As entrepreneur and payments buff Mike Dudas said in a smart blog post this weekend:

“I would not want to be the retail executive who explains to my iPhone carrying customers why I forced them to swipe a credit card at my store in December 2014 and then had my security systems breached.”


This article originally appeared on
