Visa works on Apple Pay for Europe, Mastercard eyes NFC as standard by 2020

While Apple hasn't officially given Apple Pay the nod for anywhere outside the US, the signs are good that Europe, and the UK in particular, could be next on the list.
Written by Liam Tung, Contributing Writer

As Apple prepares to roll out its contactless payment system in the US, card giants Visa and Mastercard are looking upbeat about the prospects for Apple Pay arriving in Europe.

The NFC-enabled iPhone 6 and 6 Plus — launched alongside Apple Pay on Tuesday — are set to go on sale in the UK, Germany and France next Friday. But, unlike their US counterparts, consumers in Europe won't be able to use their new iPhone to make payments with Apple Pay — despite there being millions of NFC terminals that support mobile and contactless payments on the continent.

Apple Pay will go live in the US in October with support from credit and debit cards from Visa, Mastercard and American Express, as well as some US banks and a handful of retailers. The two new iPhones, as well as Apple's forthcoming Watch, will all have NFC antennas to enable contactless payments, with credit card details stored in Passbook.

According to Visa Europe, Europeans can rest assured that there are efforts underway to ensure they will be able to use an iPhone to make contactless payments. When that will happen, however, is unknown.

"We are working closely with Apple and with our member banks to bring this new service to market in Europe," Steve Perry, chief digital officer at Visa Europe said.

Perry said Apple Pay is "a critical piece of the mobile payments jigsaw" and that there are now more than 1.5 million Visa contactless terminals in stores across Europe that are ready to take mobile payments. 

Mastercard yesterday announced that by 2020, European merchants that accept Mastercard and Maestro must have payment terminals equipped to accept contactless cards and NFC-equipped mobile phones.

Mastercard wants all new POS terminals to adhere to the new standard upon deployment from 1 January 2016, while existing POS terminals have until 1 January 2020 at the latest to be replaced.

The Mastercard service that supports Apple Pay contactless payments is the MasterCard Digital Enablement Service (MDES). MasterCard transactions made through Apple Pay use "industry-standard EMV-level security, and are protected using standards-based payment tokens". Mastercard hasn't said whether it's working with Apple to bring Apple Pay to Europe, but the company is expanding its US launch of MDES this year to "other major markets during the course of 2015".

Meanwhile, UK payment processing firm Worldpay said that June 2014 marked a new record for contactless payments, reaching £71.6m for the month. Its data also shows that contactless payment volumes in the UK more than doubled from four million in July 2013 to 10.9 million in July 2014. London represents 42.1 percent of its contactless transactions made since January 2012.

The company also found in a UK survey that 71 percent of respondents found 'tap and pay' less hassle than Europe's chip and PIN requirements under the EMV standard — the replacement for mag-stripe cards that the US considered following the massive data breach at Target. Apple will be hoping that Europeans see using Apple Pay with iPhone's TouchID to authorise a payment as easier than entering a PIN.

Apple hasn't shared full details about its payment system yet, but has revealed that it will rely on "tokenisation" of credit card numbers, in which a unique Device Account Number — a token — is stored in a "Secure Element" in the iPhone or Watch.

Johannes B Ullrich, Dean of Research for the SANS Technology Institute, said that on the surface, the way Apple had designed Apple Pay appears to be more secure than US mobile payments startup Square's system — and he believes Square, which encrypts card details before sending them to a POS machine, is a lot more secure than most card readers in the face of a compromised POS machine.

"The use of a token is a bit better than what Square is doing. Square encrypts the credit card, so the card still has to be used, and if someone would be able to get a hold of the encryption key, they may still be able to decrypt the card," Ullrich told ZDNet.

"With tokenization, the token is more or less just a 'serial number'. For example, think of an employee ID as a token for your social security number. For most business processes, you can just use the employee ID, and if someone steals the employee ID, it would be useless outside the company. But if HR for example needs your SSN for a specific purpose, they could use your employee ID to look it up."
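The distinction Ullrich draws between an encrypted card number and a token can be shown in a few lines. This is an added illustration, not code from Apple, Square or the article; `TokenVault`, `encrypt_pan` and the other names are hypothetical, the card number is a constructed test value, and the SHA-256 keystream is a stand-in for a real cipher so the example runs without third-party libraries.

```python
import hashlib
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode), used only to keep the
    # example dependency-free; a real system would use an authenticated cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt_pan(key: bytes, pan: str) -> bytes:
    nonce = secrets.token_bytes(12)
    data = pan.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_pan(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

class TokenVault:
    """Lookup table held by the token issuer; tokens are random, not derived from the card."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        # 16 random digits: there is no key that converts this back into the card number.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str):
        return self._by_token.get(token)  # None when the token is unknown to this vault

def demo():
    pan = "4111111111111111"           # constructed test number, not a real card
    key = secrets.token_bytes(32)
    blob = encrypt_pan(key, pan)       # what an encrypting reader would transmit
    issuer_vault = TokenVault()
    token = issuer_vault.tokenize(pan) # what a tokenising device would transmit
    outsider_vault = TokenVault()      # models a party without access to the issuer's table
    return (decrypt_pan(key, blob),              # stolen key + ciphertext -> card number
            outsider_vault.detokenize(token),    # stolen token alone -> nothing
            issuer_vault.detokenize(token))      # issuer lookup -> card number

if __name__ == "__main__":
    print(demo())
```
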

Despite Apple Pay being an improvement on US magnetic stripe cards, security experts point to other potential weak points. "As far as we can see, the key issue is that your Apple Pay information is tied to your Apple ID, just like the rest of your iCloud data," said Paul Ducklin, Sophos' head of Asia Pacific. 

"In other words, exactly the same security shortcomings in iCloud that led to the recent stolen nude celebrity photo scandal might be a path to the outright theft of your digital wallet."
