Apple only gave a fleeting demo of how contactless payments would work on its new Apple Watch at its Spring Forward event on Monday, but it was an impressive one. You select a card from Passbook in the watch interface and then tap the wearable device against the payment terminal or wave it over the terminal and, presto, your credit card is charged. The watch emits a tone and a vibration to show the transaction has gone through.
Furthermore, according to reports from the event, Apple Pay doesn’t always need to be manually activated in the watch. If you move your hand close to a near-field communications (NFC) based terminal, the app will immediately become active and use your primary credit card for payment — most likely the terminal’s NFC radio “wakes up” the NFC chip along with the Pay app in the Watch.
There also doesn’t seem to be any passcode or other ID authentication necessary. Most retailers will ask for a signature (after the EMV transition this year, many will start asking for PIN codes) if the purchase is over $20 or $25, but Apple seems to be removing every other barrier possible to simple tap-and-go payments in its new wearable device.
But how does Apple do this without compromising security? Rather ingeniously, actually. The Apple Watch appears to use its other sensors to make an indirect ID. Last week at Oracle Arena, Apple head of internet software services Eddy Cue explained that the watch senses when you put it on and then asks for authentication, which you can give by supplying a fingerprint on the iPhone 6 or 6 Plus. If you’re using an iPhone 5 or 5s, which don’t support Apple Pay directly, you can enter a PIN code in the phone’s app or on the watch itself.
After that, as long as the Apple Watch is clamped to your wrist, your authentication is valid in Apple Pay. But as soon as the watch detects that you’ve removed it, Apple Pay locks up, requiring you to re-authenticate to re-activate it.
This means you won’t be handing your wristwatch to your waiter to pay your check, but most people probably don’t want to see their new $350-plus fashion accessory disappear behind the bar anyway. Short of a desperate criminal cutting off your hand at the forearm, it’s a pretty foolproof system: Apple Pay is active when the watch is on your wrist, and it’s nullified when the watch comes off.
What’s particularly interesting to think about is how this kind of variable authentication might be used to validate different types of transactions in the future. Anyone who has ever shopped with a piece of plastic knows that different levels of security come into play depending on what and where you’re buying. For instance, self-service gas stations typically ask for your zip code at the pump. Signature requirements kick in at a grocery store if you rack up a high enough bill. And if you’re making a big dollar-amount purchase, a clerk will often ask to see a picture ID.
Apple could fit different levels of Apple Pay authentication to those various retail security policies and then offer them up as options to merchants or payment processors. For instance, any purchase under $25 may not require any additional verification beyond a wave of a wrist. A more expensive purchase that would normally require a signature could be handled with a PIN code entered on the watch, instead of a John Hancock with a pen. A very expensive transaction could require Touch ID verification on the phone and a PIN number to boot.
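The wrist-bound session and the price-tiered checks described above can be modelled as a small state machine. This is an added sketch, not Apple's code or anything shown at the event; the class and function names and the $500 high-value threshold are assumptions (the article gives only the $25 figure).

```python
from enum import Enum, auto

class Factor(Enum):
    WRIST = auto()      # watch was unlocked and has stayed on the wrist
    WATCH_PIN = auto()  # PIN entered on the watch for this purchase
    TOUCH_ID = auto()   # fingerprint on the paired phone for this purchase

# Tier boundaries: $25 is the article's figure; $500 is an assumed value,
# since the article names no threshold for a "very expensive" purchase.
SIGNATURE_FLOOR = 25.00
HIGH_VALUE_FLOOR = 500.00

def required_factors(amount):
    """Map a purchase amount to the factors the article's tiers would demand."""
    if amount < SIGNATURE_FLOOR:
        return {Factor.WRIST}
    if amount < HIGH_VALUE_FLOOR:
        return {Factor.WRIST, Factor.WATCH_PIN}
    return {Factor.WRIST, Factor.WATCH_PIN, Factor.TOUCH_ID}

class WatchSession:
    """Hypothetical model of the on-wrist authentication state."""
    def __init__(self):
        self.on_wrist = False
        self.unlocked = False

    def put_on(self):
        self.on_wrist = True
        self.unlocked = False      # wearing the watch is not authentication

    def authenticate(self):
        # Stands in for Touch ID on the phone or a PIN; only counts while worn.
        self.unlocked = self.on_wrist
        return self.unlocked

    def take_off(self):
        self.on_wrist = False
        self.unlocked = False      # removal invalidates the session

    def authorize(self, amount, fresh=frozenset()):
        """Return (approved, missing_factors) for one purchase."""
        # WRIST comes only from session state, never from the caller.
        presented = set(fresh) - {Factor.WRIST}
        if self.on_wrist and self.unlocked:
            presented.add(Factor.WRIST)
        missing = required_factors(amount) - presented
        return (not missing, missing)
```

The step-up factors never substitute for the base session: a fresh PIN on a watch that has been taken off and put back on is still declined until the wearer re-authenticates.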
I don’t know about you, but if I’m about to pay a $900 bill with my watch, I don’t mind jumping through a few extra hoops. On the other hand, I do get really annoyed when I’m forced to go through four or five different screens on a drug store’s payment terminal when all I’m doing is buying a stick of deodorant. If Apple could match a purchase’s level of hassle to its price, then it could do something much more impressive in payments than merely making them contactless.