During Apple’s recent Worldwide Developers Conference, Apple didn’t reveal Near Field Communication capability on its next iPhone version, but it did announce something seemingly similar to a digital wallet, with a password manager to boot.
The iCloud Keychain Apple announced is a cloud-based feature that Apple would include in its next iPhone operating system, iOS 7. It would enable users to store passwords and log-in information. But it also would allow users to store payment card data for use with mobile-commerce sites.
From Storefront Backtalk:
Apple didn’t spill many details about the new feature except to say that the card numbers will be delivered with 256-bit AES encryption (we’re guessing that means an encrypted connection, but Apple didn’t say), the numbers will only be sent to “trusted devices,” and the feature will suggest specific card numbers when an order form calls for them.
Now, Apple has been running a retail chain for more than a decade, and it understands PCI. It also understands that the PCI Council still hasn’t nailed down the requirements for mobile POS devices handling payment-card numbers. But that’s not Apple’s problem here. Apple users won’t need to use iCloud Keychain to order anything from Apple—Apple already has their credentials. It’s only other retailers that Apple will be serving up card numbers for. So when the iCloud Keychain is being used, it won’t be in PCI scope for Apple, because Apple won’t be acting as a merchant—just a cloud storage provider and phone maker. For other chains, the customer’s phone is out of PCI scope too, just as a mag-stripe card would be when it’s sitting in a customer’s wallet.
This system is designed so that any security problems are always somebody else’s problem—and never in scope for PCI. It’s probably the cleverest PCI workaround ever by a retailer. And it will dodge PCI responsibility for what could become the largest cache of payment-card numbers outside the banks/processors/card brands system. Very clever, Apple.
PCI issues aside, it would be interesting to know how Apple defines “trusted devices.” Would they represent servers used by third-parties specializing in cloud-based data storage, or would they represent merchants’ processing servers, which would facilitate the card transactions initiated through the keychain? Our assumption would be the latter because, as noted by Storefront Backtalk, Apple isn’t the merchant, so the card data would need to be sent to the merchant’s processor to complete the transactions. How Apple deems such card-data recipient devices as “trusted” remains uncertain, which is how most typically might define what Apple has up its sleeve.
Click here to read more from Storefront Backtalk.
