Payment Dispute Standards and Compliance Council

Apple Pay and Chargebacks

Apple Pay is coming up for its 10 year anniversary as it was introduced on the 20th of October 2014, in the US, followed by a gradual global roll out with Apple Pay becoming available to issuing banks in the UK in July 2015.

HOW DOES APPLE PAY WORK?

Cardholder participation in Apple Pay begins with them initiating a request to add a debit or credit card to their mobile device. The issuing bank will determine if the card and cardholder are eligible. The cardholder may be prompted to accept terms and conditions specified by the card issuer and may also be asked to complete additional verification.

Apple Pay is then facilitated by the replacing the traditional primary account number (PAN) with a Device Account Number, otherwise known as a Token, which is loaded into the built-in wallet application contained within the applicable Apple device. This potentially makes the purchase more secure in that the actual card number is not stored on the device. The Device Account Number is stored within the Secure Element, a certified chip within the device, designed to store payment information safely and is isolated from all Apple operating systems. It is never stored on Apple servers or backed up to iCloud.

MAKING A TRANSACTION

When carrying out in store transactions Apple Pay uses Near Field Communication (NFC) technology between the device and the payment terminal. NFC is an industry-standard, contactless technology that’s designed to only work across short distances. If the device is switched on and detects an NFC field, it will present the cardholder with their default card. To send the payment information, the cardholder must authenticate the transaction using Face ID, Touch ID or a passcode.

Once the transaction has been authenticated, the Secure Element provides the Device Account Number and a dynamic, transaction-specific security code to the shop’s point of sale terminal, along with additional information needed to complete the transaction. Neither Apple nor the device sends the actual payment card number. Before they approve the payment, the bank, card issuer or payment network can verify the payment information by checking the dynamic security code to make sure it’s unique and tied to the cardholder’s device.

Card Not Present transactions can also be made on the cardholder’s mobile device using Apple Pay, initiated online in Safari and authenticated using Face ID or Touch ID.

Card Not Present transactions can also be made on Mac models that have the Touch ID facility or for Mac models without this facility through the use of Bluetooth with their mobile device nearby.

The cardholder has the option to set up Apple Pay on more than one mobile device. This requires separate set up for each card on each device. On Apple Watch 3 and later and iPhone 8 and 8 Plus and later up to 12 cards can be added to a device. For all earlier devices up to 8 cards can be added.

ARE THERE TRANSACTION AMOUNT LIMITS?

There is no standard global limit to Apple Pay transactions. Limits may vary according to merchant, issuer, network, or country/region. While some stores that have no limit at all, generally, the transaction amount limit aligns with the contactless card payment limit for each country. In certain circumstances if the transaction exceeds the limit, additional verification may be required such as the entering of a PIN.

Back in 2022, Mastercard stated:

“You can now make secure purchases above the £45 contactless limit in participating shops across the UK using your Mastercard with Apple Pay.”

Additionally, HM Treasury and the Financial Conduct Authority sanctioned the increase of the contactless payment amount limit in the UK to £100 from the 15th October 2021.

So, in terms of transaction limits, there is no standardisation across the globe.

APPLE PAY AND THE MOBILE PAYMENT ENVIRONMENT

The use of cash is clearly on the wane. Cash purchases have decreased by 35% since 2019. The pandemic accelerated this decline by 3 years, this decline will increase to 42% in 4 years, cash will by then become the least used method of payment.

WHAT WILL FILL THE GAP?

Card payment volumes will continue to dominate however mobile wallets are on the rise, the biggest of these being Apple Pay. In 2022 $6 trillion worth of payments were processed by Apple Pay across the globe. Last year Apple Pay processed 12.6% of all online transactions with Apple Pay accounting for 92% of those transactions, Google Pay and Samsung Pay trailing behind in their market share.

In the UK it’s a similar story, the popularity of Apple Pay continues to increase with 35% of all online purchases being made through mobile wallets in 2022 which was higher than the 22% made using debit cards, three years earlier than expected according to Worldpay. A surprising statistic but a clear indication of the increased popularity of this method of payment. Cards were however the most popular method of payment for in-store transactions, accounting for 47%, with digital wallets at 10%.

HOW DOES APPLE PAY AFFECT THE PLAYERS?

The Cardholder

Apple Pay is convenient and more secure than traditional cards. With biometric security rather than a PIN or signature, Apple Pay should give cardholders the reassurance of the latest secure authentication technology when making transactions.

The Issuer

Issuers maintain their current role in owning the account holder relationship, as well as having authorisation and ongoing risk management responsibilities. Issuers decide which payment solutions they would like to participate in, and control token provisioning decisions.

The Acquirer

Acquirers process Apple Pay transactions the same way they process card account numbers­­. This includes authorisation, clearing, settlement, and exception processing. Acquirers may need to support additional data included in tokenized transactions.

The Merchant

Apple Pay transacts and processes identically to traditional PANs, so there are typically no required changes to the underlying payment infrastructure that merchants support.

Apple Pay and Chargebacks

We’ve seen that overall, making a payment using Apple Pay is a secure way to transact for all parties. How has this affected the chargeback world?

Chargebacks resulting from an Apple Pay transaction are dealt with in exactly the same way as other transaction methods. When it comes to fraud type chargebacks, in theory, an Apple Pay transaction is considered inherently more secure than other types due to the use of biometric authentication. In fact, Visa have stated that biometrics is the most secure method of authentication available.

It would seem therefore that a cardholder trying to file a dispute against a transaction authenticated using Apple Pay would find it harder to convince their issuing bank that it was a fraudulent transaction and not unreasonable to presume therefore that the liability ought to shift to the issuing bank. Much depends on the issuing bank’s approach and policy around potential fraudulent Apple Pay chargebacks.

It would seem reasonable that from an Acquiring and merchant point of view there would be an expectation on the issuing bank for a robust challenge process when faced with these kinds of cardholder disputes. Indeed, if the merchant is able to supply proof that the transaction took place using Apple Pay and therefore biometric authentication one would feel that the merchant ought to be on reasonably solid ground when contesting any potential fraud related chargebacks.

There is no guidance for merchants from the networks specific to fraud related chargebacks on Apple Pay transactions. However, according to Visa, token fraud can occur as the result of:

  • Provisioning Fraud: Fraudulent use of card data and personally identifiable information (PII) to circumvent the issuer’s authentication process and enable provisioning of the payment card onto a mobile device / digital wallet that is subsequently used for fraudulent purchases.
  • Compromised User Credentials: Fraudulent use of the cardholder’s digital wallet via stolen user credentials (i.e., mobile passcode, wallet login information).

This isn’t exhaustive presumably but the opportunities to carry out fraudulent transactions using Apple Pay are limited.