Samsung Out Apple'd Apple
"It just works everywhere" is a claim normally reserved for Apple. When my wife came home talking about a co-worker's phone which had a version of Apple Pay "that actually worked everywhere", I was skeptical.
Initial thoughts: holy shit, Samsung Pay is manipulating the magnetic card reader wirelessly? That's awesomely clever! Followup thought: oh, god, the security implications. So my card's magnetic data is being broadcasted wirelessly for anyone to grab?
Then someone on Twitter prompted me to reconsider my default "Samsung is an idiot" mentality [^1], so I did some research.
Samsung Pay uses Magnetic-Secure-Transmission (MST)[^2]. Much like Apple Pay, it doesn't actually store your original credit card information on the phone [^3], and it doesn't broadcast the original CC information wirelessly. Samsung Pay uses tokenization to ensure what is broadcast is good for a one-time use: terminals receive a 16-diget code that represents the card being used, and a cryptographic one-time use token for that transaction.
Now, I'm not making any claims that this is as secure as Apple Pay, but they weren't the idiots I thought they might be. I'm not an expert in wireless payments, but I didn't see any red flags as I was researching the tech behind this. This seems reasonably well thought out.
Apple Pay 2
Apple Pay's rollout has been rocky in the US. Apple banked on the required adoption of chip to drive merchants to upgrade to terminals that also included NFC.
But they underestimated just how lazy, and self-interested, US-based merchants are. In the suburbs of Philadelphia I can use Apple Pay at roughly 25% of the places I shop. That's not always because the hardware isn't there: a lot of my favorite places, like Wawa, are part of CurrentC, so they've disabled NFC in favor of QR codes.
But it isn't just NFC that's lagging behind. Despite the fact most places I shop now have chip readers, a surprisingly (and annoyingly) large number of them have a gift card shoved in the chip reader with a sharpied "Please Swipe!" written on it. Since last year they've been required to support chip or be liable for fraud, but they don't care. Merchants don't have the consumers' interest in mind, and they're holding Apple Pay back.
That's gotten many people, like my wife, to just stop trying to use Apple Pay. It doesn't "just work" enough of the time to be worth trying.
So if Apple came out with Apple Pay 2.0 this September at the iPhone event and "brought Apple Pay to all those merchants that haven't gotten on board yet", the crowd at the event would give them a standing round of applause.
Yes, this tech isn't forward-looking like Apple Pay over NFC is. MST will be phased out as NFC is slowly adopted over the next 5 years. It's also a very US-centric problem to solve - when I was in Canada NFC was everywhere. Same for a lot of Europe.
It's a stop-gap, but in the mean time Apple pay would become ubiquitous in the US.
Kudos, Samsung. Lets hope Apple copies you this time around.