MCX, the retailer consortium behind the CurrentC mobile payment system, has responded to the controversy over its members being required to block Apple Pay or face fines with some unconvincing ‘assurances.’
The first sign of trouble between MCX and Apple Pay was when CVS disabled NFC functionality from its payment terminals. When Rite Aid joined in, consumers responded by threatening to boycott MCX members.
In a blog post which MCX says is designed to “set the record straight,” it appears to do anything but …
Responding to the fines issue, it makes an extremely disingenuous statement, even using bold type to do so.
Importantly, if a merchant decides to stop working with MCX, there are no fines.
Nobody has suggested there are. What has been suggested–and which MCX has not denied–is that members are fined if they accept other forms of mobile payment, like Apple Pay, alongside CurrentC.
The consortium gets off to a marginally better start on privacy, with a statement that consumers “can choose to limit the information they share through our privacy dashboard, which means they will have the ability turn off location based services and opt out of marketing communications in our app.” However, that does nothing to limit the storage of other sensitive information, nor to address claims that merchants will share purchasing data amongst themselves.
Claims that pharmacies would collect health data, which would be stored in the CurrentC system, were met with another disingenuous response:
CurrentC does not collect any information from any other apps, or health information stored in the mobile device.
Most laughably of all, MCX issues the following ‘assurance’ about data security.
We want to assure you, MCX does not store sensitive customer information in the app. Users’ payment information is instead stored in our secure cloud-hosted network.
So, they are assuring us that the data isn’t stored in the app–where we control access to it–but in their cloud system, where we don’t. Given past credit card hacks at major retailers, including a huge one at MCX member Target, consumers are unlikely to consider this good news.
Apple Pay, in contrast, doesn’t even store your credit card number, as the company explains on its webpage.
With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in iPhone, iPad, and Apple Watch. These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number, along with a transaction-specific dynamic security code, is used to process your payment. So your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with payment.
In forcing a battle between CurrentC and Apple Pay, MCX seems to be guaranteeing there can be only one winner – and it’s not going to be CurrentC.
Update: MCX has already been hacked.