Tired of being ineffective and unloved? It's time to act different

When Apple Pay was announced last week, I very quickly saw IT folks at retailers and elsewhere saying it was old technology. Platform partisans were quick to point out that Android phones have had the required NFC chips for several years, and Google has its own wallet technology. I also heard CIOs quickly declare that because Apple was a technology company, Apple Pay would not be secure.

Those reactions were, to be blunt, stupid. And they’re emblematic of the dilemma that IT finds itself in: unloved by users, distrusted by managers, considered an incompetent, expensive, yet necessary evil to keep things running. InfoWorld’s editor in chief, Eric Knorr, was asked at a recent VC conference about IT’s role in this era of cloud computing and technology-savvy users, and the question brought him up short, as it did his fellow panelists.

Houston, we have a problem.

Although the “think different” theme is now cliché, it does speak to a core reason why Apple is Apple and no one else comes close. If IT organizations and their management partners understood the Apple way, perhaps they could become Apples in their spheres: groups that make real money even without majority market share, loved by their customers, and able to drag much of the industry along. I’ve followed Apple as a user, reporter, and editor for 23 years, and what makes Apple Apple is quite clear.

Lesson 1: Work through the whole problem

There are no silver bullets. Yet so many people think adding this technology or that business relationship will magically make them succeed. When Google convinced its Android makers to add NFC to phones, the banking industry and retail industry ignored it. Many phone carriers even blocked the service from using their networks. An NFC chip may be useful as the communications mechanism, but the issue is deeper.
The payments issue is complex, but a key challenge was that the customer credit card data was being stolen both at the point of sale through magnetic skimmers and shifty employees, as well as from the data centers by insiders working with cyber criminals. Moving the credit card data from a magnetic strip to a chip-and-PIN to NFC does you no good if the sales terminal is compromised, as we saw with Target last year and with Neiman Marcus and Home Depot this year. If you move valuable information through lots of networks and accessible devices, you have an indefensible perimeter.

Apple Pay does away with that issue by sending one-time codes from the iPhone to the sales terminal, matched to a unique user ID. The reconciliation happens on the back end through presumably highly secured, low-footprint connections. On the phone, the unique ID is stored on the Secure Element chip, inaccessible from apps. The fingerprint in the Touch ID is likewise stored in that chip. Thus, the attack surface is smaller and hardened, and the data is abstracted from the credit card itself. (John Beatty has written a great technical description of what Apple is doing on the security front for Apple Pay.)

To develop Apple Pay, Apple had to work through several issues: the communications technology, the security issues (on the device, at the sales terminal, and at the data centers), the user experience, and the card collection method (through the Passbook app, in this case).

Note “user experience” — this is an area where IT usually fails. Technical personas are different from business personas, but that’s become a convenient “why we can’t” explanation to keep IT down. People use technology, and it needs to feel and work “right.” As long as IT ignores this or pays lip service to it, it won’t be working through the whole problem it needs to.

Lesson 2: Think for the long term

If you’ve been to an Apple event, it may seem as if the new whatever came out of nowhere.
In fact, it usually has been in development for years. The iPad project, for example, predated the iPhone project at Apple, though it was released three years later. The necessary actors came together first for the iPhone, so it shipped first.

Apple spends a lot of effort looking at new and emerging technologies, usually while they’re still in research and incubation phases. Its own engineers try to figure out both how to exploit and how to improve these technologies. It also has the patience to adopt technology “late” if not all the pieces are ready. That’s key: It’s not one technology, but usually a constellation of them that’s necessary to make the fundamental improvement that pays off big.

Remember: Apple was “late” to the MP3 player game, except the existing ones were terrible, and when the revelatory iPod shipped, it ended the rest. Same with the iPhone: In a few short years, it destroyed the old model of the BlackBerry and Palm Treo. (Android leveraged the iPhone’s approach, as Windows did Mac OS’s, but in both cases Apple still makes more actual money than the higher-market-share competition.)

Too many companies look at technologies when they’ve become trendy, or they look at them in isolation. The fact that competing phones have had NFC for a couple of years is a great proof point: Who cares if they were first? They’re not actually used.

IT and business alike should be continuously exploring new technologies and business approaches, regularly investigating what might have use in the future — and for what reasons. That way, you’re more ready to do it right when the time arrives. And you’re more aware of ways to make your business better at any time.

Lesson 3: Tackle intractable dysfunctions when the nadir is near

Why Apple did this for payments while the banking, credit processing, and retail industries — and vendors like IBM, Microsoft, Google, and so on — have not is a major mystery to me.
Except it isn’t — it’s the usual case of an industry or company getting comfortable in its incompetence and past methods. Remember all the ERP failures in the early 2000s? They were driven by companies that wouldn’t rethink what they were doing and instead used new technology to perpetuate existing bad practices and protect existing fiefdoms. The same often happens in VDI deployments today.

The retailers and bankers all want the other guy to foot the bill for new systems, and they’ve successfully punted the issue by allowing insecure systems to remain in use for decades (magnetic stripes — really?) by having us customers pay through hidden fees in every transaction. Frankly, had Congress not started sniffing around the issue after the Target breach, it’s possible Apple Pay would not have gained many banks’ and credit card processors’ quick support.

And retailers still seem unwilling to invest in modern payments technology, as a Reuters report shows. That’s because they bear the cost of the technology upgrade, but they’ve already shifted the cost of fraud to customers via the banks and credit card processors. They have no strong incentive to fix their part of the broken system.

A few dozen retailers, led by Walmart, had been promising for two years their own mobile wallet system called MCX, which will launch as CurrentC next year. It supports bar codes and QR codes to work with much existing equipment, similar to Starbucks’ mobile wallet. The app stores no credit cards on the phone, using a connection to the retailer to generate a token that the app presents and the retailer then validates through its payment system. That’s similar to Apple Pay but without the tap-and-pay convenience or the fingerprint sensor validation.
By disassociating the credit card data from the transaction and using disposable transaction-authorization data, schemes like Apple Pay, MCX, and Google Wallet save the retailers from having to implement onerous PCI requirements to ensure that credit card data are kept secure. That should be an incentive for them to adopt such systems, except they need PCI infrastructure in place for old-fashioned credit card transactions that will be around for years, thanks to the years of avoidance, even in the coming chip-and-PIN era.

Thus, you have an industry that has built the cost of fraud into every transaction, allowing everyone in the industry to avoid doing the right thing. Instead of tackling the fundamental issue collectively, each segment has tried to duck the issue where it could. That’s led to a higher price for us all: Customers pay more than they should, and the compliance and recuperation costs every year only climb for retailers and banks. We’re paying more as a result of not seriously tackling the problem than it would cost to solve it. But we pay in dribs and drabs, so we can ignore the sad truth.

We’ve reached a point — thanks to the massive breaches of late — that the public and government are now really worried, threatening the business of the industry that couldn’t get its own act together and instead pretended. That’s a great opportunity for a provider — I mean you, IT — to come in and solve the problem the participants couldn’t or wouldn’t.

In this case, Apple is acting as proprietary as MCX and Isis, but Apple has something no one else has: a huge, loyal customer base that spends money. It leveraged that fact to get rapid (by banking standards) adoption of its offering. Apple did the same with the dysfunctional music industry via iTunes and the iPod.
It did so with dysfunctional cellular carriers, by forcing them to let Apple manage the upgrades, preventing carriers from imposing or messing with services, and even convincing the carriers to support pay-as-you-go iPad plans. It may do the same with payments, using existing methods in a better package. (My prediction: Apple’s gearing up to do the same to at least part of the highly dysfunctional health care industry.)

Chances are the dysfunction you can address is nowhere near as gnarly as what Apple faced in the payments and music industries, but the approach is the same. Still, few others will really try.

Lesson 4: Disrupt inclusively

When an industry is so badly broken and the pain has grown unbearable, an outside knight can come in and not only fix the problem but do so largely on its own terms — as Apple did with iTunes, the iPhone, the iPad, and now Apple Pay. But the knight has to have solved the whole problem and in a way that doesn’t eviscerate the existing industry. My friend Bud Mathaisel, former CIO at Disney and Ford, calls that “inclusive disruption.”

In the case of iTunes, Apple provided the digital rights management the industry demanded, a key concern in that Napster era, and the music industry felt its property ownership was being maintained. For the iPhone, in return for Apple controlling the environment, the carriers gained a passionate audience and assurance from Apple that no updates would go out that broke their offerings. With Apple Pay, the retailers and the banks make the same money as before, even after Apple’s cut (the reduced fraud pays for Apple), and they probably will get the public and politicians off their backs.

Contrast this to Google Wallet: Each carrier decided whether it supports Google Wallet, there’s no standard, assured security system on the devices themselves, and Google wanted to get the transaction data that retailers fiercely guard for their own use.
Although its HCE token approach was similar to MCX’s and Apple Pay’s, Google had neither a whole solution nor the leverage needed in any part of the affected markets — even a dysfunctional market will try to keep to the failed status quo rather than give up control. You need both the solution and the leverage.

The other industry efforts’ business models are more poisonous, designed for the interests of one party, not the whole ecosystem. That means they require immediate, clear losers to gain adoption. The telco-led effort called Isis Softcard is similar to Google Wallet technologically but charges banks each time a user loads a credit card, rather than each time it is used. That greed has alienated major issuers like Capital One.

Worse, MCX members are forbidden from using other mobile payment systems in their stores, and some, such as Best Buy, are actually removing their NFC terminals as a result. To add insult to injury, MCX’s CurrentC system won’t work with credit cards or debit cards; you have to link it to your bank accounts directly. Why? So the retailers avoid paying processing fees. How many people do you know who will jettison those cards? In this case, retailers’ greed has caused banks to ignore it (they lose credit and debit fees if they adopt CurrentC) and will cause users to ignore it (bank transfers have fewer consumer protections and are less convenient).

And Google Wallet required merchants to share transaction data with Google (remember, Google makes money through data mining), which made Google a competitor to those retailers’ own data-mining efforts.

Apple is no angel: Competing payment systems can’t use its Secure Element chip or infrastructure, and retailers can’t use Apple Pay on non-Apple devices or in their own apps (for physical transactions) to create a universal standard. But they can use standard terminals, mine transaction data, and keep their same profits.

What Apple knows how to do that you should, too: Disrupt inclusively.
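
The one-time-code idea described under Lesson 1, and shared by the token schemes compared above, is illustrated here as an added example; it is not Apple's, Google's, or MCX's actual protocol. The HMAC construction, the transaction counter, and the `Device` and `Backend` names are assumptions chosen to show why what a sales terminal sees is useless once the transaction is done.

```python
import hashlib
import hmac
import secrets


class Device:
    """Phone side (hypothetical): holds a token and a key, never the card number."""
    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents: int) -> dict:
        """Build the message a sales terminal receives: token plus one-time code."""
        self._counter += 1
        msg = f"{self.token}|{self._counter}|{amount_cents}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}


class Backend:
    """Issuer side (hypothetical): the only place a token maps to a real card."""
    def __init__(self):
        self._accounts = {}  # token -> {"pan", "key", "last_counter"}

    def enroll(self, pan: str) -> Device:
        token, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._accounts[token] = {"pan": pan, "key": key, "last_counter": 0}
        return Device(token, key)

    def authorize(self, tx: dict) -> str:
        acct = self._accounts.get(tx["token"])
        if acct is None:
            return "declined: unknown token"
        msg = f"{tx['token']}|{tx['counter']}|{tx['amount_cents']}".encode()
        expected = hmac.new(acct["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad code"          # code is bound to token and amount
        if tx["counter"] <= acct["last_counter"]:
            return "declined: code already used"  # each code is valid exactly once
        acct["last_counter"] = tx["counter"]
        return "approved"


def demo() -> list:
    backend = Backend()
    phone = backend.enroll(pan="4111111111111111")  # constructed test card number
    tx = phone.pay(1999)                     # what the terminal sees
    inflated = dict(tx, amount_cents=99999)  # same code, altered amount
    return [backend.authorize(tx),           # genuine payment
            backend.authorize(tx),           # identical message presented again
            backend.authorize(inflated),
            "4111111111111111" in str(tx)]   # card number never reaches the terminal
```

The point for a defender is the shrunken perimeter: the card number and key exist only on the device and at the issuer, so the terminal and the networks in between carry nothing worth keeping.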
Lesson 5: Technologists shouldn’t solve just technology problems

If you work in IT, you probably don’t pay much attention to the business issues noted in Lessons 3 and 4. But that’s one of the key lessons from Apple: Problems are rarely only technological; therefore, their solutions aren’t either. Your approach should be multidisciplinary, even when technology-centered.

I don’t mean the usual nonsense about getting close to the business, embedding IT in the business, and bridging the IT/business gap — at most companies, those have become meaningless phrases for pretend efforts. If you’re a real team, you have specialists in the appropriate disciplines working together as a real team, not as simply a collection of agents for others. That true team will propagate and involve the departments representing the various affected disciplines. But it has to be an empowered team, not a committee.