After characteristic Apple grandiosity at press shows in September and October, Apple Pay quietly went national on Monday with the promise to "transform mobile payments" by enabling Apple afficionados to finally use their iPhone 6 or iPhone 6 Plus to pay for purchases at retail store cash registers.
Continue Reading Below
But Android users have been able to do that since 2011, and the virtual wallets that made that possible have been slow to catch on. Meanwhile, our hands-on testing and review have found that, overall, this latest virtual wallet is merely on-par with its two big predecessors, Google Wallet and Softcard.
That's not to say Apple Pay doesn't bring anything new to the table–it does, and we'll get to that. But worthwhile product innovations can't simply ignore fundamental product handicaps, and Apple Pay doesn't grapple with a biggie:
A critical drawback of all three smart phone wallets is that shoppers can use them at only 220,000 merchant locations in the U.S. That represents a tiny 2 percent of the 12 to 15 million retailers who accept plastic credit and debit cards. Merchants have been reluctant to incur the cost of adding the special near field communications (NFC) radio equipment needed to receive payment information from NFC-based wallets.
You've heard of the quest for a killer app that will sell a billion. Extremely low merchant acceptance of virtual wallets is an app killer.
Get the full details and scoring of our head-to-head comparison: Apple Pay vs. Google Wallet vs. LoopPay vs. Softcard.
Continue Reading Below
When we field tested Apple Pay at a wide range of eight different retailers in the San Francisco Bay Area this week, it worked at only two–McDonald's and CVS. So we had to complete our purchases with plastic. Apple Pay didn't work at major retail chains where lots of consumers would probably love to use it: Target, Starbucks, Seven-Eleven, a Lucky supermarket, and a Shell gas station, as well as at one mom-and-pop produce store. Apple Pay is also useless at Walmart, though our evaluation didn't include this biggest national retailer.
By contrast, LoopPay, a much-less-famous virtual wallet that doesn't rely on NFC, can be used at 90 percent of retailers who accept plastic, the company says. LoopPay uses a technology that mimicks a payment card swipe in the magnetic stripe readers that retailers already have. Our own field test found that LoopPay worked at seven of the same eight retailers where we tested Apple Pay.
Although Apple suggests that its billion-dollar brand name will take Apple Pay viral, this mobile wallet suffers from another major disappointment that may limits its potential. It can only be downloaded to two phone models, vs. 80 for Softcard, 268 for Google Wallet, and a wide range of models for LoopPay.
Yes, there will probably be 30 million iPhone 6 and iPhone 6 Plus handsets in use by the end of this year, but Apple Pay doesn't work on earlier iPhones (until the Apple Watch comes to market and enables those models with an encrypted SIM card, NFC, and a hefty pricetag). In all, 300 million cell phones in the U.S. are not the iPhone 6 and 6 Plus.
The Cupertino computer maker did not respond to our more than two dozen direct questions about Apple Pay, except to point us to press releases, Apple Internet ad copy and promotional materials, and one refreshingly detailed Apple white paper about its wallet security.
On the plus side, Apple Pay offers improved security, particularly with its Touch ID fingerprint authentication, that can take the place of a PIN to unlock the phone and wallet. That's important, because users soon tire of having to constantly punch in a PIN and surrender to the temptation to disable the auto locks altogether. The convenience of Touch ID should boost security, even though it can be disabled for both the phone and Apple Pay.
"The fingerprint is far superior to a username and PIN, because four-digit PINs rely on a limited number of values, 9,999, whereas you are the only one with your fingerprint," says Satnam Narang, the research security response manager at Symantec, the security software company. By contrast, Apple says the chance of a random fingerprint match with yours is 1 in 50,000, when only 1 fingerprint is registered to the iPhone. (The phones can recognize up to five fingerprints.)
Touch ID also enhanced Apple Pay's ease of use, which makes it the only mobile wallet–in our estimation–that's easier to use than a credit card. The need to key in PINs when the phone and wallet auto-locks are enabled–as they should be for security–contributes to our conclusion that Google Wallet and Softcard are merely equally convenient as paying with plastic, not more convenient.
Apple Pay also provides great security by generating a unique code or "token" for each transaction, which can't be re-used, and by storing "device account numbers" on the phone's encrypted chip, in place of your actual payment card account numbers. Even if a hacker gets those numbers, they can't be used outside of Apple Pay.
But Google Wallet and Softcard also use dynamic transaction tokens, and Google generates and stores "virtual card" substitutes for your real payment card numbers. So Apple Pay tokenization is not the innovation it's been tricked out to be. "Tokenization is a Visa and Mastercard standard that Apple adopted. Anyone can use it," says Avivah Litan, a financial fraud analyst at Gartner Research. LoopPay says it will have tokenization in 2015.
All four wallets also check to make sure that the card properly belongs to the owner of the phone and virtual wallet, to prevent crooks from adding your card to their wallet.
Take steps to prevent fraud
Consumers should not allow the better security of mobile wallets lull them into letting down their consumer protection guard. The federal loss liability limits of unauthorized transactions made using a mobile wallet are the same as those that apply to the underlying credit or debit card you use in the wallet transaction. So we and our colleagues at Consumers Union, the advocacy arm of Consumer Reports, recommend that you load credit cards onto your wallets rather than debit or prepaid cards, because credit cards have the best consumer fraud protections.
Apple Pay does well here, too, because you can only load debit and credit cards onto it, not prepaid debit cards, which come with the lowest levels of consumer protection.
In today's era or daily data breaches, virtual wallets provide better security than hackable credit and debit cards. The shame, however, is that this protection isn't worth much if there's lots of places where you can't use that super secure payment technology, because that forces you to ultimately make payment with less-secure plastic payment cards.
—Jeff Blyskal (@JeffBlyskal on Twitter)
Copyright © 2005-2014 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.