German Govt to force Apple to open NFC

From the German IT news site, the German Government have extended the money laundering laws to state that payment providing platforms have to be open to all comers in the finance industry.

In this special case, it is aimed at Apple, who do not let banks and credit institutes use their NFC API for mobile payments. This is something Google’s Android already supports.

ApplePay was released in December 2018 and it immediately got bad press, because people couldn’t use their own bank’s payment app and Apple only supported credit cards from 6 banks (mainly minor players) in Germany (in fact, 2 weren’t even German banks and not at all present in Germany!). There was no option to pay using a debit card/checking account with the iPhone (credit cards are still not owned/used by a majority of people in Germany).

The banks, specifically Sparkasse and Volks- und Raiffeisenbank lobbied Apple and the Government to get access to the contactless payment interface. Sparkasse is a co-op type bank and one of the largest networks in Germany, Volksbank and Raiffeisenbank is in the top 5 German banks.

The German banks have had contactless payment with debit cards for many years now and have had mobile payment apps since at least 2016 on Android. Apple iPhone users were left out in the cold by Apple, no ApplePay and the banks couldn’t use the NFC interface to support the existing NFC payment networks.

The law says that Apple (or other payment service providers) have to give access to their technology to other credit institutes.

Apple’s main claim was that it would compromise security and data privacy. The latter is complete tosh, IMHO. The German banks are held to a much higher standard than Apple, they are legally not allowed to sell or share payment data with third parties and if you use the bank’s own app, only the bank, you and the retailer know about the transaction, if you use ApplePay, Apple are also in the chain.

The other point is, financial data about Germans is, generally, not allowed to leave the country, it has to be stored in Germany and cannot be stored in the cloud, unless the company gets a special dispensation from the German Inland Revenue (Finanzamt).

The law has been passed by the government, but the Bundesrat still has to clear it, but this is expected to be a formality. Even so, Apple could still take this to court.

The question is, whether this will harm its already small market share (around 16% last time I saw any figures for Germany), or whether the principle of being the only payment service allowed to use the NFC on the iPhone is even more important to Apple than its reputation and sales in Germany…

But have they got themselves an out by bringing 3rd-party NFC and FIDO2 token support to iOS 13.3 this past week?

Not if it doesn’t allow the bank apps to make payments, no.

This is purely for NFC payments using third party applications (specifically banking apps).

I’ve been using my bank’s mobile payment app for a few years now, long before either Google Pay or ApplePay appeared over here. Why would I want to put yet another third party in the chain, when I can pay directly from my bank account?

But as I understand it, that’s what 13.3 facilitates: 3rd-party dongles w/ 3rd-party apps, totally independently of Apple ID’s and on-device authentication. It seems to be what you’re after. I myself was waiting for this before enabling any 2-factor and plan to purchase keys soon. I don’t understand how it’s not what you’ve described. Is it that you want 3rd-party apps to trigger Apple ID purchases? If so, then why tout excluding Apple from transactions as a plus to native banking apps? I apologize if I’ve misunderstood… That it took this long to arrive is pretty inexcusable, in my book, BTW.

This is not triggering ApplePay, this is using, for example the Sparkasse app instead of ApplePay at an NFC terminal in a shop to make a payment. You hold up your phone to the terminal and the phone automatically opens your default payment app (Sparkasse in my case) and the Sparkasse app authorizes the payment and the money is transferred from the bank account to the merchant directly, no AppleAnything in the process.

No need for ApplePay to be configured on the device.

Edit: From what I can see, 13.3 allows NFC tags to be read or written to, but it doesn’t enable 2-way communication for payment authorization through third party apps, unless the article I read is missing something.

Oh, so you’re just talking about directing a Point-of-Service NFC trigger to a wallet or payment app of the user’s choosing, not unlike the “file types” “default app” setting still missing from iOS. Yeah, that should totally be a thing and because it doesn’t even involve Apple’s protocols other than passing the trigger to a 3rd-party, I don’t see how it could compromise security. In terms of privacy, yes, users are safer if only Apple responds in that then malware can’t be aware of, log, and/or operate upon triggers, but we’re not to be made digital serfs in order to prevent that risk.

If Apple’s smart, I think they’ll seek to foster robust interoperability amongst a panoply of payment platforms in keeping with their “personal computing” roots rather than using their hardware as a cudgel upon software and financial services, because otherwise I see them on a collision course with regulation on the one hand, of which this instance in Germany is surely just the beginning, and costly, brittle uncompetitiveness relative to open-source and free-software alternatives on the other.

Australian banks tried to force Apple to open up NFC a few years ago and failed.

I don’t think Apple will ever give unfettered access to the NFC on iPhones, but maybe they will open up parts of it using some controlled APIs akin to the Fido and adding of transit cards into the wallet.

The Germans aren’t really known for their willingness for companies to bend/break rules. If push comes to shove, would Apple give up the German market rather than capitulate to an order from the German government? More likely they would make some unreliable broken thing that technically meets the letter of the law, and only allow it to be used in Germany, while blaming any failures on the German banks, and blocking their apps from the store for various and sundry reasons.

I think you’re right about this

A good question. I doubt they’d pull out, but I do expect that they will waste time and money on lawyers trying to fight it.

Germany is a very different market to the USA, the UK and many others. Credit is still seen by many as bad, the younger generation are more open to taking on debt, but older generations learned to do without and saved up until they had the money to buy something. I grew up in the UK, but my parents were the same way, they never bought anything on credit.

Apart from cars/bikes to get to work, I’ve never bought anything on credit - well, I did save up for a new TV in the 90s and when I went to buy it, it was 0% interest, so I left the money for the TV in the bank account gaining interest and paid off the 0% credit over 18 months.

A lot of people in Germany still don’t have credit cards and businesses accepting credit cards (or even debit cards) isn’t universal. My wife bought a new neon bulb for the kitchen last week and didn’t have any cash, the business didn’t accept cards, so they are sending us an invoice for 10€!

Most supermarkets don’t accept credit cards or only started accepting them within the last couple of years. NFC debit cards have been around for a while now and wireless payment through mobile apps from the banks popped up a couple of years later. Google’s service came a couple of years ago, but I don’t know anyone who uses it, they all use their bank’s app, so Google doesn’t get any information on the payment transactions. The same is true for ApplePay, it only supports very few banks and none of the major banks, so Apple users still tend to pay with their NFC debit cards and moan that they can’t use their phones like Android users do, to make payments.

The mobile payments standards are the same as those used by Apple and Google, with the chip on the NFC card or the banking app on the phone making a one-time authorization token for the transaction.

The second thing is that Germany is much more privacy conscious than many other countries, having lived through National Socialism and the Staatssicherheit (Stasi) in the last century and many older people see the likes of Google, Facebook & Co. as the Stasi on steroids. Luckily for Google & Co. many people, especially younger people, aren’t aware of the way these big companies are constantly spying on them. They don’t understand enough about how the web works and they don’t care how it works, so there is some acceptance of Google and Amazon assistants, for example.

Facebook is shunned by many and WhatsApp is prohibited if you use your phone for work purposes (it breaks GDPR rules), so Facebook’s payment service isn’t likely to make much headway here either.

The last thing they want is to share their purchasing data with yet another entity, whether that is Google or Apple. In fact cash is still very much loved. Card payments only approached 50% of all transactions for the first time in 2018 (payment apps on smartphones are considered a sub-category of card payments), cash and invoice payments still exceeded all other payment methods.

This makes it a very hard market for the Silicon Valley giants to break into. They are not trusted, they ignore local laws and they store their data in the USA. German Financial Regulation forbids the sale of transaction information, for example. Therefore most Germans are relatively happy to use a debit card (a majority still don’t have a credit card), because they know that the bank can’t do anything with it, they can’t sell the data and they can’t use it to upsell other services.

If I’m just looking at the headline, it sounds like once implemented, this means I’ll be able to reverse engineer any NFC system and use it for my own advantage even by cloning bank cards and terminals.

That’s why I felt like the issue misses the mark: it’s nothing without FOB confirmation. Whether or not ApplePay is involved, I would only ever even consider it with a physical token 2nd factor (which also goes for banks’ own apps, in my book, NFC or no).

I only have one case of an insecure NFC instance in my possession but it’s simply a fare card. I didn’t get as far as authentication schemes yet, never mind, for my own use.

I’m curious, @big_D, when Germans talk about “opening up” ApplePay, is what I’ve described enough, where it directs what would have been an ApplePay trigger to the user’s app of choice? Because, I actually do still oppose forcing Apple to allow 3rd-parties to integrate within ApplePay itself.

It was already stated what is wanted. The banks want to use the hardware that already exists inside the phone to be able to communicate wirelessly with NFC merchant terminals, just exactly the way Apple Pay does. This is a perfectly reasonable expectation… “We want it to be possible for our bank software to be able to have feature parity with Apple Pay, nothing more, and nothing less.”

It isn’t opening up Apple Pay, it is opening up the NFC interface on the iPhone, so that banking apps can make financial transactions, just like Android and Windows 10 Mobile can/could, just like the existing NFC card payment systems.

At the end of the day, they all use the same sort of process and the same terminals, connected to the same backend systems using the same sort of encryption to ensure a secure transaction.

The banks and the users don’t want access to ApplePay, they want access to the NFC interface, so they can use the iPhone for payment, without it going over Apple.

You still need the same second factor that you need with the NFC debit and credit cards, i.e. the PIN for transactions over about 20€. It also needs an application PIN or biometric authentication on the phone to enable the transaction in the first place.

Sounds like there’s a happy medium possible, then! Apple’s foolish to forego it, IMO, because I think there’s the potential that by trying to make of ApplePay The One True Currency they will instead see their marginal adoption in Germany writ large.

As I’m not an Apple phone owner, let alone user, I don’t know how Apple Pay works. Do you invoke the app first, and then attempt the transaction… or do you just touch your phone to the NFC transmitter and that automatically starts the Apple Pay process?

I am familiar with how I do it on Android, but my use case is probably not even typical. I run with NFC (and Bluetooth and WiFi and GPS and LTE data) disabled at all times, unless I am actively using them. So when I want to use my phone to pay I manually enable NFC and then manually launch the Google Pay app. I don’t know if “auto launch” is possible.

If auto launch is possible, then Apple would have an argument saying they don’t want confusion about which app to launch to complete a transaction… and I’m sure they don’t want to offer the option to disable Apple Pay so that something else would have preference.

I don’t have an iPhone either. I assume it works the same way as Android, either automatic or manual. My banking app can launch automatically or I can set the OS to not start any app and I have to do it manually.

In my case, I have my personal account open automatically, if no payment app is open, otherwise it uses the app that is open, e.g. the app for my joint account.

Edit: Damned auto complete changing words at random, again…

I think Apple should be fine having ApplePay as the default at installation, and let users pick if they want. I’m not sure how NFC works enough to be certain, but if there’s any way to track the tags, then not unlike the way IP addresses are divvied up or serial numbers for monetary bills work, institutions could publish or share their NFC tag domain so that Apple and other vendors could facilitate their users’ choice over how to handle any given token based on who it’s from and what they’re doing with it, even down to each instance with, say, the help of machine learning such that scanning at a restaurant during business hours pulls up your employer’s banking app for billing them, whereas off-hours or if you’ve set your status to off-duty then it opens instead your personal bank’s app to charge your own account there. Stuff like that.

For Apple to try to force everyone to use ApplePay all the time for everything is folly for anti-trust reasons if nothing else, it seems to me, if they actually do succeed in that. If ApplePay is the default, and specific user action is required to opt for something else, then I don’t think they would have a confusion argument. I’m glad Germany’s pressing them on this, and I hope they win, my worry is just that ApplePay itself would then be similarly in the cross-hairs, but I’m not worried enough to care since Apple would have very strong, direct arguments on grounds of compromising the security of their product.