Apple researching how to enhance security of future QR code Apple Pay transactions

article thumbnail

Apple Pay transactions could take place without needing to use NFC, as more evidence surfaces that Apple is strongly considering allowing in-store purchases to take place by securely scanning QR codes.

For years, Apple Pay's transactions with physical retailers relied on the use of NFC, with an iPhone coming close to a payment terminal to perform the purchase as if it is a contactless payment card. While such transactions are quite commonplace, the NFC method isn't the only way Apple is considering how to communicate the payments.

In July, a code leak from the second iOS 14 beta indicated Apple Pay had a new feature on the way for "Code Payment," which would enable Apple Pay transactions to take place via QR codes. By scanning a code displayed in-store, this would instruct the Wallet app to perform the transaction via Apple Pay's servers over its own cellular system.

In a patent granted by the US Patent and Trademark Office on Tuesday titled "Effecting payments using optical coupling," there is more evidence that Apple has considered using the technique for some time.

The filing describes the entire process for a secure transaction, where there isn't any direct communication of sensitive data between the user's device and a retailer's system. Apple reasons that the use of Bluetooth and NFC are still at a potential risk to privacy breaches, due to actively broadcasting a user's transaction data.

There is also the concern that contactless payments are not supported by every payment terminal. For example, retailers who do not have a payment terminal capable of accepting NFC communications.

In the system, Apple proposes a camera could be used to scan and decode "optical codes," which can take the form of a QR code. The code contains a claim number, which the user's device can use to transmit to a clearing house server electronically.

A QR code transaction would be an indirect transaction between customer and retailer, via a clearing house.
A QR code transaction would be an indirect transaction between customer and retailer, via a clearing house.

The clearing house system uses the unique claim number to cross-reference with purchase orders placed into the same system by the retailer. A file is sent back to the customer's device containing another code, either as a barcode or another QR code, with a number of identifiers relating to the order and associated data.

At this point, the user is then presented with an authorization screen to confirm they want the transaction to take place, which is then sent back to the clearing house. After that, the clearing house then sends the merchant a communication that the invoice was paid.

With the code being transmitted to a clearing house, Apple suggests there would be a level of anonymization in the process, as it would inform the merchant that the invoice was paid, but not the payer's identity. It is likely that the need for privacy is included is in part due to the original implementation of the patent as being intended for the payment of prescriptions at a pharmacy.

The list of claims includes references to whether a prescription was filled, the anonymization of the prescribing doctor, and the use of pharmacy systems. There are even references to adjusting the number of pharmacy refills in confirmation messages, the issuing of additional instructions from doctors in transmissions, and other medical-related details.

Though the claims largely handle a medical-related transaction, descriptions of the patent further down the filing also talks about more general transactions.

The patent, originally filed on August 18, 2016, lists its inventor as Binu K. Mathew.

Apple files numerous patent applications on a weekly basis, but while the existence of a patent filing indicates areas of interest for Apple's research and development teams, they do not guarantee the existence of a feature in a future product or service.

Aside from the leaks of Apple's potential Apple Pay addition, QR codes are already being used for some payment transactions. Retailers such as Walmart and Kroger have come up with their own mobile wallets and QR-based payment systems, though they are largely only for use via one retailer instead of working for vast numbers, as Apple Pay currently does.

This is also not Apple's only visual code transaction patent. In 2015, it gained patents for an "Invisible optical label for transmitting information between computing devices," namely embedded machine-readable codes that can be captured by another device's camera.

It is thought the patents in that filing explained how the particle cloud pairing system of the Apple Watch worked.

 

Latest News