Digital Transactions Authoritative, insightful and timely information for payments professionals
By Jim Daly and Kevin Woodward
Just hours after Merchant Customer Exchange LLC (MCX), the retailer-backed developer of the CurrentC mobile-payments service, posted a response to reports about some of its members dumping Apple Inc.’s rival Apple Pay service, the company notified customers that “unauthorized third parties” had obtained email addresses linked to some of them.
MCX is testing CurrentC with some merchants and has email addresses for test participants as well as consumers who want to be updated about the service. In a notice sent to one of those customers Wednesday morning, MCX said: “Within the last 36 hours, we learned that unauthorized third parties obtained the email addresses of some of you. Based on investigations conducted by MCX security personnel, only these email addresses were involved and no other information.
“In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties,” the notice continues. “Also know that neither CurrentC nor [MCX] will ever send you emails asking for your financial account, Social Security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.
“MCX is continuing to investigate this situation and will provide updates as necessary,” the notice concludes. “We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.”
A spokesperson for Needham, Mass.-based MCX would not say how many email addresses were stolen or how the data breach happened. “Many of these email addresses are dummy accounts used for testing purposes only,” the spokesperson tells Digital Transactions News by email. “The CurrentC app itself was not affected.” In addition to consumers, MCX has notified its merchant partners and is continuing to investigate, she says.
Payments security analyst Julie Conroy, research director at Boston-based Aite Group LLC, says it’s been a “rough month” for MCX, which is planning a mobile-payment system that, unlike Apple’s, will not use near-field communication (NFC) technology. Instead, the system will use QR codes to tap consumers’ bank accounts or private-label store accounts, and will be available on a wider range of smart phones than just Apple’s iPhone 6 and iPhone 6 Plus.
“I think CurrentC already was facing an uphill battle in its planned efforts to try to get consumers to share their bank-account data—its consortium is comprised of a number of merchants that have been breached themselves, and now CurrentC has a breach before they’ve even processed their first payment,” Conroy tells Digital Transactions News by email. “Consumers tend to be more concerned about a breach with the potential to touch their bank account than one that involves credit cards. The former affects the consumer’s own money, whereas credit card breaches just touches on open to buy, and the potential hassle of re-setting a few recurring billing relationships.”
The one positive aspect of the breach is that CurrentC has very little brand recognition at the moment, Conroy notes. “Consumers’ memories for these things are short, but I think this breach does underscore the future challenge that MCX will have in getting consumers to trust a consortium of retailers with such highly sensitive data,” she says. Some press reports have said that in addition to bank-account numbers, CurrentC is asking test participants to provide Social Security numbers for verification.
The breach news overshadowed the blog post the secretive firm made earlier Wednesday addressing the many media reports about it in the past week after drug-store chains Rite Aid and CVS, both MCX members, turned off contactless NFC technology in their stores so that they can’t accept Apple Pay. In the post, MCX called some of the comments “misinformed” but confirmed publicly for the first time that it indeed has an exclusivity policy. The policy requires members to accept only MCX if they want to accept mobile wallets.
The post also hints that CurrentC users someday might be able to fund their purchases with general-purpose credit cards. One of the main objectives of MCX’s 50-plus announced members, which in addition to CVS and Rite-Aid include Wal-Mart Stores Inc., Target Corp., and many other national retailers, is to escape what they say is the high cost of accepting major-brand payment cards. One of the “key benefits and features” of CurrentC listed in the post is to “provide consumers with multiple ways to pay at their favorite merchants, including merchant gift cards, credit cards, and debit accounts and personal checking accounts. MCX has plans to add additional forms of payment, including credit cards.”
MCX did not say when or under what terms CurrentC would take general-purpose cards, notes Rick Oglesby, senior analyst at Double Diamond Payments Research, Centennial, Colo., but he predicts it will seek agreements with card issuers that agree to reduce MCX members’ interchange costs. Merchants pay interchange to issuers in bank card transactions, but Apple has persuaded issuers to give it a cut of their payments revenues.
“If MCX can achieve a degree of consumer adoption and scale, then it will be a space where banks will be losing business,” Oglesby says by email. “The banks will therefore want to get their cards into the MCX wallet and may be prepared to negotiate for that under a more competitive environment than what currently exists in the network/acquirer-facilitated model that requires all cards to be honored. Apple Pay has completed bank-by-bank agreements with specific financial arrangements for each; MCX will seek to do the same.”
