How Google took a page from Apple to secure Android Pay
That's a good thing. Google Wallet required you to wake your phone, open the Wallet app, and enter a pin number if you decided to protect the app with a passcode, all before waving your phone near the payment terminal. That's a lot of work.
Android Pay will work just like Apple Pay: Upload your card information to the app, and Google will create one-time account numbers to represent your actual card number, so merchants never see your information. Then hold your Android phone near a payment terminal and watch the screen come to life with your cards already stored inside. Tap the card you want to use, and authenticate your purchase with your fingerprint (a feature like Touch ID that's new to Android M).
Sounds more than a little familiar.
Google gets serious about security--sort of
But Google was years ahead of Apple when it came to NFC payments, you say Well, yes, but it certainly didn't perfect them. First, Google lacked support from three of the four big carriers, which were backing their own mobile payment service called Softcard, which recently folded into Google. The company also found a rival in Visa, which was also developing its own NFC payment option. And at last count just a few months ago, Google Wallet had support from just over 300,000 retail locations, a far cry from the 700,000-plus that are on board with Android Pay, plus the 1,000 apps that support Android Pay purchases.
Then there's the not-so-small issue of security, which Apple went to great lengths to perfect. Android Pay uses tokenization to create virtual representations of your real card numbers, just like Apple Pay. The big difference between the two services is that Apple uses a Secure Element, a physical chip inside your phone, to store your encrypted financial data. Android Pay, like Google Wallet before it, uses Host Card Emulation, storing your encrypted data in the cloud.
That can be off-putting. Google Wallet also stored all of your transaction information, including time, date, and geolocation, within the Wallet app. So helpful! And so creepy. Android Pay is now far more secure than its predecessor, thanks to tokenization and fingerprint authentication, though it sounds like the service still stores information on what you bought and when--you'll be able to see "transaction details right on your phone," Google said in a blog post announcing the new service.
No fingerprint No problem
Google's biggest Android issue is fragmentation--the fact that not everyone can install the latest version of its OS at the same time--so it made Android Pay backward compatible to devices running KitKat and up (two OS versions ago). But only the latest version of Android supports fingerprint authentication for purchases, and not all Android phones have fingerprint sensors. If a phone lacks a fingerprint sensor, or if the phone isn't on Android M, then Android Pay reverts to a passcode or pattern unlocking mechanism, losing the security inherent in fingerprint authentication to begin with--and basically making the new feature new in name only.
Apple has the advantage of being able to push out software upgrades instantly, which means every iPhone owner with compatible hardware (6, 6 Plus, or Apple Watch) could immediately start using Apple Pay on launch day. And while it would be great if Apple fans with older iPhones could use Apple Pay, too, the security features just aren't in place (unless you have an iPhone 5, 5s, or 5c and an Apple Watch). Don't have a fingerprint sensor in your iPhone Sorry, no Apple Pay for you. Better safe than sorry.
But Google beefing up its mobile payment service to compete with Apple is good news, because it forces both companies to improve. For instance, Android Pay works with your rewards cards and loyalty programs, which Apple is reportedly planning to add to Apple Pay. Once retailers finally move to NFC payment terminals, paying for stuff with your phone instead of a physical card will at long last become the norm.