Instead, what will happen is they will broaden the scope of the capability while maintaining positive control over the secure element lines of communication. Currently this is strictly excluded to anyone except the financial institution.
The reason why Apple created ApplePay, was because they are interested in the reduction of fraud that is perpetrated against their iPhone customer. By providing a method of payment where the only record of the transaction is created for the financial institution exclusively, that mitigates the fraud that is enabled by merchant or third-party record-keeping
Usually merchants and third-party application developers are not experts in database security. And until merchants are willing to take full responsibility for the extent of the damage that is done when their databases get hacked and their customers private information is used and the result is the customers Credit and their good name are damaged, then Apple should never open up their secure element API to anyone that is not willing to fully compensate their iPhone customer.
That means 3 or 5 or even 10 years of ‘identity theft’ protection is NOT SATISFACTORY.
What needs to happen, is the defrauded iPhone customer should never need to call anyone, or email anyone or even think about their private information that was compromised because a dumbass merchant created a record of the transaction for no…good…reason.
The Merchant should be responsible for proactively keeping the victim informed with human operated phone calls every month or bi monthly, reporting on the progress that the negligent merchant has made in regards to their victims credit and identity. The merchant should bear full responsibility for costs, logistics, and should meet an acceptable level of progress every month. If that level is not met, then they should be required to pay a fine equal to the monetary equivalent of what a merchant would penalize a customer for not paying their bill.
Merchants should also be rated by a system that is functionally similar to the credit bureau. Consumers should be able to check the ‘Security Rating’ of a merchant based on their their level of performance. Their customers who have been victimized due to the incompetence of the merchant in the context of security, would be able to affect their security rating based on whether an acceptable level, as dictated by their victims, has been met. Merchants are given a score, and their ability to acquire new customers and take their business should be commensurate to that score.
If a merchant is a piece of shit, they wil get no new business until they have achieved a level of competence that shows they are ready to focus on new customers…which would be defined by achieving a satisfactory level of service by the customers they already have that been abused by that merchant by not securing their personal data.
If a merchant has a great security rating, they should be allowed to accept new customers until that point of incompetence is reached. They would then relegate their focus to existing customers, until those customers have indicated a satisfactory level of service has been given.
When the iPhone customers private and personal information are compromised due to focus being placed on making money first and protecting the customer second, the environment is not ripe. Until that shift in priority occurs, APPLE should be the exclusive DRI for information security in the context of Apple Pay and fraud.