When Samsung Pay launched in the U.S. on Monday, it did so on schedule but with less issuer support than had been expected, with only Bank of America, Citi, American Express and U.S. Bank announced as participants.
"The number of merchants is outweighed by the limited issuer list," said Richard Crone, of Crone Consulting. "The interesting thing is this limited list of issuers, which is not as long as Apple Pay's was when launched. Unlike Apple Pay, there was no last-minute fire-drill with invitations to all of the other financial institutions. Apple Pay created a feeding frenzy” among issuers.
Samsung Pay’s technology was obtained by buying payments vendor LoopPay, which argued its payments mechanism could effortlessly work on more than 90% of all card swipes by wirelessly mimicking mag stripe communications. In other words, if the card swipe would accept a magstripe card—with the exception of insert models popular at gas stations—it would work with LoopPay.
The Samsung model, however, integrates with mobile wallets, thus requiring issuer support as a key part of the broad reach a wallet can deliver. The LoopPay technology deployments were just "proof of concept," Crone said.
Hence, Samsung's statement on Monday that said that "Samsung Pay works almost anywhere you can swipe or tap your card," was a bit of a reach.
That short list of issuers comes with a more fully-featured mobile wallet, with a particular focus on security. Unlike LoopPay before acquisition, Samsung Pay uses the same biometrics (fingerprint) authentication as Apple Pay.
But Samsung Pay is differentiating itself from Google Pay on security. Samsung Pay will not work if the handset has been rooted (aka jailbroken), according to posts from a Google security engineer named Jason D. Clinton. That is in contrast with Google Pay, which "worked pretty smoothly on rooted devices," according to a story in Tech Times. Samsung did not return a request for comment by deadline.
"Google is absolutely committed to keeping Android open and that means encouraging developer builds. While the platform can and should continue to thrive as a developer-friendly environment, there are a handful of applications (that are not part of the platform) where we have to ensure that the security model of Android is intact. That ensuring is done by Android Pay and even third-party applications through the SafetyNet API," Clinton wrote. "As you all might imagine, when payment credentials and--by proxy--real money are involved, security people like me get extra nervous. I and my counterparts in the payments industry took a long, hard look at how to make sure that Android Pay is running on a device that has a well documented set of API’s and a well understood security model. We concluded that the only way to do this for Android Pay was to ensure that the Android device passes the compatibility test suite--which includes checks for the security model."
Samsung Pay will function initially on Galaxy S6, S6 edge, Note5 and S6 edge+ devices operating on the AT&T, T-Mobile, Sprint and U.S. Cellular networks in the United States. The U.S. launch follows a successful move into South Korea, where the vendor saw $30 million worth of transactions in one month.
Although Samsung Pay has been described as a placeholder payments method until EMV becomes dominant in the U.S.—which could take several years—Samsung argues that its use of tokenization means that "as terminals are upgraded to EMV, that security is leveraged too."
Crone agreed, saying that Samsung Pay could deliver some of the EMV-level security benefits to retailers who have yet to upgrade their card swipes and whose customers have yet to use EMV cards. "By only rendering tokenized credentials, whereas LoopPay didn't have that, merchants get EMV without [requiring] an EMV card. They can do some of this without having the delays of the old technology" where EMV cards had to be inserted and stay inserted throughout the transaction, Crone said.