
November 2nd, 2007

Why Apple only takes credit cards for iPhones & the legal questions raised

Posted by David Berlind @ 3:45 pm

Categories: Apple, General, Legal, Mobile, Personal Technology, Security, Telephony, Video

Tags: Apple iPhone, Credit Card, Apple Inc., Video, Credit Card Number, Sales Channel, Financial Services, Sales, David Berlind

Earlier this week, in a post headlined Apple, hackenomics, and the waning anonymity (and obsoletion) of cash, I warned of how Apple’s practice of requiring credit cards to purchase iPhones reeks of a future where our cash is no good and our privacy is sacrificed as a result of dealing in the far more trackable (and far less anonymous than cash) currency of plastic (credit cards, debit cards).

As I reported in that first piece, Apple hasn’t been very forthcoming about its reasons for requiring a credit card to purchase an iPhone. So, I came up with a list of my own possibilities, all but one of which were big brother-esque in nature. After all, why else would Apple require a credit card if it wasn’t going to retain that information which includes your identity for some reason? There is no information for a merchant to retain when you buy something with cash. Apple must want that information for something. Perhaps even more worthy of scrutiny, according to some members of the credit card industry that reached out to me, is whether Apple’s practice violates any legal agreements, standards, or laws when it comes to credit card processing.

That post drew a flood of Talkbacks; privacy is clearly a topic that people are passionate about and there’s nothing that outrages consumers more than an attempt to track them. But is it true? Is Apple not accepting cash for iPhones? And if so, are Apple Store personnel offering any explanations to customers? To find out, I paid a visit to a nearby Apple Store and we captured most of the conversation on video tape (shown in the attached video). [Editor's Note: The video is not currently available. We apologize for the inconvenience.]

So, what did I learn? First, it is true that if you walk up to a cash register at an Apple Store with $399 in cash, you will be told that you need a credit or debit card. You can see this happening to me at the cash register in the Apple Store. As I’m taking four $100 bills out of my pocket, the clerk informs me that I must pay with a credit card.

Just as interesting however is the fact that you don’t need a credit/debit card for the entire purchase. When it became clear that my $399 in cash was no good at the Apple Store (for an iPhone), the clerk that I spoke with suggested that I pay $1 of the purchase price with my credit card and the rest in cash. This of course makes it clear that Apple needs the information on your credit card for something important. But what?

As you can see in the video, I asked the clerk as well as a manager for some explanation of the policy and all they would tell me is that it’s just the company’s policy. There was no explanation. Apple stores even have a small sign at the cash register that mentions the credit card requirement when it comes to iPhones. But this is where it got very interesting. When I pushed a little harder, the manager went over to a terminal near the cash register and said that there might be something he could do for me. He had to look something up. The line behind me was growing and it was at this point that I said I’d come back.

When I went back (we don’t have this part on video), I asked for the same manager. But this time, a woman came out and I told her that the first manager I was dealing with had offered to look something up. Before I could finish, she said “Your name.” She went on to explain that I was only allowed to buy a maximum of two iPhones and that, if they could determine with some confidence that I had not already reached that quota, they could sell me one for cash. She did not, however, comment on the credit card requirement or explain the point of that policy. But Apple apparently is in a bind right now. It’s in a cat and mouse game with hackers who have made it possible to divorce (“unlock”) Apple’s iPhones from the AT&T wireless service that Apple is contractually bound to keep the phones married to. Why would hackers do this? One reason is that there’s a healthy gray market for unlocked iPhones in Europe where the handsets are fetching some steep prices that are very profitable to anyone who has a supply.

You don’t have to be a rocket scientist to connect the dots. Apple has relationships that it’s contractually bound to protect and must do whatever it can to eliminate the gray market. As far as unique identifiers go, credit cards are a pretty good token for authenticating someone’s identity. At the very least, Apple is probably retrieving (from the credit card) and keeping the name of every person who buys an iPhone. This way, when you go to buy another one, they can see if an iPhone has already been purchased by someone with the same name. But then comes the question of whether they are retaining your credit card number as well. How could they not?

After all, there are lots of people with the same name and the odds are pretty good that certain names have already exceeded their quotas. But certain names coupled with certain credit card numbers. No way. The credit card number is quite unique and if Apple’s database shows that two iPhones have already been purchased by someone whose identity was authenticated with the same credit card, that would be a red flag against selling them a third phone. Are there ways to beat the system? Probably. All you need is another credit card. What isn’t clear though is the extent to which Apple’s system tries to determine a match. For example, if it does a credit card lookup and there’s no match on credit card, will it fall back to your name and geographic area (somewhat reliable, but not totally)? But then, there are more questions about the legality of what Apple is doing.

After publishing that first blog post, I heard from the credit card industry (in that post, I wondered aloud what Visa’s policies were with respect to Apple’s practice). Although nobody has yet gone on record, as it turns out, there’s a security and privacy standard called PCI DSS that practically every participant in the credit card ecosystem is required to adhere to. As far as I can tell, the standard policy potentially yields two important results. First, it protects the privacy of cardholders. Second, it helps merchants and card issuers manage risk. It does this by spelling out in fairly detailed terms what can and can’t be done with the information that’s retrieved off a credit card’s magnetic stripe and the lengths to which IT systems must go to protect data (e.g., it talks about firewalls, encryption, etc.).

While the PCI DSS documentation is vague about what data can be retained by a merchant and for how long, the explanation I got made it clear that if Apple is using credit card numbers for reasons other than completing monetary transactions — in other words, if Apple is using credit card numbers for the purpose of tracking (as seems to be the case here) — Apple might not only be in violation of PCI DSS, it could also be breaking some laws (some of which are based on PCI DSS) as well as breaching the terms of its agreements with card issuers and credit card companies such as Visa, MasterCard, and American Express (who, as you can see by the fines that Visa levied against TJX for the “worst data breach in the payment industry’s history,” guard the privacy of cardholders with relatively bloodthirsty lawyers).

Although my contacts at Visa say they’re working on it, several days have passed since that conversation began: more than enough time to answer the question of whether Apple has violated the company’s policies or credit card industry cardholder privacy standards. My educated guess is that Apple’s practices have kicked off a shitstorm of an inquisition in the credit card industry that has lawyers on both sides poring through the PCI DSS documentation, merchant contracts, and state/federal laws and that this isn’t the last we will hear of this.

David Berlind has been Executive Editor at ZDNet since 1998 and has been a technology journalist since 1991. Although he can't respond to all e-mails, he reads them all. You can reach David at david.berlind AT cnet.com. If you don't want the content of your e-mail to turn up in a blog entry, make sure you say so. To the extent that most e-mail he receives looks to sway his opinion about something, he usually looks to pass those points of view onto ZDNet's audience members for their consideration. For disclosures on David's industry affiliations, click here.