CVS and Rite Aid turn off NFC readers

Well, someone has funneled money to Intuit to pay for CC reader upgrades to all of their merchant accounts (including one I have). Yes, Intuit Merchant Services is providing *free* new CC/Pin-pad readers to all of their customers, which will include NFC capabilities. I'm highly suspect of anything "free" from Intuit. Someone paid them to do this. My bet is Apple, and then Apple will get a cut of all of the Apple Pay sales. I'm sure I'll end up paying for this in the end...

Could also be completely unrelated, and tied to the recent attacks on the readers themselves... Intuit may be covering their assets....
 
So, out of curiosity, I checked out CurrentC. I added my email to their 'Notify Me' database to keep up with launch information.

Today, I get this email about a breach in their system, and a 3rd party gaining access to the email database. Some security. ....and you want me to give you my checking account number?? Karma.

Especially considering that if they move to EMV Chip +PIN debit cards, using the debit card itself to access your checking account will be as bulletproof as it currently gets, whereas using CurrentC would add an additional layer of vulnerability.

Rich
 
One thing I've wondered is why Visa or MC or AMEX don't provide a site that you can go to that will generate one-time-use card number/expiration dates.

So, for example, if you have a CapitalOne card, you go to your account page, and click a button and voila, a card number is generated. You punch that in to Amazon or other online retailer, and the charge goes through. But after that the card number is invalid. Can only be authorized one time.
 
CurrentC is a joke. It bypasses banks, so banking laws don't apply, so you as a consumer have no recourse if the system is hacked. Using CurrentC involves three or four steps that are sure to enrage anyone standing behind you in the checkout line. From the merchant point of view there are two advantages:
1) No banking charge.
2) The user can be tracked.

Apple pay and the other NFC systems are much safer. Apple pay is the best one because of the very clever way it is implemented.

For ease of use, Apple pay is up there with my Mobile Speed Pass, but with much better security. That's because to pay with Apple pay you put your finger on the fingerprint sensor and tap the point of sale device. The phone does NOT have to be unlocked.

Note that if I pick up your iPhone I can't use it to pay for things unless I also steal your fingerprint.

Apple Pay does NOT retain your credit card information anywhere in the phone. Instead a 'token' is created when you input your credit card (by taking a picture of it). Creation of this token is done using the hardware encryption chip in the iPhone. This chip contains a unique number that cannot be accessed.

When you tap your iPhone6 the point of sale device and the iPhone perform a handshake that results in the POS device receiving a 16 digit number that is a real credit card number, this is called a 'PAN' (primary account number). The PAN includes a token flag, that tells the system that this is a one time use number. The credit card processor uses a third party service called a 'token service provider'. This third party knows how to translate the one time use PAN into a 'real' PAN that is passed to the card issuer.

This protocol is a standard; it is used by both Apple and Google Wallet. The Apple implementation seems to me superior from both user interface and security points of view.

Note that every time you pay with Apple Pay all the merchant knows is that one time use PAN. So they can't track you as an individual.

I've obviously oversimplified a lot, you can dig into the gory details here:

Clover Developers
 
The problem, again, is that these layers of security are actually layers of vulnerability. They're not in series, as it were, placing additional obstacles in the way of miscreants. They're parallel branches that add additional potential pathways for breaches.

My most recent compromise was through Home Depot's system. They kindly enrolled me in yet another identity-theft protection program, which I decided to activate because the one provided by the previous company through whose system my information was compromised is expiring in a few months.

The problem is that they can't activate my credit monitoring because they can't verify my phone number, and the reason they can't verify my phone number is because it's a Magic Jack number. It's the only number that anyone except family and close friends get, mainly because it's cheap; and I don't care about the call quality because I never answer it, anyway.

So now this identity theft company wants me to fax them copies of various documents to prove my identity -- so they can protect it. They assured me that only "two or three" individuals have access to this information. That, to me, means "two or three" additional people will have that information who didn't have it before. How do I know that one or two of them aren't themselves crooks?

It's another parallel vulnerability. It does nothing to place an obstacle in the path of an identity thief. In fact, it opens up another potential route for compromise. I told them to forget about it. The insurance and repair services don't require the monitoring and alerts, anyway.

No matter how many different ways these systems are encrypted and munged, at some point the system has the ability to charge a card; which means that at some point, there's a vulnerability, and that vulnerability, slight as it may be, applies to any card the system is capable of charging.

Maybe the risk is quite slim, but it exists. So as a consumer, I have to consider that risk against the benefits: And frankly, I just don't see the benefit as being worth even a slight risk.

It's frivolous.

It's trivial.

It's more about being cool than anything else.

It adds a parallel path of vulnerability in return for ... what? Being able to use my phone to pay for my groceries?

That's simply absurd, in my opinion.

CurrentC is even more absurd because, as mentioned, the consumer has practically no route of redress if it's compromised. And again, what do consumers get in return for adding a parallel path through which their information might be compromised? Nothing except a "cool" checkout experience -- assuming that you consider adding a few more steps to the process and irritating those behind you in line to be "cool."

Oh yeah, there's that, plus even more user tracking and more targeted ads. Can't underestimate the value of those things.

I'm seriously starting to think that our technology is making us stupider as a species.

Rich
 
Personally, I think you have to be half insane to use any electronic payment system that stores your card numbers.

I'm currently on my third year of free identity theft protection from the four times that my card information has been compromised from supposedly "secure" systems. Home Depot was the most recent, and I will activate their free year as soon as the current year's (courtesy of Food Town) expires. The two years prior were courtesy of Target and Adobe.

I have also canceled my accounts with almost all vendors that require that I keep a credit card other than their own on file. Adobe's the lone holdout, and only because I need their software more than they need me. They have a card number that gets used for nothing other than their bills. Everyone else who insisted on having a payment method on file either got canceled, or else I obtained the vendor's own card and let them store that number.

In short, NO ONE gets to hold my card numbers any more. I seriously think someone would have to have rocks in their head to entrust all their card numbers to any company -- Apple, Google, or otherwise -- just so they can pay by waving their phone at a machine, I mean, seriously, gimme a break.

The only way I could see myself using a service like this would be if they only had a single card on file, preferably their own, which was used for nothing else. This way when their system inevitably gets hacked, I'd only have one card to cancel.

Rich

As opposed to giving your credit card to some $600/week waitress with a $700/week drug habit. You understand that with a credit card you're handing over EVERYTHING required to make a purchase. Number, exp date, CSV and a signature sample...all right there in someone else's custody out of sight. Super design that...

With Apple Pay and Google Wallet two things are required...a chip and a PIN. Your fear is baseless and smacks of techno-fear. Odd given I know you're into technology...but hate Google for some reason.

Disclaimer: I am an admitted Google fan boy. I've given my entire identity over to Google and I couldn't be happier with what I've received in return. On the flip side I absolutely HATE a handful of companies. AT&T, Verizon, and ComCast come to mind...
 
I don't hate Google. I just have no delusions regarding what business they're in. I don't hate rabid raccoons, either. But I keep my distance from them, too.

As for restaurants, you're absolutely right. The system is idiotic. But I rarely eat out, anyway, so it's not an issue for me. When I do, I bring enough cash with me to pay the bill -- for exactly the reasons you cited.

Rich
 
It does nothing to place an obstacle in the path of an identity thief.

Actually, Apple Pay completely hides the user's identity. The actual credit card information is not stored anywhere in the iPhone or in any merchant system. The map from token to account number is not directly available on the internet, and is held in a very secure cryptological vault, not accessible by the merchant or user.

There are no 'parallel path' vulnerabilities in the Apple Pay system.
 
Well, let's hope you're right. We need some positive history made, and the world's first truly perfect, truly bulletproof, truly un-hackable system, operated by a company where there's not a shade of a chance of an inside job because all the employees are perfect and saintly and would never think of aiding a compromise, would do as well as any.

In the meantime, I'll plod on in my skepticism, thank you.

Rich
 
Could also be completely unrelated, and tied to the recent attacks on the readers themselves... Intuit may be covering their assets....

Highly doubt that. Last time that happened a couple years ago with PCI-required upgrades, they made the merchants pay.
 
Personally, I think you have to be half insane to use any electronic payment system that stores your card numbers.

I'm currently on my third year of free identity theft protection from the four times that my card information has been compromised from supposedly "secure" systems. Home Depot was the most recent, and I will activate their free year as soon as the current year's (courtesy of Food Town) expires. The two years prior were courtesy of Target and Adobe.

I have also canceled my accounts with almost all vendors that require that I keep a credit card other than their own on file. Adobe's the lone holdout, and only because I need their software more than they need me. They have a card number that gets used for nothing other than their bills. Everyone else who insisted on having a payment method on file either got canceled, or else I obtained the vendor's own card and let them store that number.

In short, NO ONE gets to hold my card numbers any more. I seriously think someone would have to have rocks in their head to entrust all their card numbers to any company -- Apple, Google, or otherwise -- just so they can pay by waving their phone at a machine, I mean, seriously, gimme a break.

The only way I could see myself using a service like this would be if they only had a single card on file, preferably their own, which was used for nothing else. This way when their system inevitably gets hacked, I'd only have one card to cancel.

Rich

You just made the point why Apple pay is better. With Apple pay neither the merchant nor Apple sees your credit card info. Only a one-time use token is passed to the merchant which contains none of your credit card info. That is why NFC is popular in Europe and Asia (everywhere) except in the States, where we still cling to credit cards with magnetic strips that are so easy to compromise.


Sent from my iPad using Tapatalk HD
 
Well, someone has funneled money to Intuit to pay for CC reader upgrades to all of their merchant accounts (including one I have). Yes, Intuit Merchant Services is providing *free* new CC/Pin-pad readers to all of their customers, which will include NFC capabilities. I'm highly suspect of anything "free" from Intuit. Someone paid them to do this. My bet is Apple, and then Apple will get a cut of all of the Apple Pay sales. I'm sure I'll end up paying for this in the end...

Industry is requiring everyone be EMV compatible by Oct 2015 which requires new terminals for everyone. That has nothing to do with Apple or Google. I'm sure the new reader you have is EMV capable.

See: http://en.wikipedia.org/wiki/EMV#United_States
 
I think anyone who develops a system that stores card numbers is insane. Get the number, send it to Visa, get a hash code back for authentication, never a need to store the number...ever.

I am the CTO of a start-up payment gateway that was built specifically to store credit cards. I've been working on it for years and we are in production with hundreds of clients currently.

I'm quite familiar with how credit card processing works. There is no API I'm aware of to just send a number to visa and get a hash code back. Could you point me to it? How about Discover, American Express, etc? I've done integrations with multiple APIs on the largest processors.

Plus you still have to SEND the number with what you propose. That's quite often where they're getting stolen. **INSTEAD** what needs to be done is the terminal needs to encrypt the card number in hardware BEFORE it's sent anywhere. That encrypted data is then sent to a gateway which will decrypt it, handle business logic, and ultimately hand that card off to a processor over a secure channel. Sadly there is typically no good way for the gateway to hand the original encrypted card from the terminal over to a processor directly without first decrypting it.

It's amazing how complicated the credit card network actually is.
 
Industry is requiring everyone be EMV compatible by Oct 2015 which requires new terminals for everyone. That has nothing to do with Apple or Google. I'm sure the new reader you have is EMV capable.

See: http://en.wikipedia.org/wiki/EMV#United_States

Nope, that isn't the reason. The reader I have that they are replacing is EMV compatible already.
 
You just made the point why Apple pay is better. With Apple pay neither the merchant nor Apple sees your credit card info. Only a one-time use token is passed to the merchant which contains none of your credit card info. That is why NFC is popular in Europe and Asia (everywhere) except in the States, where we still cling to credit cards with magnetic strips that are so easy to compromise.


Sent from my iPad using Tapatalk HD

Close, but not exact. Apple does in fact get your credit card number when you setup Apple Pay. They need it to get things setup with the upstream issuer. Once it is setup they don't need it anymore, and they claim they discard it. But they do have your card number for a bit.

That said, I would trust Apple with my credit card number for a brief moment in time more than I would trust about any other company other than my own :)
 
Any word on when we might get EMV cards and catch up to the rest of the world?

Well in theory everyone should be issuing them within the next year or two but I doubt that will happen. There are some issuers that are issuing EMV cards today. When I attend the credit card conferences a vast majority of the content is about EMV. Lots of panels with "industry experts" talking about how it has to be done. Problem is nobody seems to be sure how to get it done exactly..and the timeline keeps getting closer with little progress being made. We shall see.

I'm not currently very involved with the card present aspect of the credit card business. I work much more in the card-not-present arena. Although that will change in the future.
 
Highly doubt that. Last time that happened a couple years ago with PCI-required upgrades, they made the merchants pay.


When it happens a second, third, fourth time, you buy the new readers for the big places. Or you should.

You're probably right though. No merchant of any size can reasonably just say "screw it, we're cash only" and survive anymore. So they probably pay through the nose for these screwups.
 
Well in theory everyone should be issuing them within the next year or two but I doubt that will happen. There are some issuers that are issuing EMV cards today. When I attend the credit card conferences a vast majority of the content is about EMV. Lots of panels with "industry experts" talking about how it has to be done. .and the timeline keeps getting closer with little progress being made. We shall see.

I'm not currently very involved with the card present aspect of the credit card business. I work much more in the card-not-present arena. Although that will change in the future.

:confused: How difficult could it be? It's happened everywhere else, perhaps they could follow an industry playbook?
 
The U.S market is VERY different from the rest of the world with a LOT more players involved in damn near everything. There are SO MANY middle men involved in a credit card transaction from beginning to end here. The more layers the harder it is.

At the end of the day though it's due to cost and this big catch 22 system. We also have so much more legacy stuff in the U.S. with so many different companies running them all with different agendas.

Issuers haven't wanted to spend the money to issue the cards (which is extremely expensive) because their customers as a whole don't care about EMV and also because hardly any merchants are EMV capable.

Merchants haven't wanted to spend the money to do it either as no one has EMV cards and their customers aren't asking for it.
 
I can't say much due to confidentiality agreements I've signed....

But let's just say I have more than an inkling that major retailers are storing your credit card numbers for long periods... possibly even years in backup data storage... Encrypted, behind a few layers of security to be sure but it's there.

And based on my... more than an inkling of how this stuff works... I'd say they actually pretty much have to store it for a while.

If you want to think about why, go buy some self-serve avgas. Note that you have to indicate how much gas... in dollars or gallons you think you may buy. You will probably buy less gas than this amount. Now go check your credit card statement online shortly afterwards. You may note a pending charge for the maximum amount you put in at the beginning. Some time later... likely a day or more it will show up for the actual purchase amount. Hmm... almost as if the card company was contacted to authorize a max amount they would reimburse the FBO for. Then sometime later the FBO transmitted a big file of the actual charges they needed to be reimbursed for. Naturally such a file would need to include the card number so the credit card issuer would know who to charge it to.

Now imagine the same model at... your favorite chain retailer. The authorized amount is actually the purchase price.... but the settlement is run through separately. Ever return something at a store a couple of days later... and they put it back on your card... without the card number? Might they be looking up the transaction, pulling up your stored card number, and sticking a reimbursement in that day's settlement? Could be.
 
Pretty much every major processor API supports tokenization for settlement. That said this probably didn't exist even 5 years ago and rewriting payment systems is not something that is typically done without a damn good reason. Much of the credit card infrastructure is running on 30 year old or more code and traditional mainframes still.

The way to properly do it, and it is not terribly difficult, is as follows:

1.) Submit card and authorization amount to processor for authorization.
2.) If authorization is successful, processor returns a token.
3.) When submitting the batch (which is what clears the transaction) you reference the token and the amount you want to actually charge the card (which should be less than or equal to what you authorized).

You can also use that token to issue refunds later if need be.

IME, though, most people don't bother. But credit card security is our business so we most certainly bother.

However, there are plenty and plenty of valid reasons for having to store credit cards (recurring is one such reason). If you have any scale your PCI auditors will require that you justify why but it's not terribly difficult to justify if you have a business reason to do so.
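
The authorize, token, batch-capture and refund flow listed in the post above, as an added example that is not part of the original thread and not any real processor's API. `ToyProcessor`, `Merchant`, the `tok_` format and the test card number are all hypothetical and constructed for illustration; the point is that the merchant side keeps only the token and last four digits between authorization and settlement.

```python
"""Toy model of authorize -> token -> batch capture -> refund.
Every name here is hypothetical; no real processor API is imitated."""
import secrets
from dataclasses import dataclass

CONSTRUCTED_PAN = "4111111111111111"  # constructed test number, not a real card


class Declined(Exception):
    """Raised when the toy processor refuses a request."""


@dataclass
class _Auth:
    pan: str             # held only inside the processor's vault
    authorized: int      # amount held, in cents
    captured: int = 0
    refunded: int = 0


class ToyProcessor:
    """Stands in for the processor; the only place a card number is kept."""

    def __init__(self):
        self._vault = {}

    def authorize(self, pan, amount_cents):
        # Step 1 and 2: card + amount in, token out.
        if not (pan.isdigit() and 13 <= len(pan) <= 19) or amount_cents <= 0:
            raise Declined("bad card number or amount")
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
        self._vault[token] = _Auth(pan, amount_cents)
        return token

    def settle_batch(self, batch):
        # Step 3: batch items reference tokens; capture must not exceed the hold.
        results = []
        for token, amount in batch:
            auth = self._vault.get(token)
            if auth is None:
                results.append((token, "unknown token"))
            elif auth.captured:
                results.append((token, "already captured"))
            elif not 0 < amount <= auth.authorized:
                results.append((token, "exceeds authorization"))
            else:
                auth.captured = amount
                results.append((token, "captured"))
        return results

    def refund(self, token, amount_cents):
        # Refunds also reference the token and are capped at what was captured.
        auth = self._vault.get(token)
        if auth is None or amount_cents <= 0:
            raise Declined("refund not allowed")
        if auth.refunded + amount_cents > auth.captured:
            raise Declined("refund exceeds captured amount")
        auth.refunded += amount_cents
        return auth.captured - auth.refunded


class Merchant:
    """Merchant side: stores token and last four digits, never the PAN."""

    def __init__(self, processor):
        self.processor = processor
        self.orders = {}
        self.batch = []

    def start_sale(self, order_id, pan, hold_cents):
        token = self.processor.authorize(pan, hold_cents)
        self.orders[order_id] = {"token": token, "last4": pan[-4:],
                                 "authorized": hold_cents}

    def finish_sale(self, order_id, actual_cents):
        self.batch.append((self.orders[order_id]["token"], actual_cents))

    def close_batch(self):
        results, self.batch = self.processor.settle_batch(self.batch), []
        return results

    def refund(self, order_id, amount_cents):
        return self.processor.refund(self.orders[order_id]["token"], amount_cents)


def demo():
    """Fuel-pump style sale: hold a maximum, settle the actual amount later."""
    shop = Merchant(ToyProcessor())
    shop.start_sale("pump-7", CONSTRUCTED_PAN, 10_000)   # $100.00 hold
    shop.start_sale("pump-8", CONSTRUCTED_PAN, 5_000)    # $50.00 hold
    shop.finish_sale("pump-7", 6_240)                    # actual $62.40
    shop.finish_sale("pump-8", 5_500)                    # more than the hold
    statuses = [status for _, status in shop.close_batch()]
    remaining = shop.refund("pump-7", 1_000)             # refund by token only
    pan_stored = CONSTRUCTED_PAN in repr(shop.orders)
    return statuses, remaining, pan_stored


if __name__ == "__main__":
    print(demo())
```
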
 

It just goes to show you how complex all of this really is, and how perfectly implemented the systems must be. The bank's implementation was flawed, some smart miscreants suspected as much, and they exploited the hole.

Perfection is an unreasonable expectation as long as humans are part of the equation. That's why I believe that consumers have the responsibility to minimize their exposure.

Living cash-only is one way to do that, but it's kind of extreme. Minimizing the number of entities who have access to my financial information is more workable, which comes back full circle to my thesis, namely, that being able to use my phone to buy a jug of motor oil simply doesn't provide sufficient benefit to me to justify yet another entity's having access to that information or the purchase process. I still see it as being mainly a "cool factor" thing with no real advantage -- especially once EMV is fully (and properly) implemented.

My opinion is admittedly influenced by having been bitten in the ass enough times that I have less-than-absolute confidence in the security of electronic financial transactions in general. I probably have an exaggerated opinion of the risk. I'll own that. No argument from me whatsoever. Nonetheless, I still consider the benefits to me, as a consumer, of using Apple Pay, Google Wallet, CurrentC, etc. to be basically nil, and therefore not worth assuming any additional risk whatsoever, no matter how slight.

Rich
 
I am the CTO of a start-up payment gateway that was built specifically to store credit cards. I've been working on it for years and we are in production with hundreds of clients currently.

If I didn't make myself clear on this matter, I'm speaking theoretically, not based on existing systems.
 
The benefit of Apple Pay, Google Wallet, and the like is that it moves from a card and signature (easy to duplicate) to a chip and pin (harder...damn near impossible). In order to hack the latter you need to hack Apple or Google. In order to hack the former you need to get the carbon copy out of a trash can, or have the user GIVE YOU THE FREAKING CARD which we all do when the check comes.

To recap: Card / Signature = Bad
Chip / PIN = Good...borderline awesome

Cash only is not practical for me or nearly anyone else.

When it comes to trust you have to trust your system. Apple? Google? I trust them both a metric (curseword) ton more than I do AT&T or ComCast. I trust them both more than I do any random waitress / bar tender / website and right now I use all of those with my CC from time to time. So....this is a step forward. That's good.

Between Apple and Google I trust Google 10 fold more than Apple. Remember the celebrity photos recently leaked? How about Mat Honan's hacked account? Apple simply gave the password out. Nice, eh?

Google, on the other hand, stands up to the US government, China's government and in general protects its users on a fundamental level. Do they harvest data? Of course! You WANT them to! How else can they give you directions unless they harvest your location data? How can they give you relevant ads unless they harvest your interest data? How else can they notify you of your upcoming flight and give you a boarding pass unless they harvest your email data?

It's not like some human is poring over your personal email, location, and browsing history. Trust me, nobody here is that important or interesting. Computer algorithms do it and it's automatic. Is it perfect? No, but it's the closest to perfect I've ever seen looked at as a whole. Google is an amazing company and I have zero problem letting them handle just about every facet of my digital life.
 
More power to you, Captain.

Rich
 
I don't hate Google. I just have no delusions regarding what business they're in. I don't hate rabid raccoons, either. But I keep my distance from them, too.

As for restaurants, you're absolutely right. The system is idiotic. But I rarely eat out, anyway, so it's not an issue for me. When I do, I bring enough cash with me to pay the bill -- for exactly the reasons you cited.

Rich

Having just been on a trip in Sweden I like the system there: They use the credit cards with a chip embedded (USAA provided us cards with both chip/PIN and mag strip). They bring the card machine to the table rather than take the card away.

John
 
I'm getting a kick out of the restaurant examples. No food joint is going to take Apple Pay at the table nor any other tech solution. They could ALREADY be doing that with mobile card readers if they chose to protect their customers' regular cards. They don't.

[edit: in the U.S. obviously... Re: Sweden post... The fact is, U.S. Merchants care significantly less about customer data.]
 
I'm getting a kick out of the restaurant examples. No food joint is going to take Apple Pay at the table nor any other tech solution. They could ALREADY be doing that with mobile card readers if they chose to protect their customers' regular cards. They don't.

[edit: in the U.S. obviously... Re: Sweden post... The fact is, U.S. Merchants care significantly less about customer data.]

Restaurants don't like taking plastic to begin with. Aside from the fees consuming a significant percentage of their profit margins, it's been rumored that some of them actually don't report cash income. :hairraise: So they're not going to be especially enthusiastic about spending money on equipment to make it easier for guests to use plastic. They'd rather install an ATM in the lobby so they can be paid in cash -- and rape you on the ATM fees, besides.

Europeans tend not to be quite as reticent about making a stink if they're not happy with the service in an establishment. They're also not as clueless as most Americans about data security (as evidenced by the fact that they've been using EMV for, what, 20 years now?). Many merchants in Europe won't even accept magstripe cards. They know better.

The only way U.S. restaurants will change their policies is when they're forced to do so by consumer demands -- and that's not likely to happen as long as Americans are both clueless and passive about it.

In the meantime, I just give the restaurants what they want and pay in cash on those rare occasions when I eat out. When I have no choice but to pay with plastic (a large party, unexpected situation, etc.), I insist on walking the card to the terminal myself. (But I also leave a generous tip -- in cash -- to make up for the server's hurt feelings.)

Rich
 
Issuers haven't wanted to spend the money to issue the cards (which is extremely expensive) because their customers as a whole don't care about EMV and also because hardly any merchants are EMV capable.

Merchants haven't wanted to spend the money to do it either as no one has EMV cards and their customers aren't asking for it.

Nobody's asking, *Except* anybody who has ever tried to use an automated kiosk overseas. You'd think the people with $$$ to travel internationally asking for something would get the banks' attention, but not yet, I guess.
 
Watched some more stuff on this last night. Those merchants that turned off ApplePay had signed agreements they would not use another vendor. So they're kinda stuck, until the contracts expire. Those who signed in the last year or so have an "out" clause. Those who signed earlier don't but are closer to their three years.

Additionally the only way they could stop it, since NFC is a standard, was to turn the readers off. This shut down users who already had the more secure credit cards with the technology and lowered their overall security for those transactions. Many card holders are back lashing against it. Especially sight-impaired or otherwise disabled card holders who found the new tech far easier to use.

Basically, they all signed agreements to screw their existing NFC customers until they devise a way to only accept the "approved" NFC stuff and deny Apple devices.

It's utterly brain dead. The whole thing. Offer multiple forms of payment to customers and take the legal hit now, while you can still prove the other system wasn't operating well. Pay a fine and move on.

I know if I ever do upgrade to an iPhone 6 or 6+ I'll naturally gravitate toward merchants who do accept them. Even if it means slight inconvenience. If most do that, it'll hurt the bottom line enough to pay attention to it at those businesses. There's a Walgreens everywhere you can find a CVS, for example. Not hard to avoid the retailer who won't play.
 
Basically, they all signed agreements to screw their existing NFC customers until they devise a way to only accept the "approved" NFC stuff and deny Apple devices.

The MCX application (CurrentC) doesn't use NFC at all.
 