As security breaches go, the attack on CurrentC was small potatoes. According to an email sent out by the payment card service, someone broke into their email system and stole a bunch of email addresses. CurrentC followed standard practices and notified anyone who might be affected that the breach had taken place.
CurrentC is the payment card service started by Merchant Customer Exchange (MCX), a group of major retailers that launched the mobile payment service reportedly as a way to cut down on credit card processing fees while also gaining the ability to track consumer purchasing practices.
CurrentC has drawn a great deal of criticism recently because it includes contractual requirements that prevent member companies from accepting any other form of mobile payment.
These contract terms prompted merchants that initially accepted Apple Pay to suddenly reverse course and block that service as well as Google Wallet. To accomplish this, two major drugstore chains, CVS and Rite Aid, turned off their near-field communication (NFC) terminals and in the process prevented customers from using contactless credit cards to pay for their purchases.
The actions of the two drug chains to cut out NFC payments predictably enraged users of the other mobile payment systems and in the process kicked off a nascent boycott movement to protest the refusal to accept such mobile payments. To date, the boycott has demonstrated little in the way of support, but some have suggested that the hack of the CurrentC site may be a form of retaliation.
According to CurrentC, the information taken only included a subset of email addresses they had in their records. In a letter to those affected, CurrentC said, “You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the email addresses of some of you. Based on investigations conducted by MCX security personnel, only these email addresses were involved and no other personal information.”
One significant result of the theft of the email addresses is that MCX, the company behind CurrentC, decided to open up about its practices in a press conference on Oct. 29. According to MCX CEO Dekker Davison, the theft of email addresses actually came from the company’s email provider, not from MCX itself. Davison stressed that the CurrentC app and related cloud services were never breached.
CurrentC System Attacked Soon After Some Merchants Block Apple Pay
During the press conference Davison also went to great lengths to describe how CurrentC worked, and exactly what information consumers were asked to provide. He also said that merchants who are part of MCX and CurrentC were free to work with Apple Pay if they chose to do so. He also said that CurrentC was already being set up to work with two national credit card systems and that he expected the payment system to work with all major credit cards.
Perhaps more important to many critics of CurrentC, Davison said that consumers are free to determine how much or how little information is provided to merchants. When CurrentC launches in early 2015, the app will allow consumers to be totally anonymous if they wish, just as they can be with Apple Pay, he said.
Davison also claimed that merchants would be free to accept Apple Pay and Google Wallet along with CurrentC. He said that MCX chose the QR code as the means of identification for CurrentC because it would work with nearly any device and does not require NFC. However, he said that MCX currently doesn’t support Windows Phone or BlackBerry OS.
While discussing MCX’s plans for CurrentC, Davison also noted that MCX has been on the receiving end of recurring cyber-attacks over the past seven or eight days, which would be since it was first reported that CVS and Rite Aid had blocked Apple Pay. He said that MCX had anticipated the attacks and was prepared for them. “We’re challenging the status quo,” Davison said. “When you poke at a large ecosystem, you expect attacks.”
What’s unclear about the current situation with MCX and CurrentC is whether the company has decided to change its approach in the face of growing criticism, or whether the company simply failed to communicate about its plans to the public before taking action. At the press conference, the company tried to project an image of providing a service that seeks to make things better for both merchants and consumers.
That later picture was in sharp contrast to the impression made by the initial reports that indicated that MCX and its merchant backers were engaged in a totally self-centered effort to save the cost of credit card processing fees by forcing consumers to use only debit cards.
If the MCX effort with CurrentC was one of easing transactions all along, then much of the criticism may be due to the company simply not being willing to talk about what it was up to.
The real test will come when retailers take the next step. Will CVS and Rite Aid start accepting payments by NFC again? Will retailers participating in the CurrentC system start working with Apple Pay? MCX indicates that its efforts were misunderstood. Perhaps that’s the case, and if so, it’s good that there wasn’t some sort of action against Apple Pay. But actions speak louder than words.