Apple Pay Competitor Exposed Customers’ Email Addresses Before Launch

Retailers’ attempt to offer a competitor to Apple Pay and other contactless-payment systems is off to a rough start: The email addresses of beta testers and customers who expressed interest in the system have been accessed before the offering makes its official debut.

Merchant Customer Exchange, a consortium of retailers more widely known by the acronym MCX, sent out an email Wednesday morning informing customers who had signed up for its CurrentC system that their data may have been accessed, a spokeswoman confirmed.

“Within the last 36 hours, we learned that unauthorized third parties obtained the email addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app,” Linda Walsh said in an email on behalf of MCX. “Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected.”

Some MCX members, such as drugstore chains CVS and Rite-Aid, turned off their contactless-payment systems after Apple Pay launched last week, refusing to accept the new service that allows users of certain newer iPhones to pay by placing their phone near the terminals and proving their identification through Apple’s fingerprint reader. Other MCX retailers — including Wal-Mart, the largest retailer in the United States — refused to accept the service from the outset, as they wait for the CurrentC system to launch.

MCX is currently testing the CurrentC system, in advance of a planned rollout in 2015. The system connects directly to a customer’s bank account, instead of using credit cards like Apple Pay, and seeks to add other options such as coupons and loyalty programs.

“The technology choices we’ve made take consumers’ security into account at every aspect of their core functionality,” MCX CEO Dekkers Davidson said in a blog post meant to answer questions about the service since MCX retailers cut off Apple Pay.

Davidson stressed that customer information was safe because it is not stored on the device.

“Users’ payment information is instead stored in our secure cloud-hosted network,” he noted. “Removing this sensitive information from the mobile device significantly lowers the risk of it being inappropriately disclosed in a case that the mobile device is hacked, stolen or otherwise compromised.”

Retailers have struggled with data breaches that target customer data, with high-profile successful attacks at Target, Home Depot and other large chains being widely publicized. Apple has attempted to make security a selling point for Apple Pay, which joined Google Wallet and Softcard as options for customers looking for a contactless payment option.

Apple CEO Tim Cook said Monday that Apple Pay had signed up 1 million customers in its first three days of availability.

“We’re already No. 1. We’re more than the total of the other guys, and we’ve only been at it a week,” Cook said at a conference in Southern California.

This article appeared in print in the October 30th, 2014 edition of Hamodia.