Apple Pay Enhanced Fraud Prevention

Apple Wallet VISA card users started receiving ‘Enhanced Fraud Prevention’ notifications on 2022-04-22 that outlined changes to how Apple shares ‘fraud prevention assessments’ with payment card networks based on analyzed information from user Apple Pay transactions (purchase amount, currency, date, location, very likely more). The changes apply to Apple Pay in-app and web purchases with VISA brand cards.

Apple has been doing most of this already. The April 2022 Apple Pay and Privacy text expanded upon earlier iOS user guide text:

Previously: If you have Location Services turned on, the location of your iPhone at the time you make a purchase may be sent to Apple and the card issuer to help prevent fraud.

April 2022: For cards with certain enhanced fraud prevention features, when you attempt an online or in-app transaction, your device will evaluate information about your Apple ID, device and location (if you have enabled Location Services) to develop fraud prevention assessments, which are used by Apple to identify and prevent fraud. Apple will share the fraud prevention assessments as well as information about your transaction (such as purchase amount, currency and date) with your payment card network for fraud prevention. You will receive notice that your card has enhanced fraud prevention when you first add it to Apple Pay and when you first attempt an online or in-app transaction with the card. To prevent the sharing of fraud prevention assessments with your payment card network, you may select another card.

For VISA Enhanced Fraud Protection, Apple changed ‘may be sent’ to ‘will be sent’.

The start of Enhanced Fraud Prevention (EFP) coincided with Apple Pay problems for users traveling abroad who use In-App purchase to add money to Suica and PASMO transit cards. After the April 2022 EFP rollout, ‘I can’t use my home issued Apple Pay card to recharge PASMO’ complaints started appearing on social media. This trouble was previously unheard of for inbound Apple Pay Suica • PASMO users; recharge just worked for any Apple Pay card that supported In-App payments.

The big change came in August 2022. Apple Pay In-App use in Japan suddenly went from working across the board to working selectively: some apps work and others do not, including Apple’s own Wallet app. We got a sense of what was happening behind the scenes when VISA blocked foreign-issued VISA cards for Suica and PASMO (and now also ICOCA) for Apple Pay In-App recharge use, exactly when VISA is making a huge push for open loop transit in a bid to marginalize Suica payments share, aka more contactless payment turf wars. Officially there has been no explanation or clarity as to what works with Apple Pay In-App, what doesn’t, and why.

What is VISA trying to achieve with EFP and why now?
My first thought was that this was partly a response to bad publicity from the silly, sensationalist ‘Apple Pay Express Transit has been hacked!’ VISA story that made the rounds in October 2021. However, I now think it boils down to VISA wanting to obtain more customer transaction details with Apple Pay In-App and web purchases, and other digital wallets like Google Pay as well. They want to obtain the same customer VISA card transaction information with Apple Pay/Google Pay In-App and web transactions that they get from store readers. All non-store Wallet VISA card transaction info is used for ‘fraud prevention’.

I have doubts about the whole fraud prevention security angle because digital wallets are much more secure than plastic. Right? If Apple Pay is as highly secure as Apple says it is, why does it need EFP? The only potential weakness we’ve seen so far is VISA failing to fully implement EMV transaction guidelines for transit transactions using Express Mode. Right? Whatever security risk EFP is supposedly addressing is clear as mud.

Fortunately we do have clarity on the timing of the Enhanced Fraud Prevention rollout: Wallet notifications went to VISA card users in various Apple Pay regions (US, Japan, Australia and more) the same day Apple switched their Apple Cash card brand from Discover to VISA. Kissing the Green Dot Bank and Discover backend goodbye for VISA was the smart thing to do if Apple wants to take Apple Cash international at some point. Obviously Apple had to implement Enhanced Fraud Prevention for the Apple Cash switch to VISA to happen.

Now you see it, now you don’t
Unfortunately Wallet doesn’t always show you which VISA cards use Enhanced Fraud Prevention and which do not. Immediately after the April 2022 rollout, Wallet EFP cards explained it in card details. EFP Wallet credentials disappeared later that year and have not come back, except on iOS 17 beta devices which also display the EFP banner when adding a VISA EFP card in Wallet for the first time.

The Apple Pay Enhanced Fraud Prevention (EFP) legal blurb has changed significantly since the April 2022 rollout. The February 2023 updated text now references on-device fraud prevention assessments; cards that have it list EFP in their Wallet credentials on iOS 17. There is also a new text string in iOS 17 B3 that Steve Moser discovered, with slightly updated wording of the February 2023 text referencing the Apple Cash backend, Apple Payments Inc: “If you have enabled Location Services for Wallet, your device will also evaluate information about your device’s location to develop on-device fraud prevention assessments. The output of the assessments, but not the underlying data, will be sent to Apple Payments Inc.” Apple Cash and VISA again.

VISA is pushing for more Apple Pay In-App/Online customer transaction data, Apple is pushing back with on-device assessments. That much is clear. What’s not clear is if EFP VISA cards are fully cleared across the board for Apple Pay In-App and web purchases, or not.

2023-07-27 Update
This page is suddenly slammed with search hits as Apple Pay is rolling out EFP to all VISA cards in Wallet regardless of iOS version. The EFP blurb was added to my Wells Fargo VISA in the past 12 hours. Not confirmed for all Apple Pay regions but USA, Europe, Japan, Singapore confirmed. New Apple Pay hash flags have also appeared on Twitter/X. Coincidence? Connected? Will update as details emerge.