Our Blog

Geo-political issues and Apple Pay

Back in March, at the height of the Crimean crisis, Visa and MasterCard blacklisted certain Russian banks and prominent Russian businessmen.

They did so at the behest of the White House. Certain Russian banks and figureheads were on a US sanctions list. Visa and MasterCard followed through with the requests from 1600 Pennsylvania Avenue by blacklisting cards from specific Russian issuers and rescinding card privileges for certain Russian businessmen, predominantly oligarchs with alleged close links to Russian President Vladimir Putin.

Apple Pay


These acts infuriated the Duma. They were, in effect, the catalyst for plans to create a Russian national payments system. The law was passed on July 1 giving the green light for the implementation of this system, delayed until October 31 depending on Visa and MasterCard’s response to certain Russian demands.

When the US sanctions were announced thousands of Russians were stranded abroad when their cards were rejected as their issuing banks were blacklisted. The domino effect of these sanctions is that Russian businesspeople are now transferring their allegiances from Visa and MasterCard to UnionPay, that is until Russia’s mooted national payments system is up-and-running. It will be 2016 before this system is implemented, as some 100 million cards will need to be issued to Russian consumers.

Given UnionPay’s startling rise over the last decade this card migration solves one problem for Russian tourists and businesspeople: that of card acceptance outside Russia. Gazprombank has also started to issue UnionPay cards to its customers as replacements to Visa and MasterCard.

Using UnionPay provides flexibility. UnionPay is now accepted in over 140 countries worldwide, while banks in more than 30 countries now issue UnionPay payment cards.

Russian authorities viewed the sanctions and blacklistings as a national security threat. In retaliation Russia placed a $2.9 billion security deposit demand upon Visa and MasterCard – it was initially estimated at $3.8 billion – with Bank Rossiya, one of the banks on the US sanction list. This security deposit figure is estimated to be the equivalent of two days worth of transaction processing between Visa and MasterCard in Russia. The deposit can be avoided if the card schemes set up card processing centres in Russia.

Sanctions and blacklistings are the tactics of geo-political disputes. Despite their far-reaching ramifications there is a system that is known and followed. All involved know what is happening and who is doing it – but what if there was no control? What if there was a payment processing system where no-one knew who owned a certain payment card? Enter Apple Pay.

Apple Pay to muddy the waters

Visa and MasterCard’s decision went to the heart of the Russian economy. It was a US tactic carried out by the card schemes. But what happens when the US government – or any other government for that matter – cannot identify the cardholders that they wish to blacklist? This is where Apple Pay muddies the waters.

Apple Pay – as per Apple’s launch press release – does not store card numbers on the device nor on Apple servers. Instead, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element on your iPhone or Apple Watch. Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.

The problems arise for acquirers (and their associated national governments) as Apple Pay never deals with the actual card PAN, only a token of the PAN. Acquirers, for example, will often use the first six digits of every card PAN (known as the BIN) for identification and currency conversion purposes. Card schemes and acquirers use BIN tables to identify and make processing decisions on card transactions. The BIN identifies the card issuer’s nationality as well as the card currency. No access to the PAN will mean that this method of selection is rendered redundant when using Apple Pay.

The FBI have already expressed concerns over the security of Apple’s new iPhones (“too secure,” they have wailed!) but perhaps it is this loss of card identification that is the real issue.

Geo-political fall-outs

It is a fact of life that countries have political rows with others. Sometimes – as was the case between the US and Russia – these rows escalate to the point where one sanctions institutions or citizens of the other.

In some cases acquirers can be asked to block certain BINs in order to stop citizens from certain countries from transacting. This has also happened recently to Syria and Sudan.

While the US can still do this through the card schemes, as Visa, MasterCard and American Express are all effectively US companies, no other country will have the power to control what transactions its national acquirers can accept if the transactions are authorised via Apple Pay.

Of course, this can be viewed as a good or a bad thing. It does, however, put a lot of power into the hands of Apple and the card schemes at the potential expense of acquirers, issuers, and payments services providers, who are the mainstay of the electronic payments business today.

That being said, Aviso have ‘heard on the street’ that the card schemes will apply specific BIN ranges for tokens to mirror ‘real’ BIN ranges (i.e., a specific token BIN will be assigned to a specific issuing country). If this is the case, then it is likely that the schemes will issue BIN files containing both the existing BINs, as well as token BINs (with additional information related to that token BIN, for example the country and currency of the token). If so then some of the problems we have explored in previous articles in this blog series may be solved.

This policy itself would bring its own complexity. For example, today we are talking as if Apple Pay will be the only Token Service Provider (TSP). If specific ‘token BINs’ are assigned in order to retain additional cardholder information for tokenized transactions, how will this scale as more TSPs are added to the mix? What is to stop two separate TSPs from assigning the same token to different transactions that happen to hit the same acquirer?

There is no doubt that these issues are real, and will cause problems for different acquirers in different parts of the world. While the problems presented are significant, Aviso believes they are not insurmountable.

Ultimately, the potential value of driving transaction acceptance through a smart device like a mobile phone will lead to a far more compelling user experience than we are used to today.

Aviso is working with our acquiring partners to shape this more exciting future of electronic payments, and we’ll be excited to share some of these insights in the not too distant future.

New subscribers/readers

This is the final post in our four-part series on the introduction of Apple Pay.

Related posts

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.