Merchant Customer Exchange (MCX), the consortium of big-name retailers currently working on a mobile payment system to rival Apple Pay, may include support for Apple's electronic payment solution after all.
Not only has MCX received widespread criticism from Apple Pay users after several MCX members, such as Walmart, Rite Aid and CVS disabled support for Apple Pay -- they were supposedly waiting for the rollout of MCX's CurrentC -- but the consortium has also been infiltrated. MCX reports that hackers have run off with the email addresses, and possibly other information, of users participating in CurrentC's pilot program.
In a blog post, MCX defends its member merchants for disabling Apple Pay, saying they make their own decisions about which payment solutions to offer. MCX, however, says merchants join the consortium "exclusively." It also says that "there are no fines" for merchants who wish to leave the group, but two sources close to the company tell the New York Times that MCX imposes financial penalties on anyone breaching the contract.
Still, MCX CEO Dekkers Davison says it's a "mistake" to focus exclusively on the technology and not the business solution that CurrentC is trying to provide.
In a hastily called press conference on Oct. 29, Davison announced that MCX is working on incorporating Bluetooth and "many other" short-range technologies such as NFC, the cornerstone of Apple Pay's technology, into CurrentC. Davison also says MCX has already "made arrangements" with two credit card providers to link CurrentC to credit cards in the future, though, he did not provide a timeline of when users can expect credit card support. CurrentC will be officially available in 2015.
Davison has also tried to allay long-existing security fears about the use of CurrentC, which stores users' information, including their bank details and other sensitive data, on the cloud. This is after a blog post reported "unauthorized third parties obtained the email addresses of some of our CurrentC pilot program participants." MCX stresses that the email addresses and ZIP codes obtained were dummy accounts and numbers used "for testing purposes only."
Davison says the security breach, which he refuses to call a "breach" because "it was only email addresses" that were affected, was not done on MCX's own servers but on the servers of its email provider. The MCX chief declined to name the provider. MCX also says attacks like this are "expected" because it is "challenging the status quo."
"When you poke at a large ecosystem, you should expect attacks," Davison says. "None of this comes as a surprise."
In fact, Davison himself says MCX has "repeatedly" been the subject of attacks "in the last seven or eight days."
