Apple Pay Rival MCX Hit by Data Breach
They want to handle your money, but they can't hold on to your email address.
Merchant Customer Exchange (MCX), the consortium of major retailers developing the CurrentC smartphone-payment service, and which has emerged as a major obstacle to widespread acceptance of the rival Apple Pay service, appears to have its first major security problem.
'Thank you for your interest in CurrentC,' read an email sent out today (Oct. 29). 'You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the email addresses of some of you.'
MORE: Blocking Apple Pay Is Anti-Consumer (Op-Ed)
The message goes on to warn of phishing emails purporting to come from CurrentC, asking recipients 'not to open links or attachments from unknown third parties' and stating that 'neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, Social Security number or other personally identifiable information.'
A CurrentC help-line number was provided at 855-772-8773. The help-line technician who answered our call said that something had gone wrong with the third-party email-subscription service used by CurrentC, and that the investigation was continuing.
'The CurrentC app itself was not affected,' an MCX spokeswoman told Tom's Guide. 'We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved.'
We received the email because we'd signed up for alerts about when CurrentC might be available in our area. The email sign-up page has disappeared from the CurrentC website.
MCX is a consortium of several dozen major retailers, led by Wal-Mart, who have been developing a smartphone-payment service called CurrentC.
MCX and CurrentC were thrust into the public spotlight earlier this week after two consortium members, CVS and Rite Aid, blocked Apple Pay at their retail locations after discovering that their Near Field Communication (NFC)-enabled credit-card readers were compatible with Apple Pay. CurrentC uses QR codes instead of NFC to authorize payments.
(The card readers would also have been compatible with Google Wallet, the wireless carriers' Isis/Softcard and PayPal's One Touch, but none of those existing NFC payment services have gained much traction with customers.)
MCX's real target is not Apple, but Visa and MasterCard, who take between 2 and 4 percent commission on every transaction involving one of their credit cards - including, presumably, Apple Pay.
CurrentC would bypass Visa and MasterCard altogether by debiting payments directly from customers' bank accounts, much like a debit card. It also app
However, CurrentC, which is being road-tested in a few metropolitan areas (CurrentC wouldn't tell us which ones), will not be widely available until early 2015. Until then, MCX's members, which also include ExxonMobil, Target, Sears, Kohl's, Best Buy, the Gap and Old Navy, among many others, will have to make do without any kind of in-store smartphone-payment system.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil