But I also tried adding a few cards that were not mine. I attempted to add multiple cards from two colleagues at Consumer Reports, and while at first it looked as if those cards were going to be approved, the issuing banks ultimately requested additional verification via either a text message, e-mail, or customer service call. That's what's known as two-step or two-factor verification, and it's generally considered to be a higher standard of security for consumer transactions. To import those cards, I would have to be in possession of the card owner's phone, have access to his or her e-mail account, or be able to answer extra security questions.

Then I tried adding my wife's Citibank MasterCard, and it was added to Apple Pay with no request for additional authorization. That was unexpected, since it is my wife's private card, and she has never authorized me as a user. Also, that card isn't associated with our family iTunes account. In fact, I have no current financial relationship with Citibank at all.

I was then able to spend freely with my wife's MasterCard. I took the iPhone to McDonald's and bought five cheeseburgers and fries (which I didn't share with my wife), and I went to Walgreens and bought some cleaning supplies. All the transactions were quick and seamless with the Apple Pay system.

Now, my wife and I love and trust each other, and I did this experiment with her complete cooperation. But it doesn't take too much of a stretch of the imagination to see how the ability to secretly vacuum up your partner's credit card credentials onto your phone could be a problem between spouses in the midst of a breakup or troubled relationship.

I wanted to confirm that I hadn't just experienced a one-time glitch, so I asked one of my married colleagues to try the same experiment. He and his wife also share an iTunes account, and she also has a Citibank MasterCard. He was able to add her card to his account with no additional verification, and he bought several items using Apple Pay with her card. (His wife did get an e-mail from Citibank welcoming her to Apple Pay and letting her know that she could remove the card from the system if she had concerns.)

Why were my colleague and I able to load these cards on our iPhones without additional verification? I contacted Apple, and a representative emphasized that the banks are the entities that authorize a card for use on a customer's iPhone.

So I reached out to Citibank, and a representative there pointed out that I had provided all the important information from the card (card number, expiration date, and card verification value, or CVV), and that the address on my family's iTunes account was the same as the address on my wife's Citibank MasterCard. Also, as part of the authorization process, I had agreed to the terms and conditions, certifying that the card was mine and the name on the card was my own.

To see how some of the other major financial entities involved in Apple Pay dealt with the provisioning process, I reached out to MasterCard, Visa, Chase, and Bank of America, and it was clear that no one really wants to provide too much detail about how provisioning works. MasterCard and Visa never replied; Bank of America sent us back to Apple and the card issuers for information; and Chase considered the information proprietary and said only that Chase does provision for Apple Pay and that it had additional methods to verify its customers.



To be sure, once you have someone else's credit or debit card in your hands, you can do quite a bit of damage without needing an iPhone or Apple Pay. For instance, I could have simply added my wife's credit card to my Amazon account. But if I had used her card without her knowledge or attempted to impersonate her for personal gain, I would have been committing credit card fraud, and she would have been guarded by all of the existing fraud protections that are already available to credit card customers.

And the Apple Pay system did prevent me from committing egregious acts of card theft. But if this really is the future of credit card commerce, there's one aspect of the card provisioning process that could be done better. Since the system already has the ability to do two-step verification, why didn't the banks and Apple make it the only way to authorize a card for use? It's hardly an inconvenience. I tried it with a legitimate card and it took a few extra seconds. Sure, it's not as convenient as simply pointing an iPhone camera at your credit card and instantly authorizing it for use, but I know that my wife would have appreciated the extra verification step—and she also wishes I had brought her home at least one of those cheeseburgers she paid for.



—Glenn Derene