By Paul Ziobro and Suzanne Kapner
A retailer-backed rival to Apple Inc.'s new payment system said
hackers stole email addresses for some people participating in a
pilot.
The consortium, called the Merchant Customer Exchange, said the
intrusion by unauthorized third parties compromised the email
addresses of some people who were testing out its payment system,
called CurrentC, as well as some people who had expressed interest
in it.
The breach didn't affect the CurrentC app itself, and many of
the email addresses were for dummy accounts, MCX spokeswoman Linda
Walsh said. Still, it comes at a sensitive time. Retailers are
already under scrutiny for a string of security lapses, and Apple
has just launched its new Apple Pay system, which promises to be
harder to hack than existing systems because it doesn't share
users' account data.
MCX members are at risk if Apple Pay takes off. Their contracts
oblige them to sit out Apple Pay and other mobile payment systems
that could compete with CurrentC, which isn't expected to launch
until next year. Drugstores CVS Health and Rite Aid, both members,
recently turned off the wireless NFC payment terminals that allow
shoppers to use their iPhones at checkout.
Kohl's Corp., another member of MCX, finished rolling out NFC
terminals to all of its stores this month but hasn't turned them
on, fearing it would confuse customers into thinking they could
check out with Apple Pay, said Ratnakar Lavu, who oversees digital
technology for the nearly 1,200-store chain.
MCX has notified the merchants in the consortium and the people
whose email addresses were compromised, and is continuing to
investigate the hack, Ms. Walsh said. The consortium includes other
major retailers like Wal-Mart Stores Inc., Best Buy Co. and Target
Corp.
The security breach comes just a week after Apple launched its
Apple Pay contactless payment system, which lets people use their
iPhone to buy things in stores like Macy's Inc., McDonald's Corp.
and Walgreen Co.
CurrentC works by pulling up a scannable code each time a
shopper makes a purchase. The extra steps of unlocking a phone and
opening the app have slowed adoption of other mobile payment
systems, such as the one rolled out by Google Inc.
Apple Pay smoothed the process by relying on an fingerprint
scanner that can process a payment without having to unlock the
phone or open an app.
CurrentC aims to give retailers a way to cut out credit-card
companies by linking the app with checking accounts, gift cards,
and some plastic issued by merchants. Doing so saves money by
eliminating the 1% to 3% fee that retailers pay every time they
process a credit card transaction via Visa Inc., MasterCard Inc. or
American Express Co.
It is also part of a battle to control data. Instead of getting
it from the credit card companies, retailers can have access to the
data themselves. They say they will be able to better tailor
coupons, promotions and other shopper rewards to their
customers.
Security is an issue with all payment systems, but CurrentC's
plans to directly access users' checking accounts raises the level
of sensitivity.
Apple, which declined to comment Wednesday, has had to cope with
its own security questions. Weeks before the company announced
Apple Pay, hackers were able to gain access to some celebrities'
iCloud accounts, including private photos.
The company has said its systems weren't centrally breached;
instead, it said the hackers successfully guessed or obtained
passwords. Apple has said it has taken additional steps to keep
hackers out of user accounts.
Robin Sidel contributed to this article.
Write to Paul Ziobro at Paul.Ziobro@wsj.com and Suzanne Kapner
at Suzanne.Kapner@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires