
Apple and the mysterious case of the iPhone purchase requirements.

ZDNet blogger is willfully obtuse.

Sometimes it seems that ZDNet drives around in big vans, catches those prone to willful obtuseness with nets and takes them immediately to its headquarters where they're each given a blog.

This time ZDNet's David Berlind is hot on the trail of the hideous secret behind Apple's requirement that iPhones be purchased with a credit card.

And he's got a camera. The Macalope just bets Apple sales associates and holiday shoppers alike were just thrilled to see him coming.

"Oh, hell, Mabel, it's another one o' them ZDNet bloggers. Maybe we should head over to the food court until he clears out."

In fairness to Berlind, it does appear that he was sensitive to the length of the line behind him. But does he really need a camera crew for this? This isn't exactly an episode of To Catch A Predator. He hasn't even posted the video and the Macalope is perfectly willing to concede that everything he says happened did, in fact, happen. Do we really need to see all the annoyed glares and exasperated sighs of those around him?

As you can see in the video, I asked the clerk as well as a manager for some explanation of the policy and all they would tell me is that it's just the company's policy. There was no explanation.

It is truly shocking that Apple retail sales associates are somewhat reticent to accuse walk-in customers -- particularly ones with video cameras pointed at them -- of wanting to resell its products for a markup. Or get into an argument with well-gelled ZDNet bloggers over it.

Berlind then grandly comes to the realization that, well, the rest of us came to over a month ago. [UPDATE: The Macalope mistakenly thought this was a recent piece as it was included in one of ZDNet's daily emails, however it was written in early November. So, Berlind was only a week behind the curve instead of over a month.]

You don't have to be a rocket scientist to connect the dots. Apple has relationships that it's contractually bound to protect and must do whatever it can to eliminate the gray market.

No, you certainly don't have to be a rocket scientist. You just have to have a fourth grade reading level and access to teh Googles because back in October Engadget quoted an Apple spokesperson saying the reason was "to discourage unauthorized resellers".

What really has Berlind's stylish taupe suit pants in a bind is the insinuation by an Apple retail associate that the company could use your name and credit card number to determine how many iPhones you'd purchased.

When I went back (we don't have this part on video), I asked for the same manager. But this time, a woman came out and I told her that the first manager I was dealing with had offered to look something up. Before I could finish, she said "Your name." She went on to explain that I was only allowed to buy a maximum of two iPhones and that, if they could determine with some confidence that I had not already reached that quota, that they could sell me one for cash.

Why is this a problem according to Berlind? After talking to some Visa contacts, he believes Apple may be in violation of the PCI DSS, a credit card industry standard for maintaining data security.

Berlind describes the PCI DSS thusly:

As far as I can tell, the standard policy potentially yields two important results. First, it protects the privacy of cardholders. Second, it helps merchants and card issuers manage risk. It does this by spelling out in fairly detailed terms what can and can't be done with the information that's retrieved off a credit card's magnetic stripe and the lengths to which IT systems must go to protect data (eg: it talks about firewalls, encryption, etc.).

The Macalope is not a lawyer or an information security expert (although he has dealt with information security issues in the financial industry), but he read through the PCI DSS (you can click through the summary to get a PDF of the detail -- it's riveting) and he thinks Berlind's reading (assuming he read it and didn't just rely solely on the summary he got from someone at Visa) is off here. From the brown and furry one's reading, the PCI DSS is almost solely concerned with physical and logical security and restricting access to "those with a need to know". It tells companies what they must do to protect customer data, but says almost nothing about what the company itself can do with the data.

There may very well be other legislation and requirements that restrict the types of lookups Berlind is concerned with, but the PCI DSS doesn't appear to be one of them.

Berlind's point is that Apple has to tie a customer name to a credit card number to get a valid key to figuring out whether or not someone has previously purchased an iPhone. It's also possible, however, to do that with just the last four digits of the credit card number. That may not be any better from the perspective of someone concerned about Steve Jobs sitting in his super-secret lair beneath an island volcano and poring over customers' purchases -- "Aha! He has an iPhone and likes Pushing Daisies! I have you now!" -- but it might be enough to obviate the credit card companies' concerns over storing personal account numbers.

Heck, they print that much on your receipt when you buy a pecan log roll at Stuckey's.
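To make the last-four point concrete: the check the store manager described needs only a stable customer key, not the full card number, and PCI DSS does not treat a truncated PAN (last four digits only) as the cardholder data that its storage and encryption rules are written for. The sketch below is an added illustration, not code from the post and not anything Apple is documented as running. It assumes a hypothetical per-customer cap of two, a keyed hash (HMAC with a merchant-side secret) over a normalised name plus the last four digits as the lookup key, and a constructed test card number; the full PAN is discarded as soon as the key is derived, and an audit helper confirms nothing persisted contains it.

```python
import hashlib
import hmac
import re

# Per-customer cap from the post (hypothetical policy value).
PURCHASE_LIMIT = 2


def last_four(pan: str) -> str:
    """Truncate a card number to its last four digits.

    Only the truncated value leaves this function; the caller discards
    the full PAN once the payment itself has been authorised.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[-4:]


def customer_key(name: str, pan: str, secret: bytes) -> str:
    """Derive a lookup key from a normalised name and the last four digits.

    A keyed hash is used so the stored key cannot be reversed to the
    name/last-four pair without the merchant's secret. Assumed design.
    """
    normalised = " ".join(name.casefold().split())
    material = f"{normalised}|{last_four(pan)}".encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


class PurchaseLedger:
    """Counts purchases per derived key; never holds a full PAN."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counts: dict[str, int] = {}

    def count_for(self, name: str, pan: str) -> int:
        return self._counts.get(customer_key(name, pan, self._secret), 0)

    def try_record_sale(self, name: str, pan: str) -> bool:
        """Record the sale and return True if the customer is under the cap."""
        key = customer_key(name, pan, self._secret)
        if self._counts.get(key, 0) >= PURCHASE_LIMIT:
            return False
        self._counts[key] = self._counts.get(key, 0) + 1
        return True

    def stored_values(self) -> list[str]:
        """Everything the ledger persists, for the audit check below."""
        return list(self._counts.keys())


def retains_full_pan(ledger: PurchaseLedger, pan: str) -> bool:
    """Audit helper: does any stored value contain the full card number?"""
    digits = re.sub(r"\D", "", pan)
    return any(digits in value for value in ledger.stored_values())


def demo() -> dict:
    # Constructed sample data: a well-known test card number, not a real account.
    secret = b"merchant-side secret; rotate like any other key"
    ledger = PurchaseLedger(secret)
    pan = "4111 1111 1111 1111"
    # Third attempt is refused; name normalisation makes the lookup stable.
    outcomes = [ledger.try_record_sale("Jane Q. Shopper", pan) for _ in range(3)]
    return {
        "outcomes": outcomes,
        "count": ledger.count_for("  jane   q. shopper", pan),
        "pan_retained": retains_full_pan(ledger, pan),
        "distinct_customers": len(ledger.stored_values()),
    }


if __name__ == "__main__":
    print(demo())
```

Two different customers who happen to share the last four digits get different keys because the name is part of the hashed material, which is the collision the name-plus-last-four scheme is meant to avoid; what it does not give you is any way to recover the full account number from the ledger, which is the point Berlind's "how could they not?" skips over.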

While the PCI DSS documentation is vague about what data can be retained by a merchant and for how long, the explanation I got made it clear that if Apple is using credit card numbers for reasons other than completing monetary transactions -- in other words, if Apple is using credit card numbers for the purpose of tracking (as seems to be the case here) -- that Apple might not only be in violation of PCI DSS, it could also be breaking some laws (some of which are based on PCI DSS) as well as breaching the terms of its agreements with card issuers and credit card companies such as Visa, MasterCard, and American Express (who, as you can see by the fines that Visa levied against TJX for the "worst data breach in the payment industry's history," guard the privacy of cardholders with relatively bloodthirsty lawyers).

It's funny that Berlind would mention the TJX case as it involves data security lapses by the company that led to hackers acquiring card numbers. It doesn't allege that the company itself was misusing customer data, but that it allowed others access to it.

[UPDATE: it's even funnier considering it looks like the TJX case just fizzled.]

My educated guess is that Apple's practices have kicked off a shitstorm of an inquisition in the credit card industry that has lawyers on both sides poring through the PCI DSS documentation, merchant contracts, and state/federal laws and that this isn't the last we will hear of this.

Again, from the Macalope's inexpert (but also educated) reading, Apple could satisfy every one of the PCI DSS requirements and still allow someone with the proper access controls -- like a store manager -- to view your purchase history. Maybe there's some other requirement Apple's in violation of here, but Berlind seems to be barking up a stump rather than a tree.

ADDENDUM: Commenter qengho points out:

You forgot to point out that he has no evidence that they've retained his CC number in the first place. The manager retrieved his info by asking for his name, and he goes on to say "But then comes the question of whether they are retaining your credit card number as well. How could they not?"

In other words, he pulled that supposition out of his ass and THEN went on a rampage.

Including calling Visa and throwing around loose charges of violating laws he doesn't actually cite. Remember, you can't spell "supposition" without many of the same letters it takes to spell "suppository".