Apple Pay is a dumpster fire

One of the things that is often on my mind is, "How do I make my ticket store a more effective Money Vacuum?" (Less self-aware people might prefer some horseshit euphemism like "removing friction from the transaction".)

So with the understanding that the best login system is the one to which you're already logged in, I thought, "Maybe I should support this Apple Pay and Google Pay nonsense." Let people check out with the card that's already loaded into their phone instead of making them type in the card number again, or create a new account on my site.


I've put about 16 hours into the Apple Pay side of this already, and I'm not sure I'm even halfway done.

Getting a credit card nonce from is like, 20 lines of code. Getting a nonce from Apple is hundreds, and takes multiple round-trips. Plus it requires managing a whole new set of certificates that expire once a year. I haven't even started on Android yet, but it looks to be equally complicated but of course in utterly different ways.

I think it might be time to just say "ha ha ha, no" and just delete all this code.



16 Responses:

  1. Nick Lamb says:

    Not sure it's a dumpster fire, but it definitely looks like cargo cult cryptography. It keeps relying on a PKI which is almost never what you want. We get lulled into thinking it's what you need because of the Web, where any of billions of people can visit any of billions of web sites and so yup, you need a PKI. Every Apple Pay : Merchant relationship is a boring 1:1 relationship which doesn't need all these extra moving parts (multiple 25 month renewing certificates!) that don't add any value.

    To me the Google solution looks both technically simpler and more amenable to just being dropped into an existing payment system you built, but YMMV.

  2. CdrJameson says:

    'Think Different!' is a threat, not an inspirational slogan.

  3. Ever tried to send Apple notifications? It's the computer equivalent of screaming into a black hole.

    Their entire API is the worst sort of bullshit and nonsense ever created.

    • jwz says:

      Shit, I can't even get to consistently notify me. What year is this?

      • It's truly amazing how their products get consistently worse with every iteration. I particularly love how they can't seem to keep iPhone and Messages contact lists in sync.

        • Jim says:

          if ($portion_done >= 1.0) {
            printf "You are 100%% vested. Why are you still here?\n\n";
          }

        • Elusis says:

          I particularly love how they can't seem to keep iPhone and Messages contact lists in sync.

          Oh good, so that's not just me then?

  4. Are you using Apple Pay JS, or Payment Request API? Payment Request API is supposed to be reasonable.

  5. Jim McGuire says:

    Thanks, I'm glad I read this. Like, REALLY fucking glad. I'm a computer-illiterate 70 year old artist, on the verge of setting up the proverbial website to "get the work out there" and maybe even make a living. The plethora of options has me paralyzed, and I was thinking, just yesterday, "Well, at least Apple Pay is probably easy since I'm already part of their ecosystem." Buddy, you're a lifesaver.

    • Pauly Sharr says:

      Suggest you consider using Wix. Or WordPress + WooCommerce with a hosted solution that takes care of security updates etc.

      The gal who was selling her bathwater uses Wix. Considering that she likely has access to unpaid web development expertise vastly dwarfing what JWZ has already sunk into his site, she might be onto something.

  6. jwise says:

    I have had very good luck using Stripe for both sites that I needed "really easy payments" on, and it looks like they integrate with Apple Pay. There is maybe some argument in favor of delegating payment capture to someone who has a financial incentive in you using their service, rather than to someone who does not give a sixteenth of a shit whether you support their service. If you get too frustrated, you might find adding their layer of indirection to be a breath of fresh air...

    (As a disclaimer, I haven't tried Google Pay or Apple Pay integrations with Stripe myself yet. But I would be quite surprised if they were bad.)

    • jwz says:

      Yeah, I'm sure Stripe spent the several days it took to get Apple Pay limping along.

      Certainly, many people choose to implement their store by just letting someone else run it for them. Many people also decide that hosting their own photos is too hard, so they just used Flickr. Or that hosting their own blog was too hard, so they just used Tumblr. Or that mailing lists were passé, so they just let Facebook be a gatekeeper between them and their customers and their entire social circle.

      What could go wrong.

      It may not surprise you to learn that I have opinions about these sorts of shortcuts.

      • jwise says:

        Hmm, I'm not sure I agree with your characterization of Stripe as similar to those cloudy things. For one, for all of those services, they steal your data and then sell it to someone else to fuck you (you are, after all, the product), but in the case of Stripe, you pay them to provide a service for you.

        But moreover, the way I've used their stuff in the past should be basically identical to how you use now: you build the store, you tell them how much you want to charge a credit card, they charge the credit card, they give you money. I think the biggest difference is that the API is designed by someone who had to compete for customers, rather than someone from the dark ages of credit cards where there was only one game in town for card processing.

        Suit yourself, though... I have no dog in this, I've just used their APIs and liked them...

  7. tfb says:

    I once slightly knew someone who worked for a company that did early internet paymenty things, and wrote some stuff about it. One of the things they talked about was the horrid nightmare of dealing with antique bank systems, almost certainly involving X25. For years, I quietly assumed that this ancient cruft would eventually die out and be replaced by modern, simple, sane, secure interfaces.

    What a stupid, naive thing to have thought: 'modern' & 'sane, simple, secure' don't really go together, at all.