Still No Apple Mobile Wallet, But A Card-Number Keychain That May Be Just A Bit Too Clever

Anyone who was expecting Apple (NASDAQ:AAPL) to jump into in-store mobile payments this week is probably feeling...well, comfortably disappointed. The big keynote speech at Apple's Worldwide Developers Conference contained, as usual, no sign of the "iWallet" that some Apple fans insist will be coming any day now. But there was something just a little bit like a mobile wallet, and that's sure to keep the wishful thinking alive.

That something was the iCloud Keychain. Put simply, it's a cloud-based feature of Apple's new iPhone operating system, iOS 7, that lets users store passwords, logins and payment-card numbers for use with mobile commerce sites. Yes, it does all the things password managers do these days, including automatically filling in the forms that make online retail so much more miserable for customers on a phone than on a PC. But it's adding card numbers that makes this interesting.

Apple didn't spill many details about the new feature except to say that the card numbers will be delivered with 256-bit AES encryption (we're guessing that means an encrypted connection, but Apple didn't say), the numbers will only be sent to "trusted devices," and the feature will suggest specific card numbers when an order form calls for them.

Now, Apple has been running a retail chain for more than a decade, and it understands PCI. It also understands that the PCI Council still hasn't nailed down the requirements for mobile POS devices handling payment-card numbers. But that's not Apple's problem here. Apple users won't need to use iCloud Keychain to order anything from Apple—Apple already has their credentials. It's only other retailers that Apple will be serving up card numbers for.

So when the iCloud Keychain is being used, it won't be in PCI scope for Apple, because Apple won't be acting as a merchant—just a cloud storage provider and phone maker. For other chains, the customer's phone is out of PCI scope too, just as a mag-stripe card would be when it's sitting in a customer's wallet.

This system is designed so that any security problems are always somebody else's problem—and never in scope for PCI. It's probably the cleverest PCI workaround ever by a retailer. And it will dodge PCI responsibility for what could become the largest cache of payment-card numbers outside the banks/processors/card brands system. Very clever, Apple.

Unless, of course, there's a major breach of Apple's iCloud that releases payment card numbers into the hands of cybercriminals. Does anyone think that cleverness will actually help Apple when Visa and MasterCard decide the distance between Apple's left hand and its right isn't so far after all?