Apple Launches Payments PlatformEnables Use of New iPhones, Apple Watch to Make Payments
See Also: Secure Access in a Hybrid IT World
"Apple Pay is going to change the way you pay for things forever," said Tim Cook, Apple's CEO, during a live event Sept. 9 in Cupertino, Calif.
Security and payments experts say Apple's announcement may be the catalyst to legitimize near field communication technology and improve security.
"This has the potential to change the payment landscape, at least in the U.S. where merchants are being breached every other day and are up to their eyeballs in security issues and expenses," says Avivah Litan, an analyst at the consultancy Gartner.
Apple Pay Participants
Apple Pay will work with the three major payment networks - American Express, MasterCard and Visa. In addition, the top bank card issuers that handle 83 percent of the credit card purchase volume have signed up to support the technology. Those include Bank of America, Wells Fargo and JPMorgan Chase plus eight other financial institutions.
More than 220,000 merchant locations are ready to accept payments using the new technology, Apple says. Companies on board with Apple Pay so far include Target Corp., Starbucks, Disney and Staples, to name a few.
Apple Pay will be available in the U.S. in October and work is under way to take the technology worldwide soon, the company says.
How It Works
The payment technology is included in the iPhone 6 and iPhone 6 Plus, to be released Sept. 19, as well as Apple Watch - coming early next year. Apple Pay will enable users to pay for products in person using near field communication technology, while utilizing the security features that come equipped on the iPhone, such as Touch ID, a fingerprint identity sensor, and a Secure Element chip.
Those using Apple Pay will be able to utilize the pre-existing payment information stored on their iTunes accounts or add new credit and debit card numbers using the Apple iSight camera, the company says. Apple then will verify the accounts with the issuing banks.
According to Apple, when a user adds a credit or debit card with Apple Pay, the actual card numbers will not be stored on the device nor on Apple servers. "Instead, a unique device account number is assigned, encrypted and securely stored in the Secure Element on your iPhone or Apple Watch," the company says. "Each transaction is authorized with a one-time unique number using your device account number and, instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction."
Eddy Cue, Apple's senior vice president of Internet software and services, says: "Security is at the core of Apple Pay, but so is privacy. We're not into the business of collecting your data."
For payments conducted online, customers will go through a one-touch checkout, which eliminates the need to enter card numbers, type addresses or share card information with the merchant. Instead, the one-time payment number will be used, Cue says.
Apple's announcement of the incorporation of NFC technology in their phones legitimizes the technology as the contactless platform for the foreseeable future, says Thad Peterson, a payments expert for the consultancy Aite Group. "Expect to see a rapid expansion of NFC-enabled payment terminals," he says.
"There's very little risk with the NFC platform," Peterson says. "It's proven and it's secure enough to be the only mobile payment technology that is accepted as a 'card present' transaction."
Payment fraud expert Tom Wills says NFC available with other smart phones has failed to gain traction in the past year following several years of hype, so Apple Pay could serve as a major boost.
"The other strong feature is that Apple Pay is designed to work with both physical point-of-sale and e-commerce transactions via a single consumer wallet," Wills says. "This is a very credible move to change the payments landscape."
By bringing Apple into the NFC fold, he says, "we will quickly see contactless mobile payments achieve critical mass and, since it's a significantly more secure technology than card-based platforms, the risk of fraud should decline overall."
One concern yet to be addressed, Peterson says, is whether the Touch ID biometric feature is as secure as it needs to be.
Wills, the payment fraud expert, notes: "When it was first released in the iPhone 5S, it was successfully hacked within a couple of weeks. But exactly for that reason, I have to think that Apple has given special attention to upgrading the security of Touch ID in the iPhone 6."
Preventing Data Breaches
Litan of Gartner says Apple's use of a payment card tokenization scheme that financial services companies endorse and recognize means consumers don't have to store their payment card data in their mobile wallets.
"When the consumer is ready to pay, their financial service provider would issue them a one-time token number that would initiate the payment process," Litan writes in a blog. "Token numbers are not considered credit card numbers and there are lots of security benefits to merchants when they do not accept, store or transmit actual credit card numbers."
Those benefits, Litan argues, include reducing the scope of PCI compliance audits and avoiding payment card data breaches.
Still, successful implementation of Apple Pay isn't a given, Wills says.
"Mainstreet merchants will have to adopt NFC, which represents a cost for them, while they are under pressure at the same time to 'invest' in EMV smart card technology," he says. "Expect some pushback there, at least initially."
Also, consumers will have to adopt NFC en masse, Wills explains, "which means Android devices will have to support the same payment mode."