Apple Pay: How It Will Work

A Look at Secure Card Transactions Strategy
Apple Pay: How It Will Work

The new Apple Pay mobile payment system isn't going to kill credit cards. But when it launches next month in the United States, the payment system - in which users tap a compatible Apple device to a contactless payment terminal - could help improve payment security.

See Also: The Vulnerability Epidemic in Financial Services Mobile Apps

Apple's new system is designed to work with contactless payment terminals that include near-field communication technology. At launch, only iPhone 6 devices will be compatible with Apple Pay. After the Apple Watch gets released next year, it can be paired with iPhone 5 - or newer devices - and used with Apple Pay too.

For the system's launch next month, Apple has already secured the backing of the three major payment networks - American Express, MasterCard and Visa - and it's in talks with Discover. Bank card issuers that collectively control 83 percent of all U.S. card purchases, by volume, have also signed up, including the country's four biggest banks. Companies on board range from Staples and Starbucks to Disney and Target, collectively comprising 220,000 locations.

Step by Step

To use Apple Pay, a user must first add a card to the Passbook app. This can be done by importing any card that's already registered with iTunes, and reentering the card's security code. Or users can enter new card data, either by capturing it via the built-in camera or typing it in.

For every card added, a dedicated chip inside the iPhone - called the Secure Element - assigns, encrypts and stores a unique Device Account Number. So the real card number is not stored nor transmitted. Instead, the Device Account Number gets sent through the POS device and payment network when a user taps their fingerprint to authorize the transaction, then taps their iPhone against an NFC-compatible terminal.

Apple didn't invent any of the underlying technologies or standards. With the Secure Element, for example, "the standard that Apple has implemented is - if we oversimplify - basically the same as what you have on your EMV card," Mung Ki Woo, executive vice president of digital platforms for MasterCard, tells Information Security Media Group. "The chip inside the phone is essentially bank-grade," and used to create a unique cryptogram that gets attached to each transaction, to prove to the bank that it's authentic.

Meanwhile, the payment card industry's tokenization standard underpins the 16-digit code Apple refers to as the Device Account Number, which is its version of a personal account number. "In the payment industry, we call that a payment token, and therefore this is not your real card number," Woo says. "When you transact, you send to the payment system this payment token, and this payment token gets converted back into your real card, within the payment system."

That's a point worth emphasizing: these tokens don't get converted back into real card numbers at the point of sale, or on Apple's servers. In fact, under Apple Pay, neither POS devices nor Apple will handle real card numbers. Instead, that conversion occurs between the card network and the card-issuing bank in back-end systems that aren't visible to anyone else.

"When you're using Apple Pay in a store, restaurant or other merchant, cashiers will no longer see your name, credit card number or security code, helping to reduce the potential for fraud," says Eddy Cue, Apple's senior vice president of Internet software and services. "Apple doesn't collect your purchase history, so we don't know what you bought, where you bought it or how much you paid for it." While the Passbook app on a device does keep a list of transactions, Apple says it's limited to just listing recent transactions.

Protecting Card Numbers

The move away from transmitting real card numbers has obvious security upsides. "You read about all of these breaches, and the breaches take place because currently we're using the real card number, and therefore you have to protect the real card number," Woo says. With Apple's system, however, if there's a breach, the criminal gets access only to the unique payment token, not the real card number, thus providing a second layer of security, he explains. Furthermore, the payment token is locked to the Secure Element inside one specific Apple device, and can only be used for payments from that device if a user first verifies their identity via the built-in Touch ID biometric fingerprint scanner. While the device could get lost or stolen, a user can also remotely wipe everything on the device.

Of course, it remains to be seen if Apple Pay will prove to be hacker-resistant. One thing is for certain: Researchers - and hackers - will be testing the payment system as soon as it debuts. "All of your bank details are on that device, so it's more of an attractive target," Michael Sentonas, vice president and global CTO for Intel Security, tells Information Security Media Group.


Michael Sentonas, Global CTO at Intel Security, discusses Apple Pay security questions.

But at least for now, Apple's Secure Element will be closed to third-party developers, the company tells Cult of Mac, which means only Apple-developed apps will be able to use it - adding a further measure of security. That's the same implementation strategy Apple followed with Touch ID, which only became accessible to third-party apps with the introduction of iOS 8, which debuted this week.

Apple Pay can be used for POS transactions as well as App Store purchases, for example, to recharge a Starbucks app. Here again, the system will eliminate the use of real credit card numbers in place of the tokens generated by the user's own iPhone.

Fraud-Battling Power

At least initially, Apple Pay will only be the domain of anyone who can afford an iPhone 6 or iPhone 6 Plus, and thus it won't be available to the vast majority of the world's card-using consumers. "Apple can certainly ride the security wave and offer merchants and consumers more secure payments," says Gartner analyst Avivah Litan in a blog post. "But they are still just a fraction of the shopper base and the other fraction still has to be protected."

Apple Pay will also debut only in the United States, although Apple has global expansion plans, and has reportedly already secured backing from China UnionPay, which operates China's interbank network.

For systems such as Apple Pay or Google Wallet to meaningfully replace physical credit cards, the world will need more NFC-compatible smart phones. But after Apple Pay debuts, Litan predicts Google will quickly follow Apple's lead, and persuade manufacturers to link Google Wallet to NFC chips in their devices. "Once Google gets in the game and Android phones are enabled with more secure payments, we may actually see mobile NFC payments catch on. Better yet, we may actually see the criminals and payment card data breaches start to go away - or at least migrate to something else," she says.

World Shipments of NFC-enabled Cellular Handsets (in millions)


Source: IHS Inc., February 2014

From a usability standpoint, however, the simplicity of paying with plastic trumps even the most well-designed smart phone interface or secure payment app. "Plastic is not going to go away, consumers love plastic - because it's so simple, and with us all the time - and there are no batteries," says MasterCard's Woo. "We sometimes drop our phones and bad things happen. You can drop your piece of plastic, and it still works."

Principal Correspondent Varun Haran contributed to this story.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.