[In Depth] How Secure Is Apple Pay? Should Apple Be Trusted More With Your Information?
At it’s September 9 event at Flint Center, Apple also announced Apple Pay – which is the company’s first entry into the mobile payments platform. Prior to the launch of the iPhone 6, there was much debate about the high possibility of Apple adapting the platform. This was partially supported by the fact that the company already has a significant amount of credit card data o it’s servers.
With Apple Pay however, not only does the nature of this information change, but the way merchants and bank interact and use it is also altered. So with Apple Pay rumored to be announced in a couple of days, let’s take a look at how the platform works – and more importantly, how secure your data really is should you decide to make the switch.
An important factor to be kept in mind when talking about Apple Pay is that mobile payments, or NFC in particular is not a very highly adapted platform in the US currently. So while Apple customers might face lesser hesitation to switch, the merchants and vendors with whom transactions are conducted might have different thoughts on their minds altogether when choosing to implement NFC enabled terminals.
But before we talk about that, let’s first take a look at how Apple Pay works. Apple Pay differs significantly when it comes to making purchases and transactions using your credit card information. For the sake of simplicity, let’s divide the process into stages. The entire process starts when you sign up for Apple Pay and enter your credit card number to activate the service.
When you enter your card number for Apple Pay’s activation, your card credentials are immediately send to the appropriate card company by your device. The company, for example American Express, then proceeds to authenticate the information it has received. Upon validation, the company then proceeds to issue a token to your device.
This token represents your information, through your Apple device instead of a credit card number. It is a unique 16 digit number which will be used by your device in transactions which are carried out through Apple Pay. So, when you proceed to use Apple Pay, instead of transferring your credit card number or data to the vendor, the device will instead send this token instead.
While this 16 digit number represents your account and other details, to a third party this is essentially useless. Considering the parameters involved around Apple Pay and token generation, it can be considered that this number can not be decrypted back into your card number, which renders it useless to anyone who might come across it.
Courtesy of your Apple Pay token, the merchant in your transaction never receives your card details. Which means that these will never be in your vendor’s possession and therefore the risk of having this data compromised through a large scale breach or hack is reduced significantly. So how does the vendor then proceed to authenticate the information provided?
Simple. When you use your iPhone or Apple Watch on an NFC enabled, the device sends your token instead of your card number to the vendor, who in turn sends this information to the appropriate company. Once the company confirms that the date provided is legitimate, your transaction is authorized, and viola; you’ve just made a payment using Apple Pay. Once authorized by the company, the only piece of your card information that the vendor sees are the last four digits of your credit card number.
The iPhone/Apple Watch – The iPad?
After looking at the process outlined above, where does your Apple device fit into the mix? If tokens are taken to be the only means of authentication on Apple Pay, then your device does have a very limited role to play in the entire process. The first part of the answer to this question lies in Touch ID. To authenticate your Apple Pay transaction, you are required to use Touch ID on your device. This starts the entire process of carrying a transaction out with Apple Pay.
But the token is not the only thing which your device sends to your vendor – and ultimately to your company once your Apple Pay transaction starts. Alongside your token, a unique cryptogram and CVV are sent from your device to the terminal. The CVV is the string of three digits which you can also find on the back of your credit card. The cryptogram on the other hand is a piece of transaction specific information and is generated each time you use Apple Pay to undertake a transaction.
This cryptogram, according to the EMV Payment Tokenisation Specification Technical Framework is expected to be composed of data from the token, the device and the transaction data. For security reasons or otherwise, the exact components of this cryptogram aren’t known as of yet. This might change after Apple makes more details known about Apple Pay however.
After looking at these basic components of Apple Pay, the question still remains: How secure is the platform and what changes does it offer from the existing system of payments in place? Well, starting from the Token principle, the elimination of one entire level of information storage ends up lending more security to your payments. As mentioned above, since the vendor/merchant simply receives the token stored on your Apple device and does not come in contact with your complete card details.
This token is effectively useless without the cryptogram and the CVV sent alongside it. So should a malicious party ever gain possession of your token, they will not be able to use the information in a similar manner to credit card information. Tokens can also be rendered useless in case you end up loosing your Apple device. As far as their storage goes, a token and the elements responsible for the cryptogram are both stored in the secure element found in your device.
The secure element is a separate piece of hardware on your device which executes code only signed by the proper credentials. So it can not be accessed through any conventional means of software that you choose (or not) to install on your Apple device. How secure this secure element really is will be found out after Apple Pay is launched and given some time to settle.
Receipts for your transaction will not be showing your credit card number either. Instead of your credit card number, the last four digits of your device’s Apple Pay code will be shown. This follows the principle of the vendor not having access to your credit card number/data at any fixed moment. 9to5Mac even has a demo receipt for the service.
So what are your thoughts about Apple Pay so far? Sounds good? A flop? Not sure? Let us know in the comments section.