Apple Pay and security – what you need to know

Mobile payments look set to be one of the defining technologies of 2015, as the launch of Apple Pay catalyses a boom in cardless payments – both from Apple’s own system, and rivals playing catch-up.

The launch of Apple Pay has had a huge impact on this emerging technology – with Ars Technica reporting a sharp uptick in demand for rivals such as Google Wallet, due to the excitement around Apple’s system.

What is it about Apple Pay that has fired people’s imaginations so much? And what does the new technology mean for your money – and your security?

We explain below.

Apple Pay – what you’ll need

Hardware-wise, you’ll need an up-to-date iPhone or iPad to use Apple Pay – either an iPhone 6, iPhone 6 Plus, or one of this autumn’s new iPads. You’ll also need a valid bank card (credit or debit) registered at an American bank which works with Apple Pay.

Apple Pay uses the Passbook app which comes pre-installed on all compatible iPhones and iPads.

Where your card details are stored

Unlike rival systems such as Google Wallet, Apple Pay does not store card details either in your phone, or on Apple’s servers (Google Wallet stores details on Google’s servers).

The key to this is ‘tokenization’, which replaces key details (credit or debit card numbers in this case) with different data generated by your bank. This allows Apple Pay to work seamlessly with existing payment systems without jeopardizing private data.

How adding a card works

When you add a card to Apple Pay, you either type in the number or scan it via the iPhone 6’s camera.

If you use the camera, the image is not saved to your phone’s camera app or photo library, and it’s sent in encrypted form.

The bank card number is never saved or stored on your phone, or on Apple’s servers. Instead, your bank generates a Device Account Number, which is stored on the Secure Element within your handset – a chip separated from the OS. The contents of the Secure Element are never backed up to iCloud or elsewhere.

When you add a card, your bank will ask you to verify this using a two-factor authentication system, which varies according to bank and card type.

Could I fall victim to a store data breach?

Apple Pay is built with a number of safeguards to prevent data ‘going missing’ in a breach – or to prevent malicious terminals in stores billing customers.

To activate Apple Pay in-store, you have to put the device within a few inches of an Apple Pay terminal, and then manually select a card and activate payment using either your PIN code or Touch ID. The system cannot make payments without this manual element.

When you pay via Apple Pay in store, you do not hand over your credit or debit card number – the kind of data that has been stolen in vast numbers using POS malware in data breaches such as the Target breach.

Instead, your device transmits the Device Account Number generated by your bank. Because the number is device specific and card specific, it also can’t be removed from the device and used, for instance, as a magnetic stripe card number: it’s not the same as the card which generated it.
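The tokenization flow described above, modelled as an added example (not code from Apple, the banks or this article). The class and function names are hypothetical, and the per-device key, HMAC proof and counter are simplifying assumptions standing in for whatever binds a Device Account Number to one device.

```python
import hashlib
import hmac
import secrets


def payment_proof(device_key, dan, counter, amount_cents):
    """Computed on the device; the key never leaves the Secure Element."""
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class IssuingBank:
    """Toy token vault mapping each Device Account Number (DAN) to a card."""

    def __init__(self):
        self._vault = {}  # DAN -> [card number, device key, last counter]

    def provision(self, card_number):
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        device_key = secrets.token_bytes(32)  # assumption: per-device secret
        self._vault[dan] = [card_number, device_key, 0]
        return dan, device_key  # stored on the device, not the card number

    def authorize(self, dan, counter, amount_cents, proof):
        entry = self._vault.get(dan)
        if entry is None:
            return False
        _card, device_key, last_counter = entry
        expected = payment_proof(device_key, dan, counter, amount_cents)
        if counter <= last_counter or not hmac.compare_digest(expected, proof):
            return False
        entry[2] = counter  # a logged payment cannot be replayed
        return True


def demo():
    bank = IssuingBank()
    card = "4111111111111111"  # constructed test card number
    phone_dan, phone_key = bank.provision(card)
    tablet_dan, _ = bank.provision(card)
    # The store terminal sees only the DAN and the proof, never the card.
    record = (phone_dan, 1, 499, payment_proof(phone_key, phone_dan, 1, 499))
    return {
        "genuine": bank.authorize(*record),
        "replayed_record": bank.authorize(*record),
        "dan_without_key": bank.authorize(phone_dan, 2, 99900, b"\x00" * 32),
        "distinct_dans": phone_dan != tablet_dan,
        "card_in_record": card in repr(record),
    }
```

Calling demo() shows that only the genuine payment is approved: a record copied from the store's systems contains no card number and is declined when presented again.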

What about when you pay within apps?

Apple Pay isn’t locked into Apple’s own commercial ecosystem on iPhone – you can also pay within apps for other e-commerce companies. Starbucks, Stubhub, Ticketmaster and Disney are just some of the companies signed up to use Apple Pay.

As with payment in shops, there are extra layers of security to protect card data when you shop – your device transmits the Device Account Number, rather than your card number, and it’s also encrypted with secondary, merchant-specific encryption to add another layer of security.

What about my data? Does iPhone harvest it?

Apple has said that privacy is paramount in Apple Pay – the system does not harvest information about purchases for advertising purposes, whether anonymously or not.

The system makes money by levying a fee on participating partners, rather than relying on monetizing information from users.

What about Apple Watch?

Apple Pay will work with Apple Watch – which Apple promises will be as seamless as touching the wearable to a payment terminal and double tapping the crown.

Details on how Apple Watch’s OS will work, and specifically how it will work with Passbook and Apple Pay, are still scant.

What banks does Apple Pay work with?

At present, Apple Pay works with a range of American banks such as Bank of America, Chase, Wells Fargo and Capital One, and specific debit or credit cards from those banks.

American Express
Bank Of America
Capital One
Chase
Citi
Wells Fargo

Coming later this year:
Barclays
Navy Federal Credit Union
PNC
USAA
US Bank

Author , We Live Security

Copyright © 2016 ESET, All Rights Reserved.