As you’ve probably heard, Apple flipped the switch on its new payment system, which it hopes will replace all the plastic cards in our wallets with virtual ones that live within our phones (note: card data is not actually stored there, but more on that later). Many analysts have said that this new payment system will revolutionize how we pay for things.
A Little History
Before we dive into how Apple Pay actually works, let’s look at why it’s necessary. I say necessary because Apple Pay is not some fancy new feature to impress your friends with. No. Apple Pay is the first step in making paying for things more secure. The US has been lacking in payment card security as of late. The number of breaches this year alone has drastically increased. These breaches, like Target and Home Depot, are a result of poor security around their respective payment applications (the software that runs on the checkout terminals and the central servers). So, you may ask, why is Apple Pay the first step in payment security? Shouldn’t we focus on security around payment applications? I can’t disagree with you. In fact, there is an entire governing council that sets requirements on how to secure said systems and the processes around them. But these requirements have been around for years…and clearly they’re not enough.
Countries other than the US have moved to securing payment cards by adding a small computer to them. You may have seen cards with a small chip embedded in them. This chip contains information that changes each time you use the card and is used to verify that the physical card is the one tied to your bank account. The information on the chip cannot be stored in any payment application, so should a store be compromised, your card is safe. Adoption of this technology is growing rapidly outside the US, but US banks are reluctant to support it. Doing so would require reissuing cards, upgrading banking systems, and upgrading the terminals at retail locations. It’s certainly not impossible, just expensive.
Why Apple Pay Is Different
Apple Pay is not the first wallet replacement solution to hit the market. A few years ago, Google launched Google Wallet, which attempted to do the same thing. So why didn’t it catch on? Arguably, for the same reason Chip-and-PIN (or EMV) cards haven’t caught on in the US. Money. Phones running Google’s Android OS have long supported NFC technology (the short-range radio technology that makes Google Wallet and Apple Pay work), but many retailers have only just begun to roll out terminals that support the technology. Because this adoption was low, many people never knew it was an option. Apple has been known to not do something first, but to do it right. If you’ve seen the demos and reviews of Apple Pay scattered all over the web, you will see that simplicity is what Apple was after. It’s a beautiful meld of hardware and software that is so intuitive anyone can use it. But why won’t Apple Pay fall to the sidelines and join Google Wallet? Well, frankly, because it’s Apple. The company has nearly endless resources, and if it wants something, it’ll make it happen. Visa, MasterCard, and American Express have already signed on, with Discover working to roll out support soon. In addition, 9 of the largest banks in the US have enabled Apple Pay support on their credit and debit cards (see here for an updated list: http://support.apple.com/kb/HT6288). As you can see, this is no small feat and begins to highlight just how complex paying for something with a small piece of plastic really is.
So Just How Secure Is It?
I’m glad you asked! In the last few years, many companies have tried to reduce the amount of cardholder information stored in their own systems. This information can include full name, account number, expiration date, and CVV (not the CVV2 which is found on the back of your card). One way companies have accomplished this is through the use of tokenization. Tokenization is a process that assigns a unique code to your transaction that is then stored in a company’s system for use in the event of a chargeback or refund. When you swipe your card at a terminal, the information on the magnetic stripe is sent to a payment processor (a company that facilitates transferring funds from your bank to the company). The processor then sends back the unique code to be stored and used at a later date to recall the transaction if necessary. Notice that your information is never stored with the company itself, meaning that if the company were to be compromised, the hackers would only obtain a bunch of useless codes.
Apple has taken a similar approach in developing Apple Pay. As outlined above, multiple levels of the payment network need to be on board to support Apple Pay. That’s because Apple uses a tokenization process to add payment cards to your device. First, each device is assigned a unique identifier that can be used to determine which device was used to complete a transaction. Second, each payment card that is added to your device is also assigned a unique identifier. Here’s where the banks and the card brands come in. When you add a payment card to your device, Apple contacts the issuing bank (Chase, Capital One, Wells Fargo, etc.) to create a unique identifier that is then stored on the device. Your full name, the card number, expiration date, and CVV2 are not stored on the device once the identifier has been acquired. This combination of device and card identifiers allows for quick deactivation should either go missing. If the physical payment card is lost, your bank can suspend the card, which will make the card useless (both the physical card and the virtual one in Apple Pay). If your device is stolen, putting the phone in Lost Mode or erasing the phone remotely will delete the device’s unique identifier, making all the payment cards on the phone useless.
So, that explains how your bank accounts are protected against loss or theft of your payment cards and devices, but what about retail stores? Good news! Apple has you covered there too. Each time you complete a transaction with Apple Pay, both your device and payment card identifiers are transmitted to the terminal at a retail store. The terminal or payment application then contacts the processor, and subsequently your bank, to validate the information. Notice that your actual card number is never transmitted to the company. Should the company be breached, hackers would not be able to obtain the information necessary to create a fake payment card.
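A simplified model of the device and card identifier scheme described above, added here as an illustration; it is not Apple's or any bank's code. The class and function names and the test card number are assumptions made for the example.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed test card number, not a real account

class IssuerVault:
    """Hypothetical bank-side vault: the only place identifiers map to a card number."""
    def __init__(self):
        self._devices = set()    # enrolled device identifiers
        self._cards = {}         # card identifier -> (device identifier, card number)
        self._suspended = set()  # card numbers the bank has suspended

    def enroll_device(self):
        device_id = secrets.token_hex(8)  # random, carries no user data
        self._devices.add(device_id)
        return device_id

    def add_card(self, device_id, pan):
        if device_id not in self._devices:
            raise ValueError("unknown device")
        card_id = secrets.token_hex(8)    # random, not derived from the card number
        self._cards[card_id] = (device_id, pan)
        return card_id

    def suspend_card(self, pan):          # physical card reported lost
        self._suspended.add(pan)

    def remove_device(self, device_id):   # Lost Mode or remote erase
        self._devices.discard(device_id)

    def authorize(self, device_id, card_id):
        bound_device, pan = self._cards.get(card_id, (None, None))
        return (bound_device == device_id and device_id in self._devices
                and pan not in self._suspended)

def checkout(vault, merchant_log, device_id, card_id):
    """Merchant side: forwards the identifiers and keeps only them on record."""
    approved = vault.authorize(device_id, card_id)
    merchant_log.append((device_id, card_id, approved))
    return approved

def demo():
    vault, merchant_log = IssuerVault(), []
    phone = vault.enroll_device()
    card = vault.add_card(phone, TEST_PAN)
    results = [checkout(vault, merchant_log, phone, card)]               # normal purchase
    results.append(checkout(vault, merchant_log, "other-device", card))  # card identifier with a different device
    vault.remove_device(phone)
    results.append(checkout(vault, merchant_log, phone, card))           # after remote erase
    leaked = any(TEST_PAN in str(row) for row in merchant_log)           # what a merchant breach would expose
    return results, leaked
```

`demo()` returns the three authorization outcomes and whether the card number ever reached the merchant's records.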