Apple Pay pushes payment security forward
If adopted, trusted
Apple Pay, the new payment service Apple recently unveiled, is being heralded by some security experts as a positive step forward in eliminating plastic and reducing fraud. While it is no silver bullet, it can make mobile payments more secure for users of iPhone 6 and iPhone 6 Plus if it is widely adopted, said Kevin Grieve, a payment industry veteran and partner at consulting firm Strategy&. He leads the firm’s payments business.
Apple's mobile payment implementation eliminates the credit card number altogether and instead assigns a unique number to the device, so that payment takes place using a method associated with the user's account. Google Wallet, by contrast, stores the user data on the mobile device and transmits the cardholder data via near field communications to the merchant, which experts say is a security risk. Here are 10 reasons why it pushes the envelope.
Apple replaces the 16-digit credit card number and other data associated with the magnetic stripe on standard credit cards by using tokenisation. Apple generates a one-time-use token with every transaction. The token is created in a way that makes it impossible for an attacker to reverse.
However, it isn't foolproof, security experts say. An attacker could theoretically gain access to a token system that processes the transactions to glean some information. Still, tokenisation removes point-of-sale system fraud (think of the Target and Home Depot breaches) by eliminating the credit card from the merchant's systems altogether.
2. Secure element
Apple is using a process that assigns a unique Device Account Number for each credit card that is added using its Passbook application. The unique number is encrypted and stored on a dedicated chip in the iPhone 6, iPhone 6 Plus and Apple Watch called Secure Element.
Apple pledges that card numbers will never be stored on Apple servers and, as an extra privacy measure, individual transactions will also not be viewed or logged by Apple. The credit card numbers never reach merchant systems either, Apple said.
The unique device token is coupled with a dynamic security code to process the transaction properly. The randomly generated number would be useless to credit card thieves without a variety of other information about the user, according to Apple. Security experts say this could increase the risk of Apple device theft. Other mobile security experts tell CRN US the new payment method may fuel account hijacking attempts against Apple cloud services.
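A simplified model of the arrangement described above (a stored device account number coupled with a per-transaction dynamic security code), added here as an illustration; it is not Apple's or any card network's code. The `TokenService` class, the HMAC-SHA256 construction, the transaction counter and the merchant ID are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Constructed stand-in for the token system that maps tokens to cards."""

    def __init__(self):
        self._vault = {}  # device account number -> [card number, key, last counter]

    def provision(self, card_number):
        """Issue a random device account number and a per-device key for a card."""
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[dan] = [card_number, key, 0]
        return dan, key  # in this model both live only in the phone's secure chip

    def authorize(self, dan, counter, amount_cents, merchant_id, code):
        """Return the real card number only if the dynamic code checks out."""
        entry = self._vault.get(dan)
        if entry is None:
            return None
        card_number, key, last_counter = entry
        if counter <= last_counter:  # replayed or stale transaction
            return None
        expected = dynamic_code(key, dan, counter, amount_cents, merchant_id)
        if not hmac.compare_digest(expected, code):
            return None
        entry[2] = counter
        return card_number


def dynamic_code(key, dan, counter, amount_cents, merchant_id):
    """Per-transaction security code bound to the token and transaction details."""
    msg = f"{dan}|{counter}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def demo():
    service = TokenService()
    card = "4111111111111111"  # widely used test card number, not a real account
    dan, key = service.provision(card)
    code = dynamic_code(key, dan, 1, 2599, "MERCHANT-001")  # constructed merchant ID
    merchant_view = {"dan": dan, "counter": 1, "amount": 2599, "code": code}
    first = service.authorize(dan, 1, 2599, "MERCHANT-001", code)
    replay = service.authorize(dan, 1, 2599, "MERCHANT-001", code)
    tampered = service.authorize(dan, 2, 999999, "MERCHANT-001", code)
    return merchant_view, first, replay, tampered
```

The merchant-side record holds only the device account number and the one-off code, so a copy of it neither reveals the card number nor authorizes a second or altered transaction.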
Apple is using a communication protocol that is supported in widely deployed payment terminals in Europe and Canada called EMV, which stands for Europay, MasterCard, and Visa.
The terminals support chip-and-PIN technology to cut down on card fraud. Target and Home Depot, two large retailers in the US that are reeling from massive data breaches, indicated they will have terminals in place supporting EMV. Other large retailers are expected to replace outdated terminals with new EMV-enabled equipment by October 2015.
The latest EMV terminals are encrypted and support NFC, contactless payments, said Ruston Miles, a PCI compliance expert and chief innovation officer at systems provider Bluefin Payment Systems.