With the introduction of Apple Pay, mobile wallet payment systems promise to disrupt long stagnant payment card status quo. But will these new services make our data and transactions safer?
Lets look under the hood. Apple Pay uses a microchip in Apples iPhone 6, iPhone 6 Plus, and the impending Apple Watch to encrypt account information for up to eight cards. To keep transactions secure, Apple implements "tokenization." This replaces the actual card data with a unique token (i.e., Device Account Number) that is submitted at the time of purchase, along with a one-time dynamic security code unique to each transaction. The dynamic security code replaces the credit cards CVV and is used to ensure that a transaction is being conducted from the device containing the Device Account Number.
With Apple Pay, retailers and their employees are neither seeing nor storing any credit card information (e.g., card number, name, address, or any other personal information). This prevents would-be-attackers from stealing the data needed to commit fraud. All of the users payment information and credit card numbers are stored in the iPhones Secure Element and gets never uploaded to a centralized server.
Beyond leveraging tokenization, Apple added a second security layer to its payment service to minimize the risk of unauthorized transactions. The built-in Touch ID uses two-factor authentication to decrease the risk of a stolen iPhone being used to make fraudulent purchases. In case of device theft, users can also remote wipe their smartphone to mitigate any risks.
Tokenization is not a new concept. As a matter of fact, the majority of credit cards in Europe and newly issued cards in the United States contain an EMV chip that in combination with a personal identification number (PIN) has led to improved security against fraud compared to magnetic stripe card transactions. However, Apple Pay replaces the entry of a PIN with its Touch ID, which overcomes the risk of PIN harvesting and binds the authentication to biometrics. The result is even safer transactions in a card-present scenario. For card-not-present purchases, the end user would have to rely on the online merchants adoption of Apple Pay as a custom application.
On paper, Apple Pay greatly improves data and transaction security, but its not foolproof. As usual, hackers are not standing still. A researcher at the Chaos Computer Club in Germany recently demonstrated how to replicate fingerprints with a high-quality photo of a users fingers, which could presumably be used to gain access to anything protected by biometric data. This is not the first time Chaos Computer Club has targeted fingerprints. A week after the Apple iPhone 5s launched last year, the club successfully unlocked the device using a fake fingerprint.
Nevertheless, Apple Pay could one day go a long way towards putting a dent into payment card fraud. The technology faces some substantial immediate barriers though due to the costs associated with installing new wireless-enabled point of sales systems needed to support the service. In addition, despite its early success in signing up banks and stores to accept Apple Pay, theres still a long way to go before the payment system becomes a global standard. The company also faces stiff competition from Google Wallet and the Merchant Customer Exchange (MCX). MCX is a consortium of retailers, including giants like Walmart, Best Buy, and Gap Inc., working on their own payment platform. Fragmentation and non-standardization will definitely slow down adoption.
Meanwhile, retailers and the payment card industry will have to continue to harden security around credit card data. They are getting some additional incentive this year since the new Payment Card Industry (PCI) Data Security Standard (DSS) 3.0, goes into effect in January. So while Apple Pay and other mobile wallet payment systems may one day make it more difficult to commit credit card fraud, they will never abdicate the need for data security.
Torsten George is Chief Security Strategist for risk management software vendor Agiliance.