The looming launch of Apple Pay and its promise of secure payments "in a single touch" is the latest attempt to use emerging technology to remake a U.S. retail payment infrastructure fraught with gaping security holes that have led to a series of massive breaches.
Despite Apple Inc.'s recent iCloud security compromise involving hacked celebrity photos and video, Apple appears poised to assume a leadership position in the emerging U.S. mobile payments market, even though security analysts and industry groups are already struggling to lock down a transaction ecosystem plagued by flaws at the point of sale.
The Apple Pay software enables payment card data to be transmitted from an iPhone to a payment terminal wirelessly via near-field communication (NFC). Though details remain unclear, according to Securosis analyst Adrian Lane, Apple Pay will not actually store payment card data on the iPhone, but will instead rely on payment tokens that stand in for the card number, providing a level of security abstraction: a token captured at the terminal is not the card number itself.
Apple is leveraging EMV (for Europay, Mastercard and Visa), the chip-card payment standard long used in Europe, in its contactless form over NFC. Backers of the technology claim it could help reduce the point-of-sale compromises that have plagued retailers like Target and Home Depot.
So far, Apple has lined up a decent list of retailers that will support Apple Pay, including McDonald's, Macy's and Whole Foods, along with the industry's biggest card brands: American Express, Mastercard and Visa.
But other large retailers have reportedly resisted Apple Pay, including Wal-Mart. The world's largest retailer -- along with Best Buy, Target and a lengthy roster of U.S. merchants -- is instead backing the retailer-owned Merchant Customer Exchange. The group claims its "CurrentC" mobile wallet app can be used at more than 110,000 locations.
Apple Pay: Hope for secure mobile payments?
While many note that the Apple Pay scheme is still too new to draw firm conclusions about transaction security -- Apple Pay won't be available until October -- security experts believe it has a better chance of succeeding than previous attempts by device makers to launch wallet services.
A key security concern is the inherent risk of transforming a consumer device, the iPhone 6, into a payment mechanism that not only stores a payment token, but also serves as the authentication platform via Apple's proprietary Touch ID fingerprint authentication feature.
The new phone's NFC antenna is said to allow users to make purchases by holding the phone near a contactless reader with a finger on the Touch ID button. Touch ID then verifies the purchase. It is believed the iOS app Passbook will store the token-based payment information.
Jonathan Cassell, a consumer electronics industry analyst with market researcher IHS Inc. in Englewood, Colo., noted Apple's penchant for "tight software and hardware integration," along with vast retail experience with iTunes, has allowed the company to amass millions of payment card data records via Apple ID, "which users can choose to simply add to Apple Pay."
Will lost iPhones threaten Apple Pay security?
Others are less sanguine, noting that Apple and other device makers still don't have a convincing answer for the most obvious security issue: What happens if a user loses his or her phone?
Apple said this week consumers could use iCloud's "Find My iPhone" feature to disable Apple Pay remotely. Apple CEO Tim Cook also stressed no payment information would be stored on iPhones or company servers. Observers said the new iPhone likely contains a token used for payments, but not a payment key that hackers could exploit.
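The token-based design described above (a token in place of the card number on the phone, and remote disabling of that token when the phone is lost) is easier to reason about with a small model. The code below is an added illustration written for this article, not Apple's, Visa's or any network's actual protocol; the token vault, the HMAC-based per-transaction cryptogram, the transaction counter and the names `TokenService`, `Wallet` and `make_cryptogram` are all assumptions made for the example. It shows why a token scraped from a terminal's memory cannot be replayed, why altering the amount fails, and why revoking the token leaves the underlying card usable.

```python
"""Toy model of token-based card payments (illustrative only; not Apple Pay's real protocol)."""
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, amount_cents, counter):
    """Per-transaction MAC binding token, amount and counter to a device-held key.
    Assumption: a real scheme uses EMV cryptograms; HMAC-SHA256 stands in here."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Stands in for the card network's token vault: the only place the PAN lives."""

    def __init__(self):
        self._vault = {}  # token -> {pan, device, key, last_counter, active}

    def provision(self, pan, device_id):
        """Issue a device-bound token and device key. The device never sees the PAN."""
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "device": device_id, "key": key,
                              "last_counter": 0, "active": True}
        return token, key

    def revoke(self, token):
        """'Find My iPhone'-style remote disable: kills the token, not the card."""
        self._vault[token]["active"] = False

    def authorize(self, token, amount_cents, counter, cryptogram):
        rec = self._vault.get(token)
        if rec is None or not rec["active"]:
            return "declined: unknown or revoked token"
        if counter <= rec["last_counter"]:
            return "declined: replayed cryptogram"  # stolen tap data is single-use
        expected = make_cryptogram(rec["key"], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"  # amount or token was tampered with
        rec["last_counter"] = counter
        return f"approved: charged PAN ending {rec['pan'][-4:]}"


class Wallet:
    """The phone side: holds token and key (a Secure Element in practice), never the PAN."""

    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def tap(self, amount_cents):
        """What the terminal receives on a tap: token, amount, counter, cryptogram."""
        self.counter += 1
        return {"token": self.token, "amount": amount_cents, "counter": self.counter,
                "cryptogram": make_cryptogram(self.key, self.token, amount_cents, self.counter)}


def demo():
    """Run the scenarios from the article; returns a dict of authorization outcomes."""
    ts = TokenService()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token, key = ts.provision(pan, "iphone-6")
    wallet = Wallet(token, key)
    results = {}

    tap = wallet.tap(1999)
    results["first_tap"] = ts.authorize(tap["token"], tap["amount"], tap["counter"], tap["cryptogram"])

    # A POS memory scraper captures exactly what the terminal saw: no PAN, just token + cryptogram.
    scraped = dict(tap)
    results["replay"] = ts.authorize(scraped["token"], scraped["amount"],
                                     scraped["counter"], scraped["cryptogram"])
    results["tamper"] = ts.authorize(scraped["token"], 999_999,
                                     scraped["counter"] + 1, scraped["cryptogram"])

    # Phone lost: owner revokes the token remotely; the card itself stays valid.
    ts.revoke(token)
    tap2 = wallet.tap(500)
    results["after_revoke"] = ts.authorize(tap2["token"], tap2["amount"],
                                           tap2["counter"], tap2["cryptogram"])
    new_token, new_key = ts.provision(pan, "replacement-iphone")
    tap3 = Wallet(new_token, new_key).tap(500)
    results["reprovisioned"] = ts.authorize(tap3["token"], tap3["amount"],
                                            tap3["counter"], tap3["cryptogram"])
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:14s} {outcome}")
```

The point of the model is what the terminal, and therefore a terminal-side attacker, ever sees: a token, an amount, a counter and a one-time cryptogram, none of which is the card number and none of which can be re-used. Everything else in the article's security debate (Touch ID, Apple ID recovery questions, the Secure Element) is about protecting the key that produces those cryptograms on the phone.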
Nevertheless, some security experts worry that even if Apple is acting merely as a conduit between retailers and credit card companies, the device itself may be Apple Pay's weakest security link.
"I think there are risks," said security specialist Dave Shackleford, principal consultant at Voodoo Security LLC in Atlanta, explaining that it's a step in the wrong direction to lower protections to the point where being able to answer an Apple ID security question is all that may be needed to compromise payment data.
Still, the iPhone has historically seen less malware and fewer successful attacks than Android phones, and Shackleford said Apple has demonstrated the ability to perform adequate security testing before releasing new consumer products. Apple Pay, he predicted, is "not going to be riddled with [security] holes coming out of the gate."
Apple Pay: Obscuring data a good step
Meanwhile, industry groups like the FIDO Alliance are embracing the efforts of Apple and other payment ecosystems in allowing customers to strongly authenticate in a simple and secure fashion.
Phillip Dunkelberger, CEO of Palo Alto, Calif.-based authentication vendor Nok Nok Labs Inc., a founding member of FIDO, called Apple Pay "definitely a step up from current credit card security."
While Dunkelberger and other security experts stressed that Apple has released few specifics on how its authentication scheme will be implemented, he said Apple Pay's ability to "obscure" users' identities and payment data was a "step in the right direction."
Apple said it wants to expand its payment scheme overseas as quickly as possible. That will be a challenge considering differing technology standards (iPhones are not as ubiquitous in Europe as they are in the U.S.) and regulatory regimes. Some of those hurdles could be eased by the fact that Apple avoided proprietary technology at the terminal interface, relying instead on industry standards such as NFC and EMV.
Apple Pay is "not a panacea, it is one part of a larger payment ecosystem," Dunkelberger stressed. "The devil is in the [implementation] details, the devil is in the ease-of-use details."
Apple Pay will be available in October as an update to iOS 8, which is scheduled to debut Sept. 17.