
How Apple Pay security controls may mitigate payment card breaches

The newly launched Apple Pay mobile payment system could deliver the most secure shopping experience for U.S. customers yet, though it still may not be perfect.

In recent years, U.S. retailers including Target, Home Depot and countless others have been subjected to massive data breaches largely due to a reliance on outdated payment processing systems that can be easily breached by RAM-scraping malware like Backoff.

Tech giant Apple Inc. touts its newly launched Apple Pay mobile payment system as a more secure way to shop for U.S. customers, but can it stem that tidal wave of card breaches?

Available today as an update to iOS 8, Apple Pay is certainly not a novel offering, but it may be the first mobile payment system capable of gaining traction among users and vendors. Google Wallet entered the space back in September 2011 and was immediately beaten back by wireless carriers, who eventually released their own NFC-based payment system called Isis Wallet. Vendors such as Square and PayPal have forged similar offerings as well, but none have gained widespread adoption -- Google's Wallet may be the most successful, though its U.S.-only presence has limited downloads to fewer than 20 million of the nearly 100 million Android users worldwide.

Apple itself previously failed to get its Bluetooth-based iBeacon payment platform off the ground, but the new near-field communication (NFC)-based Apple Pay system has already resulted in wider adoption among card brands, issuers, processors and retailers than any previous venture: Visa, MasterCard and American Express are all on board, as are Bank of America, Wells Fargo and hundreds of thousands of stores.

However, some question whether Apple Pay will be adopted among the masses as quickly as the consumer tech giant, based in Cupertino, Calif., hopes. Troubling signs include that the world's largest retailer, Wal-Mart Stores Inc., is notably absent from Apple's partner network as of now, that many retailers that have pledged support today lack the point-of-sale systems and NFC technology to accept Apple Pay, and that it only works on Apple's latest iPhone 6 or 6 Plus smartphones.

Apple Pay's differentiator: Security

Apart from promising widespread adoption, Apple has also pledged to differentiate its mobile payment system by offering a more secure experience than its competitors.

For one, unlike Google Wallet's need to store a user's payment card data on Google's servers, Apple has promised that no card data will actually be stored on any of its devices or servers. Apple devices will serve more as a conduit for mobile payments, receiving a tokenized Device Account Number from payment networks that will unlock that ability for a user to pay.

The Device Account Number is stored in the Secure Element -- a new feature for Apple's devices but one that has long existed in other SIM-based smartphones -- which provides the ability to encrypt and decrypt sensitive information in an enclosed environment. Apple Pay's reliance on its Secure Element does mean that only the most recent iPhone 6 and iPhone 6 Plus, as well as other Apple devices released this fall, will gain access to new payment capabilities.

According to Apple's Oct. iOS security guide, a successful payment will also require a transaction-specific dynamic security code, which will only be known by the relevant payment network and card issuer, and user authentication via the Touch ID fingerprinting system built into the latest Apple devices.

"Security and privacy is at the core of Apple Pay," said Eddy Cue, senior vice president of Internet software and services for Apple, in a statement. "When you're using Apple Pay in a store, restaurant or other merchant, cashiers will no longer see your name, credit card number or security code, helping to reduce the potential for fraud."

Is Apple Pay security the real deal?

While one would certainly expect Apple to tout the security of its own payment platform, a variety of security experts have also endorsed the company's efforts.

Aaron Cherington, a senior cyberthreat intelligence analyst with advanced threat detection vendor FireEye Inc., based in Milpitas, Calif., said in a blog post that NFC-based payments are inherently more secure than those using typical credit and debit cards, mainly because a new string of numbers is created for each individual purchase. As a result, current attacker techniques like skimming are rendered useless because magnetic stripes play no part in the payment process.

The same holds true for the point-of-sale malware that has plagued retailers recently, said Cherington, because POS systems would no longer be responsible for storing card information, even in an encrypted form. He added that hackers may capture communications between a mobile device and an NFC reader using a small antenna but Apple's use of tokenized Device Account Numbers rather than card numbers should deter such attacks.

"Even if threat actors are able to access the retailer's network, the one-time-use-only nature of the information makes it essentially useless for their purposes," said Cherington. "It appears Apple Pay and other NFC mobile payment systems in general offer enhanced security against traditional retail credit card breaches."
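The tokenized flow the article describes (a Device Account Number held in the Secure Element, a one-time dynamic code per transaction, Touch ID gating each payment) and Cherington's point that a record scraped from a retailer's network is useless to an attacker, as an added example written for this article rather than Apple's or FireEye's code. The HMAC-based code, the monotonic counter and all names are assumptions of this constructed model, not Apple's actual protocol.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Apple's real protocol: issuer and Secure Element share
# a per-device key bound to a Device Account Number (DAN); the real card number
# (PAN) stays with the issuer; every payment carries a one-time dynamic code.

def dynamic_code(key, dan, counter, amount, merchant):
    msg = f"{dan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self):
        self.pan_by_dan, self.key_by_dan, self.last_counter = {}, {}, {}

    def provision(self, pan):
        # Tokenize: hand the device a DAN and key; the PAN never leaves here.
        dan, key = "DAN-" + secrets.token_hex(8), secrets.token_bytes(32)
        self.pan_by_dan[dan], self.key_by_dan[dan], self.last_counter[dan] = pan, key, 0
        return dan, key

    def authorize(self, dan, counter, amount, merchant, code):
        # Code must verify AND counter must advance: a record scraped from POS
        # memory can be neither replayed nor altered.
        key = self.key_by_dan.get(dan)
        if key is None or counter <= self.last_counter[dan]:
            return False
        if not hmac.compare_digest(code, dynamic_code(key, dan, counter, amount, merchant)):
            return False
        self.last_counter[dan] = counter
        return True

class SecureElement:
    def __init__(self, dan, key):
        self.dan, self._key, self.counter = dan, key, 0   # key never leaves

    def pay(self, amount, merchant, touch_id_ok):
        if not touch_id_ok:                 # Touch ID gates every payment
            return None
        self.counter += 1
        code = dynamic_code(self._key, self.dan, self.counter, amount, merchant)
        return {"dan": self.dan, "counter": self.counter, "amount": amount,
                "merchant": merchant, "code": code}   # all the POS ever sees

def demo():
    issuer = Issuer()
    dan, key = issuer.provision("4111111111111111")      # constructed sample PAN
    rec = SecureElement(dan, key).pay("19.99", "store-42", touch_id_ok=True)
    tampered = issuer.authorize(**dict(rec, amount="999.00"))  # altered amount
    genuine = issuer.authorize(**rec)                    # first presentation
    replay = issuer.authorize(**rec)                     # same record again
    return tampered, genuine, replay, "4111111111111111" in str(rec)
```

`demo()` returns `(False, True, False, False)`: only the genuine presentation is authorized, and the PAN never appears in what the merchant handles.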

In a blog post, Avivah Litan, vice president and distinguished analyst for research firm Gartner Inc., based in Stamford, Conn., agreed with Cherington's assessment that the use of tokens rather than card numbers makes the payment process more secure, as attackers are "not going to bother stealing" a token that can't be reused. Apple's choice of tokenization could also reduce the burden placed on merchants that accept cards, added Litan, because tokens aren't considered to be the same as card numbers under PCI DSS regulations, potentially reducing the scope of a PCI audit.

Litan cautioned that Apple Pay will only be successful in the long run if merchants choose to accept it. Considering that Android continues to outpace iOS in mobile adoption, she said that most stores will likely continue rolling out point-to-point encryption for POS terminals to enhance security, unless Google can also improve the adoption of its NFC-based Wallet offering.

"Apple can certainly ride the security wave and offer merchants and consumers more secure payments," said Litan in her blog post. "But they are still just a fraction of the shopper base and the other fraction still has to be protected. So Apple will need to offer more than just security features to gain all-important acceptance. IMHO, lower fees are key to Apple Pay success."

Next Steps

Still need more info on mobile payment security? Resident compliance expert Mike Chapple explains the implications of the PCI council's Mobile Payment Acceptance Security Guidelines for merchants.


Sounds promising. The only thing I can see as a problem is it only being available with those iPhone devices. I know some people who refuse to use Apple products. If they roll this technology out to other platforms, I think they will be on to something good.
Building on Todd's point, I can see Apple Pay growing in adoption, but the team at Apple has to ensure it's going to work well on their systems first. If you look at what they did with iTunes, it's a similar approach. Make it functional, fast, safe and desirable and then roll it out more widely. Since this is a security discussion, I'll leave my comment at that. Though this could become a business process discussion where Apple might have a desired functionality that is only good with their devices and therefore will be used to move people to them instead of sharing it widely.
I can see some brand loyalty. If someone has a better plan or idea I am not so inflexible to change. In the case of security and the possible prevention of identity theft people should be more receptive.
I used the Apple Pay yesterday and it worked fine. I think there is always a need to change as the hackers get smarter.
It's great to see that there may be a more secure way to shop, but like the other commenters, I'd worry about that more secure experience being limited only to iPhone owners. Hopefully this would be just the first step toward a wider rollout of secure features so everyone can benefit. 

Apple is expected to do something about the vulnerability that their Touch ID brings: Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether. Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password. It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together".