In recent years, U.S. retailers including Target, Home Depot and countless others have been subjected to massive data breaches largely due to a reliance on outdated payment processing systems that can be easily breached by RAM-scraping malware like Backoff.
Tech giant Apple Inc. touts its newly launched Apple Pay mobile payment system as a more secure way to shop for U.S. customers, but can it stem that tidal wave of card breaches?
Available today as an update to iOS 8, Apple Pay is certainly not a novel offering, but it may be the first mobile payment system capable of gaining traction among users and vendors. Google Wallet entered the space back in September 2011 and was immediately beaten back by wireless carriers, who eventually released their own NFC-based payment system called Isis Wallet. Vendors such as Square and PayPal have forged similar offerings as well, but none have gained widespread adoption -- Google's Wallet may be the most successful, though its U.S.-only presence has limited downloads to fewer than 20 million of the nearly 100 million Android users worldwide.
Apple itself previously failed to get its Bluetooth-based iBeacon payment platform off the ground, but the new near-field communication (NFC)-based Apple Pay system has already resulted in wider adoption among card brands, issuers, processors and retailers than any previous venture: Visa, MasterCard and American Express are all on board, as are Bank of America, Wells Fargo and hundreds of thousands of stores.
However, some question whether Apple Pay will be adopted among the masses as quickly as the consumer tech giant, based in Cupertino, Calif., hopes. Troubling signs include the notable absence of the world's largest retailer, Wal-Mart Stores Inc., from Apple's partner network as of now; the fact that many retailers that have pledged support today lack the point-of-sale systems and NFC technology to accept Apple Pay; and the restriction of the system to Apple's latest iPhone 6 or 6 Plus smartphones.
Apple Pay's differentiator: Security
Apart from promising widespread adoption, Apple has also pledged to differentiate its mobile payment system by offering a more secure experience than its competitors.
For one, unlike Google Wallet, which stores a user's payment card data on Google's servers, Apple has promised that no card data will actually be stored on any of its devices or servers. Apple devices will serve more as a conduit for mobile payments, receiving a tokenized Device Account Number from the payment networks that enables the user to pay.
The Device Account Number is stored in the Secure Element -- a new feature for Apple's devices but one that has long existed in other SIM-based smartphones -- which provides the ability to encrypt and decrypt sensitive information in an enclosed environment. Apple Pay's reliance on its Secure Element does mean that only the most recent iPhone 6 and iPhone 6 Plus, as well as other Apple devices released this fall, will gain access to new payment capabilities.
According to Apple's October iOS security guide, a successful payment will also require a transaction-specific dynamic security code, which will be known only to the relevant payment network and card issuer, and user authentication via the Touch ID fingerprint system built into the latest Apple devices.
"Security and privacy is at the core of Apple Pay," said Eddy Cue, senior vice president of Internet software and services for Apple, in a statement. "When you're using Apple Pay in a store, restaurant or other merchant, cashiers will no longer see your name, credit card number or security code, helping to reduce the potential for fraud."
Is Apple Pay security the real deal?
While one would certainly expect Apple to tout the security of its own payment platform, a variety of security experts have also endorsed the company's efforts.
Aaron Cherington, a senior cyberthreat intelligence analyst with advanced threat detection vendor FireEye Inc., based in Milpitas, Calif., said in a blog post that NFC-based payments are inherently more secure than those using typical credit and debit cards, mainly because a new string of numbers is created for each individual purchase. As a result, current attacker techniques like skimming are rendered useless because magnetic stripes play no part in the payment process.
The same holds true for the point-of-sale malware that has plagued retailers recently, said Cherington, because POS systems would no longer be responsible for storing card information, even in an encrypted form. He added that hackers may capture communications between a mobile device and an NFC reader using a small antenna, but Apple's use of tokenized Device Account Numbers rather than card numbers should deter such attacks.
"Even if threat actors are able to access the retailer's network, the one-time-use-only nature of the information makes it essentially useless for their purposes," said Cherington. "It appears Apple Pay and other NFC mobile payment systems in general offer enhanced security against traditional retail credit card breaches."
In a blog post, Avivah Litan, vice president and distinguished analyst for research firm Gartner Inc., based in Stamford, Conn., agreed with Cherington's assessment that the use of tokens rather than card numbers makes the payment process more secure, as attackers are "not going to bother stealing" a token that can't be reused. Apple's choice of tokenization could also reduce the burden placed on merchants that accept cards, added Litan, because tokens aren't considered to be the same as card numbers under PCI DSS regulations, potentially reducing the scope of a PCI audit.
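To make the tokenization and dynamic-code argument above concrete, here is an added Python model of the flow (not Apple's code or published design): the network issues a Device Account Number, the Secure Element releases a per-transaction message only after user authentication, and the merchant forwards that message without ever holding the PAN. The HMAC-over-counter cryptogram and the replay set are assumptions standing in for the real dynamic security code.

```python
import hashlib
import hmac
import os

def cryptogram(key, msg):
    """Stand-in for the transaction-specific dynamic security code (assumption)."""
    data = f"{msg['dan']}|{msg['counter']}|{msg['amount']}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class PaymentNetwork:
    """Token vault: maps a DAN to the real PAN and holds the device key."""
    def __init__(self):
        self._vault = {}        # DAN -> (PAN, key); the PAN never leaves here
        self._redeemed = set()  # (DAN, counter) pairs already accepted

    def provision(self, pan):
        dan, key = "DAN-" + os.urandom(6).hex(), os.urandom(32)
        self._vault[dan] = (pan, key)
        return dan, key         # the PAN itself is not sent back to the device

    def authorize(self, msg):
        """The merchant forwards the NFC message; only the network can check it."""
        if msg["dan"] not in self._vault:
            return "DECLINE: unknown token"
        _pan, key = self._vault[msg["dan"]]
        if not hmac.compare_digest(cryptogram(key, msg), msg["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if (msg["dan"], msg["counter"]) in self._redeemed:
            return "DECLINE: replayed transaction"
        self._redeemed.add((msg["dan"], msg["counter"]))
        return "APPROVE"

class SecureElement:
    """Holds DAN and key; emits a one-time message only after user authentication."""
    def __init__(self, dan, key):
        self._dan, self._key, self._counter = dan, key, 0

    def pay(self, amount, touch_id_ok):
        if not touch_id_ok:
            raise PermissionError("Touch ID required")
        self._counter += 1
        msg = {"dan": self._dan, "counter": self._counter, "amount": amount}
        msg["cryptogram"] = cryptogram(self._key, msg)
        return msg

def demo(pan="4111111111111111"):   # constructed sample PAN, not a real card
    network = PaymentNetwork()
    phone = SecureElement(*network.provision(pan))
    msg = phone.pay("19.99", touch_id_ok=True)   # this is all the POS ever sees
    return network.authorize(msg), network.authorize(msg), pan in str(msg)
```

Running `demo()` shows the first presentation approved, the identical captured message declined as a replay, and the PAN absent from anything the merchant handled.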
Litan cautioned that Apple Pay will only be successful in the long run if merchants choose to accept it. Considering that Android continues to outpace iOS in mobile adoption, she said that most stores will likely continue rolling out point-to-point-encryption for POS terminals to enhance security, unless Google can also improve the adoption of its NFC-based Wallet offering.
"Apple can certainly ride the security wave and offer merchants and consumers more secure payments," said Litan in her blog post. "But they are still just a fraction of the shopper base and the other fraction still has to be protected. So Apple will need to offer more than just security features to gain all-important acceptance. IMHO, lower fees are key to Apple Pay success."
Still need more info on mobile payment security? Resident compliance expert Mike Chapple explains the implications of the PCI council's Mobile Payment Acceptance Security Guidelines for merchants.