A Comprehensive Outline of the Security Behind Apple Pay

by

Apple has described its new Apple Pay payments service, which is designed to be the first step towards the company's goal of replacing the wallet, as "easy, secure, and private." Apple Pay includes several different features that offer customers much greater security than a traditional credit card, including Device Account Numbers that replace credit card numbers, dynamic security codes for each transaction, and biometric payment verification through the use of Touch ID.

Ahead of the release of Apple Pay, TUAW's Yoni Heisler has taken an in-depth look at the security features built into the payments service, outlining the ways Apple is safeguarding customer information.

While Apple Pay is built on existing NFC technology, Heisler's research suggests it is the first implementation of the EMVCo tokenization specification, a newly introduced security framework designed to cover emerging payment methods. According to former credit card executive Tom Noyes, this specification is "the most secure payments scheme on the planet."

applepaytouchid
As previously rumored, Apple Pay utilizes a "token," which the company refers to as a Device Account Number, to replace a user's existing credit card number on the iPhone. A randomized 16-digit number, the Device Account Number ensures that no merchant is able to obtain a user's credit card number, protecting consumers from retail security breaches, as TUAW points out, because tokens are randomized numbers that cannot be decrypted back into a credit card number.

Device Account Numbers, or tokens, are paired with a dynamically generated one-time use code that replaces the credit card's CCV with every transaction.

Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.

As noted by Heisler, a Device Account Number can't be used in a transaction without an accompanying one-time use cryptogram, which verifies that the "token in transit originated from the device being used." Cryptograms also carry transaction information like the merchant's identity and the amount of money being charged.

The transaction comprising the Device Account Number and accompanying cryptogram is further verified through the use of Touch ID, which essentially replaces insecure verification methods like passwords and PINs.

According to a credit card executive who spoke to TUAW, token transactions as implemented by Apple "are a new and much higher standard of security for electronic payments."

The amount of security built into provisioning tokens and supporting transactions is a new standard that I think will definitely shift fraud patterns going forward.

Apple Pay is expected to go live in October, enabled through an update to iOS 8. Hints of Apple Pay have already been found in the iOS 8.1 beta, which was seeded to developers on Monday. TUAW's full look at the security behind Apple Pay, which covers tokens, Touch ID, and more, is well worth a read.

Related Roundup: Apple Pay
Related Forum: Apple Music, Apple Pay/Card, iCloud, Fitness+

Popular Stories

iPhone 16 Pro Sizes Feature

iPhone 16 Launch Is Just One Month Out – Here's Everything We Know

Saturday August 10, 2024 5:00 am PDT by
Apple typically releases its new iPhone series in the fall, and a possible September 10 announcement date has been floated this year, which means we are just one month away from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design...
Read Full Article240 comments
macbook pro bb cyber

Apple's M3 MacBook Pro Gets Up to $1,000 Off In Major New Sales, Starting at $1,299 [Updated]

Sunday August 11, 2024 1:54 pm PDT by
Apple's M3 MacBook Pro is seeing multiple high value discounts on Best Buy and Amazon today, with up to $1,000 off select models. This includes a new all-time low price on the entry-level M3 512GB 14-inch MacBook Pro at $1,299.00, down from $1,599.00, and a massive $1,000 discount on the high-end 16-inch model exclusively for Best Buy members. Note: MacRumors is an affiliate partner with Best...
Read Full Article78 comments
iPhone 16 Pro Right Side Feature

The iPhone 16 is Getting a New Button: Here's What It Can Do

Tuesday August 13, 2024 4:01 pm PDT by
Multiple rumors have suggested that the iPhone 16 models are going to have an all-new button that's designed to make it easier to capture photos when the devices are held in landscape mode. Apple calls the button the Capture Button internally, and it is going to be one of the most advanced buttons that's been introduced to date with support for multiple gestures and the ability to respond to ...
Read Full Article172 comments
iOS 18 on iPhone Feature

Everything New in iOS 18.1 Beta 2 and iOS 18 Beta 6

Monday August 12, 2024 2:32 pm PDT by
Apple is beta testing iOS 18 and the first update to iOS 18 concurrently, and we got the second betas of iOS 18.1, iPadOS 18.1, and macOS Sequoia 15.1 today alongside the sixth betas of iOS 18, iPadOS 18, and macOS Sequoia 15. Many of the changes in iOS 18.1 are focused on bringing the .1 betas in line with the standard betas, which recently received updates to Photos and Safari, while...
Read Full Article77 comments
Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Thursday August 8, 2024 4:40 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
Read Full Article164 comments
iPhone 17 Slim Feature Single Camera 2

Next Year's Slim iPhone 17 Could Be an 'iPhone Air'

Monday August 12, 2024 8:43 am PDT by
Apple's rumored iPhone 17 "Slim" could be positioned as an iPhone "Air" to boost sales, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman explained how the "fourth" model in the iPhone lineup since 2020 (the iPhone 12 mini, iPhone 13 mini, iPhone 14 Plus, and iPhone 15 Plus) has largely been a commercial failure. In the case of the Plus model,...
Read Full Article154 comments

Top Rated Comments

GeneralChang Avatar
GeneralChang
129 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

You mean that convoluted system that required a perfect copy of the persons fingerprint and something like four hours of fabrication? I wouldn't really call that "hacked." By the time they got a dummy fingerprint made up, I'd have realized my phone was missing and locked it via iCloud.
Score: 45 Votes (Like | Disagree)
vpndev Avatar
vpndev
129 months ago
Gw

And for all the Google Wallet fans out there, tokenization is a key differentiator between Apple Pay and Google Wallet.

So please lay off the comments saying that you've been using this for years. You haven't.

However I don't expect that Google will dawdle with incorporation of tokenization (which is an EMV standard - by no means exclusive to Apple). A decent fingerprint reader might take longer.
Score: 31 Votes (Like | Disagree)
taptic Avatar
taptic
129 months ago
Apple: setting the example of security and privacy for Google and the NSA since forever.
Score: 26 Votes (Like | Disagree)
ptb42 Avatar
ptb42
129 months ago
Let's get this out of the way now...

No, a merchant doesn't have to sign up for :apple:pay. All of this is done on the back-end, by the credit card processing networks and the card-issuing banks.

If a merchant supports contactless card payments (PayWave, ExpressPay, PayPass), they can accept payments from your iPhone 6.

Merchants have to replace their point-of-sale terminals before 10/2015 anyway, if they haven't already done so. If their terminal doesn't accept EMV chip cards, the merchant will assume liability for fraudulent transactions.

The only determining factor is whether a merchant chooses to spend a bit extra money to add the NFC option to their point-of-sale terminal.

I'm tired of all the people complaining about "deficiencies" in :apple:pay, when they clearly don't even know how it is being implemented. Go read the referenced article, if you don't yet get it.
Score: 14 Votes (Like | Disagree)
taptic Avatar
taptic
129 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?
The chances of their being a psycho that starts shooting people in public are probably higher than a psyhco chopping peoples fingers off to shop with at CVS.

And no, people replicated someones fingerprint, but they need to have the original and a lot of time and patience. It's not much of a hack really...
Score: 13 Votes (Like | Disagree)
greytmom Avatar
greytmom
129 months ago
Folks, if you are being held at gun or knife point so that a thief can get your pin or password, you've got bigger issues than the thief going on a shopping spree.
Score: 10 Votes (Like | Disagree)
Read All Comments