Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

Recently Apple unveiled its latest iPhones and other new products. While the big screens on the new iPhones are making the splashy headlines, perhaps the most interesting reveal, from a data privacy perspective, is not a shiny gadget, but the new mobile payment service dubbed “Apple Pay”. Although mobile payment services aren’t new – Google introduced “<a href="https://www.google.com/wallet/">Google Wallet</a>” several years ago – Apple’s product has some interesting security features that could grab the attention of retailers and consumers, stung by recent large credit card breaches.

According to Apple, Apple Pay will use existing NFC technology (<a href="http://www.nearfieldcommunication.org/">Near Field Communication</a>), which enables contactless communication between devices. This allows an NFC capable smartphone to communicate with a merchant’s NFC compatible card reader to make a credit or debit card purchase. But will Apple Pay card transactions be secure?

Based on the information revealed thus far, there is a heavy emphasis on security in Apple Pay. To enable Apple Pay, the user scans their credit or debit cards into their iPhone. But the card number itself is not stored anywhere on the phone. Rather, a randomly generated and unique Device Account Number (DAN) is assigned in place of the card number, encrypted and stored in a separate chip called a <a href="http://www.smartcardalliance.org/publications-nfc-frequently-asked-questions/#7">secure element</a> -- which operates in a separate secure environment within the device.

To make a purchase, the DAN is sent via NFC along with a dynamically created one time use security code (cryptogram) that essentially replaces the card’s CCV. The cryptogram ensures that the transaction is being conducted from the device that contains the DAN. Finally, to complete the transaction, Apple adds an additional layer of security via Touch ID, which is the fingerprint sensor incorporated in recent iPhones. The payment process is only finalized when the user’s fingerprint is recognized by the iPhone.

Thus, in a nutshell, the iPhone sends the DAN to the merchant which, in turn, sends it to the credit card network where it is mapped back to the corresponding credit card account. The card network contacts the issuing bank for authorization and, if approved, the issuing bank tells the merchant to allow the transaction to proceed. As demonstrated by Apple, all of this takes place within seconds by simply holding the iPhone with Apple Pay enabled near the NFC reader.

What makes this process really interesting is that the credit card number, even in encrypted form, is not stored on the iPhone or on Apple’s servers, nor is any credit card data transmitted to the merchant or stored on the merchant’s servers. Rather, the DAN (also called a token) is used in its place. The token itself has no intrinsic value and would be useless to hackers, even if they were to intercept it or to somehow obtain it via malware or other means. Also, should the consumer’s device be lost or stolen, the thief or finder would be unable to use Apple Pay without the owner’s fingerprint.

To put this in perspective, the recent large credit card breaches at Target and Home Depot could not have happened had Apple Pay or a similar technology been used for those transactions. There would simply have been no credit card numbers transmitted to the retailer to intercept or obtain.

While no payment process is likely to be 100% secure, particularly once criminals have an opportunity to start poking and prodding the technology, Apple Pay seems to hold some promise for perhaps making massive credit card breaches a thing of the past. There can be little doubt that it is safer than the magnetic stripe card technology currently still in use.

Whether Apple Pay will reach wide acceptance by consumers and merchants also remains to be seen. Many merchants have yet to adopt NFC capable terminals and Apple Pay itself is no incentive since there is no customer information shared between Apple and the retailer. Not surprisingly though, Apple should benefit, as reports indicate it will collect a fee from the banks of 0.15 % of each purchase. Moreover, Apple has already announced partnerships with several large banks and various retailers in an effort to have the technology widely available upon launch, currently set for later this month.

Will Using “Apple Pay” Keep the Data Breach Away?