In this article, I describe the Apple contactless payment service, included the security features it comes with. To get started, be sure to read the instructions on how to set up Apple Pay.
What is Apple Pay?
Apple Pay service is designed to simplify the process of buying and selling. Instead of using a plastic card or cash, any purchase can be made using an Apple device. A transaction can be initiated when the user brings the device (an iPhone, iPad, or Apple Watch) close to a contactless terminal. After that, a message appears on the screen providing details of the payment request and asking the user to confirm the transaction by providing a fingerprint or password.
Apple Pay has been around since 2014. At of the time of writing, it is available in 33 countries and Apple’s service is supported by hundreds of banks.
History and partners
Contactless payment technology has been used for a long time. As early as 1997, Mobil introduced the Speedpass - the first mobile payment device. The concept of Apple Pay is also not new. Google has already tried to take a place in this niche with its Google Wallet service.
Apple Pay is compatible with many existing contactless readers: MasterCard PayPass, Visa PayWave, ExpressDay, and American Express.
How does it work?
Apple Pay is based on Near-Field Communication Technology (NFC). With the help of this method, data can be transferred at a distance of up to 20 centimetres. The system works in conjunction with the Secure Element chip, which stores bank card data in encrypted form. This chip runs a special Java application.
Secure Element’s memory is separated from the system memory. No program has access to it, data is not transferred anywhere, and even Apple cannot influence or change this security strategy.
In addition to Secure Element, Apple Pay includes Secure Enclave. This manages the authentication process and starts payment transactions. It is a kind of hardware key manager isolated from the main processor for better security. Secure Enclave also stores Touch ID fingerprints.
Apple Pay servers are involved in verifying the balance and status of the bank cards attached to the Wallet app. Apple Pay servers also verify the device ID number stored in the Secure Element.
Payment is made without transferring bank card numbers or other banking information. During the purchase process, Apple Pay may transfer additional information stored on the buyer's phone, such as shipping address and phone number.
How much does Apple make from Apple Pay?
In the United States, card issuers should pay Apple 0.15 % for a credit card transaction and 0.5 cents for each debit card transaction. In addition, issuers pay 50 cents to Mastercard and 7 cents to Visa for each card added to Apple Wallet.
What about security?
Apple Pay has a multi-level security system that includes:
- A unique device identifier
- Dynamically-generated security codes (tokens) for each payment transaction
- Biometric information (a fingerprint)
Together, these tools provide more reliable security than a magnetic stripe and even a bank card chip.
When the connection is initiated, the devices exchange one-time tokens, which are deleted when the connection ends. The token is intended to replace the card number so that no one can intercept it. The token is a randomly-generated number and the bank card number hidden behind it cannot be decrypted.
After the exchange of tokens, all data gets encrypted. These encrypted messages carry information about the specific device that created the token and information about the buyer, the seller, the amount of money involved in the transaction, and the bank that issued the card.
Apple does not disclose information about the encryption algorithm, which causes a storm of indignation among some information security experts.
No matter how hard Apple developers try, there are some problem areas that are not always Apple's fault. Many other organizations are involved in the process of moving funds, including banks with their huge security gaps.
At the transaction level, the fingerprint scanner does not always work correctly. If the Touch ID fails, you can use a PIN code, but this negates all advanced security. Plus, at the point of sale, PIN code entries could be viewed by others if the users isn’t extra-cautious. Note that when paying with an Apple Watch, a fingerprint is not required; in this case, the issue of security becomes more acute.
Some banks require the user to authorize the payment via a mobile banking app. These steps reduce the usability of Apple Pay due to additional levels of verification.
Although Apple Pay has not been hacked (as far as we know), the security of any digital wallet depends on the safety habits users develop and the precautions they take.
As an additional security measure, it’s a good idea to install a Virtual Private Network (VPN) service on the device. Once enabled, the device will be connected to a VPN server via an encrypted connection. This way users can safeguard their data when it is transferred over public networks. Though Apple Pay has a lot of its own security mechanisms, it’s impossible to know when cybercriminals will find a workaround.
The future of Apple Pay
In the near future, it’s likely that more retail outlets will accept Apple Pay, and will use it to issue discounts and deliver targeted advertising in accordance with consumer needs. After all, those behind smartphones and their apps enable corporations to know almost everything about users, so offer the perfect platform for targeted advertising.
At the consumer end, Apple Pay has simplified the payment process, offering a convenient alternative to cash or plastic. And while some consumers would prefer more privacy, others appreciate ads and discounts targeted to them specifically.
With time and the proliferation of contactless terminals, Apple Pay and similar services could eventually replace plastic bank cards.