How Apple Pay is designed to avoid the pitfalls of traditional payment systems

Posted:
in iPhone edited October 2014
Apple has made security a tentpole of its marketing strategy for Apple Pay, the company's new mobile payment system, which rolls out across the U.S. on Monday. AppleInsider took a look at how Apple Pay's design makes it better for consumers.


How it works now

When consumers swipe their credit card for a latte or a new set of tires, the card data actually changes hands a number of times before the transaction is approved.

First, the merchant --?for example Starbucks --?collects the card number, CVV, expiration date, billing address, PIN (if it's a debit card), and other data from the card itself at the terminal. It's encrypted, then sent to the merchant's bank or payment processor, called the "acquirer."
Credit card numbers flow though at least three different networks in a typical transaction.
The acquirer forwards the authorization request to the customer's bank, called the "issuer," via the card networks' individual processing networks. The issuer either accepts or denies the charge, and responds by sending the appropriate status codes back in the other direction.

Most of this chain is extremely secure; unfortunately, as recent data thefts like those from major retailers Target and Home Depot have shown, that's not always the case.

Smaller merchants using off-the-shelf payment systems are unlikely to have access to the card data, but larger merchants often collect it for business-related functions, like sales analysis. These databases are major targets for malicious attackers, to be sure, but there's one more, potentially larger problem: privacy.

Major retailers also use this information to profile customers for advertising, like the famous case where Target outed a teen pregnancy based on spending habits. With consumers become more conscious of the privacy of their personal information, this has become an even more hot-button issue.

How Apple Pay is different

Apple designed Apple Pay to use tokenization. Broadly speaking, tokenization replaces the actual credit card number with a special number for making payments.

Tokenization is not a new concept, but Apple's implementation is reportedly far more secure and brings tokenization into the real world. Traditionally, credit card tokenization was an online-only affair and the token vault -- a database that maps tokens to credit card numbers --?was maintained by the payment gateway.

Apple has worked directly with credit card networks like Visa and American Express to move tokenization to their end of the chain, according to details of Apple Pay's design revealed by POS provider Clover.

With Apple Pay, rather than receiving a card number, CVV, expiration date, and billing address from the customer, the merchant receives only a device-specific token and a dynamic, one-time-use security code. The token is translated into a credit card number only when it reaches the payment network, meaning that only the consumer's bank and the payment network have information about both the person and the transaction.

Apple has gone to great lengths to tout Apple Pay's security and privacy bona fides, both on the Apple Pay marketing site and in the company's knowledge base. As they say:
Apple Pay was designed so that when you pay in stores Apple doesn't collect any transaction information that can be tied back to you.
This focus on privacy differentiates Apple Pay not only from the current physical credit card system, but also from competing mobile payment platforms.

Existing mobile payment systems

Apple Pay's major competitor, Google Wallet, operates without the security or privacy benefits of network-level tokenization. Instead, Google stores consumers' card data on its own servers and acts as an intermediary for transactions.

When paying with Google Wallet, consumers aren't paying directly. Google actually foots the bill and then charges the customers' card on file.

In this way, Google gains access to all of the customer's purchase history, a major concern for those worried about privacy. It is unclear whether Google will change tack in the face of recent privacy concerns, but a shift seems unlikely given the search giant's advertising-focused business model.
Google gets access to all Wallet transactions, and SoftCard transmits the card number over NFC.
Another competitor, SoftCard --?formerly ISIS --?stores consumers' credit card numbers in a secure element on the SIM card itself. During a transaction, the number and additional metadata is transmitted via NFC as though the card were swiped, and the rest of the process continues in the same manner.

Apple's approach, while not entirely novel, provides much more security than traditional systems or high-tech competitors. It also gives consumers greater control over the dissemination of their personal information --?something likely to win over more fans if current trends continue.

Apple Pay is scheduled to launch later today with the release of iOS 8.1, which will activate the NFC side of the equation for iPhone 6 and iPhone 6 Plus owners. More than 220,000 retail outlets are supporting Apple Pay at launch, with many more expected to sign on in the coming weeks.
«134

Comments

  • Reply 1 of 73
    asciiascii Posts: 5,941member
    Not to mention the fact that you have to auth with your fingerprint, which is surely a big step forward over other systems.
  • Reply 2 of 73
    philboogiephilboogie Posts: 7,438member
    But will it be accepted fast enough in the US in this first year for an international rollout next year/next iOS release?
  • Reply 3 of 73
    Gonna buy a pop at Walgreens just to try it. lol
  • Reply 4 of 73
    em_teem_te Posts: 26member

    Does your phone need to be connected to the internet?

  • Reply 5 of 73
    Where is located the database that maps tokens to credit card numbers? Phone or apple servers?
  • Reply 6 of 73
    rogifanrogifan Posts: 10,669member
    When does iOS 8.1 come out? 10am pacific? Hopefully no issues with this update.
  • Reply 7 of 73
    rogifanrogifan Posts: 10,669member
    bradipao wrote: »
    Where is located the database that maps tokens to credit card numbers? Phone or apple servers?
    Apple doesn't have access to any credit card numbers or data.
  • Reply 8 of 73
    Quote:

    Originally Posted by PhilBoogie View Post



    But will it be accepted fast enough in the US in this first year for an international rollout next year/next iOS release?

     

    I wouldn't count on it. Some of the Maps implementation is overdue to certain international customers since iOS 6 and iTunes Radio is still a US-only feature (AFAIK).

  • Reply 9 of 73
    macxpressmacxpress Posts: 4,895member
    Quote:
    Originally Posted by em_te View Post

     

    Does your phone need to be connected to the internet?


     

    I don't think so. All you're phone is doing is authenticating you are you and your credit card account information, although its not really sending out any credit card information. This is what makes it so great and secure. If they had an iPod Touch with NFC and the fingerprint reader you could probably use it as well for ?Pay. 

  • Reply 10 of 73
    droidftwdroidftw Posts: 1,009member
    Quote:

    Originally Posted by em_te View Post

     

    Does your phone need to be connected to the internet?


     

    There's no reason why your phone would need an Internet connection.

  • Reply 11 of 73
    asciiascii Posts: 5,941member

    You can do it with the watch and that doesn't have a network connection.

  • Reply 12 of 73
    When and where is Apple expected to put out a simple "here's what you need to know about ApplePay and how it works"? Anyone know?

    I think I'll wait for that, instead of the confusing emails from my credit card companies and such.
  • Reply 13 of 73
    plovellplovell Posts: 801member
    Quote:

    Originally Posted by em_te View Post

     

    Does your phone need to be connected to the internet?


    For a transaction, it seems that the answer is "no". The POS terminal does the networking, not your phone.

     

    I'm not sure about Google Wallet but I expect that it would need an internet connection.

     

    Quote:

    Originally Posted by bradipao View Post



    Where is located the database that maps tokens to credit card numbers? Phone or apple servers?

    It's in the bank that issued your card. The iPhone does not have it, nor does Apple.

  • Reply 14 of 73
    plovellplovell Posts: 801member
    Quote:

    Originally Posted by PhilBoogie View Post



    But will it be accepted fast enough in the US in this first year for an international rollout next year/next iOS release?



    Apple already said that it will roll out in Europe next year. I guess that Canada will get it also (maybe even sooner ?)

     

    Europe is attractive because there are lots of NFC terminals already. OTOH, they already have chip+PIN so there's less urgency for it than there is in the U.S.

  • Reply 15 of 73
    iTunes Radio is still a US-only feature (AFAIK).

    Not quite - iTunes Radio has (randomly) made it to Australia too but that is as far as it seems to have got... I suspect a lot of the delays with iTunes radio elsewhere are going to be at the record company end rather than Apple.
  • Reply 16 of 73

    Quote:
    Originally Posted by PhilBoogie View Post



    But will it be accepted fast enough in the US in this first year for an international rollout next year/next iOS release?

     

    Absolutely. Apple has been deliberately hyping banks, retailers and apps as a thank you for participating, and as a reason for others to get on board - for the coverage. Not only that, but Apple will most definitely be either upgrading the initial participating retailers POS terminals free of charge, or be subsidising the cost to push the adoption as fast as possible.

     

    In many countries in Europe, retailers have already implemented NFC based terminals, so it's just a case of getting banks on board and working with the regulatory boards and getting approvals from any officials that need be. I expect Apple Pay adoption across most of Europe in the beginning of 2015.

     

    Quote:
    Originally Posted by em_te View Post

     

    Does your phone need to be connected to the internet?


     

    It does definitely not need an internet connection. The only time it needs an internet connection is whilst adding the card to Passbook, and to authenticate your Apple Watch to use a card you have stored.

     

    Quote:
    Originally Posted by bradipao View Post



    Where is located the database that maps tokens to credit card numbers? Phone or apple servers?

     

    Neither, the only time Apple uses your card number is whilst you're adding the card to Passbook, and even in this case, Apple are only processing your card but never store it. 

     

    The tokens are stored with the bank on their own servers and are resolved to actual card numbers there.

     

    Apple Pay uses public key cryptography. The private key is stored with the bank, and the public key is stored on the phone (which is the device account number). Both keys are needed to decrypt the data the bank stores to retrieve the card number. The dynamic security code is generated using transaction data the NFC terminal has provided, such as amount and terminal ID, and also uses the device account number.

     

    Both the device account number and dynamic security code are sent to the bank, verified, resolved to the card number, and then billed.

     

    So long story short, it's unbreakable, and only the bank stores any info that could lead to a breach (Apple Pay or no Apple Pay, if your bank is breached, it's game over anyway).

  • Reply 17 of 73
    brucemcbrucemc Posts: 1,528member
    Quote:

    Originally Posted by ascii View Post



    Not to mention the fact that you have to auth with your fingerprint, which is surely a big step forward over other systems.

    Surprising this fact isn't getting more coverage.  By having a biometric with a secure storage, Apple has eliminated one of the weakest links in the chain - the users themselves.  Whether it is by choosing a simple PIN/password, or falling for phishing scams, the user is the easiest to compromise (see: celebrity pic scandal).  With TouchID & secure element storage, a user simply can't make those mistakes.  Should be a huge leap forward on improved security in payments (brick & mortar, and on-line).

     

    Tying that biometric & secure storage into the payment solution requires control of the HW, software, and services.  I believe only one company can do that right now.

  • Reply 18 of 73
    maestro64maestro64 Posts: 4,596member

    This is the reason Walmart and a few others are not signing up for ApplePay.

     

    Apple went directly to CC companies and Bank and struck a deal with them, cutting the merchant right out of the equations. CC companies and Banks make money on the interest people pay, they do not care what you are buying it has no value to them. The only analytics they do on your buying habits is to watch for fraud. Walmart wants to know who you are and what you are buying. Applepay will cut them out of knowing who you are unless you use a frequent buyers card or their own CC. 

     

    Apple sold the CC companies and Bank on saving them money by cutting fraud costs. If ApplePay shows a significant decrease in Fraud costs, you can almost guaranty they CC Companies and Banks will forces the issue with Walmart and the like. I would bet that Target was forces to sign on due to the breach they had.

  • Reply 19 of 73
    Quote:

    Originally Posted by anantksundaram View Post



    When and where is Apple expected to put out a simple "here's what you need to know about ApplePay and how it works"? Anyone know?



    I think I'll wait for that, instead of the confusing emails from my credit card companies and such.



    Remember, Apple is not rolling out ApplePay so I doubt if Apple will do anything beyond providing the capability and some marketing.  It is the credit cards or large merchants that will do the rollout.  I hope Apple is working on international rollout such as Europe where NFC has more widely rolled out.  The biggest challenge to ApplePay is the lack of NFC terminals and probably the cost of a terminal so vendors will make the investment.

  • Reply 20 of 73
    asciiascii Posts: 5,941member
    Quote:

    Originally Posted by Maestro64 View Post

     

    Walmart wants to know who you are and what you are buying. Applepay will cut them out of knowing who you are unless you use a frequent buyers card or their own CC. 


    I'm sure the shops will figure out some way to track you... For example, if your device is in NFC range (10cm) it's probably also in Bluetooth range, and Bluetooth has a unique mac address.

Sign In or Register to comment.