On September 9, Apple announced that it will start incorporating Apple Pay into its mobile devices. Apple and members of the media claim that Apple Pay could potentially put an end to the data breaches involving point-of-sale (POS) systems. We take a deeper look at Apple's new payment service to see whether consumers are truly as safe as the tech company claims.
How Apple Pay works
Here is the step-by-step process a consumer would follow to buy something with Apple Pay:
- Register the cardholder's payment information through an app on the iPhone 6. (The payment information is not saved on the phone.)
- The iPhone 6 receives a digital token, a reference ID for the cardholder's account number. (This token is used to authorize payments instead of the card or account information itself.)
- To process a payment, the app must first be unlocked via fingerprint verification.
- Once unlocked, the phone must be held near the NFC (Near Field Communication) payment device. (Instead of having the user swipe a card, iPhone 6 users only have to hold their phone near the payment device to process the payment.)
- The app authorizes the payment by creating a one-time authentication code for each transaction. (This way, none of the data used during the payment transaction can be reused fraudulently.)
Why does Apple claim that it is secure?
Apple emphasizes the following two security features:
Fingerprint Authentication
Payment can only be initiated if the consumer, who is also the owner of the card, activates the app with his or her fingerprint. In other words, even if the iPhone 6 is stolen, a thief cannot use it to make unauthorized purchases, because the thief cannot activate the payment app without the original owner's fingerprint.
Tokenization
Tokenization in data security refers to the process of substituting sensitive data with a "token" that holds no value on its own. In Apple Pay, tokenization removes the actual payment information, such as the credit card number, and replaces it with a randomly generated code. With this method, even if a hacker steals transaction data, the payment information remains safe because the hacker only obtains the randomly generated code.
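To make the tokenization and one-time-code steps from the walkthrough above and this section concrete, here is a small added Python model. It is not Apple's code and not Apple Pay's actual protocol: the token vault, the HMAC-based transaction cryptogram, the device counter, the shared device key and the message layout are all assumptions of this example. It shows why a random token reveals nothing about the card number, and why a captured authorization message cannot be replayed or altered.

```python
"""Simplified model of payment tokenization plus a one-time transaction
cryptogram. Added example for illustration only; it is NOT Apple Pay's
protocol. Key provisioning, counter handling and the message format are
assumptions chosen to make the idea concrete."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Issuer-side vault: the only place a token can be mapped back to a PAN."""
    _pan_by_token: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        # The token is random, not derived from the PAN, so it carries no
        # information about the card number by itself.
        token = secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


@dataclass
class Device:
    """Phone-side state: holds only the token and a device key, never the PAN."""
    token: str
    key: bytes
    counter: int = 0

    def authorize(self, amount_cents: int) -> dict:
        """Build a one-time authorization message for a single purchase."""
        self.counter += 1  # monotonically increasing, so each message is unique
        msg = f"{self.token}|{self.counter}|{amount_cents}".encode()
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self.counter,
                "amount_cents": amount_cents, "cryptogram": cryptogram}


@dataclass
class Issuer:
    """Issuer-side verifier: checks the cryptogram and rejects replays."""
    vault: TokenVault
    keys: dict                       # token -> device key (assumed provisioned at enrollment)
    last_counter: dict = field(default_factory=dict)

    def verify(self, auth: dict) -> tuple[bool, str]:
        token = auth["token"]
        key = self.keys.get(token)
        if key is None:
            return False, "unknown token"
        msg = f"{token}|{auth['counter']}|{auth['amount_cents']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # Any change to token, counter or amount invalidates the cryptogram.
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return False, "bad cryptogram"
        # A counter at or below the last accepted value is a replayed message.
        if auth["counter"] <= self.last_counter.get(token, 0):
            return False, "replay"
        self.last_counter[token] = auth["counter"]
        pan = self.vault.detokenize(token)
        return True, f"approved for card ending {pan[-4:]}"


def enroll(vault: TokenVault, issuer: Issuer, pan: str) -> Device:
    """Enrollment: the vault issues a token and a device key is provisioned."""
    token = vault.tokenize(pan)
    key = secrets.token_bytes(32)
    issuer.keys[token] = key
    return Device(token, key)


def demo() -> dict:
    """Run one purchase, then a replay and a tampered copy of the same message."""
    vault = TokenVault()
    issuer = Issuer(vault, {})
    pan = "4111111111111111"                  # constructed test card number
    phone = enroll(vault, issuer, pan)
    auth = phone.authorize(1999)               # $19.99 purchase
    first = issuer.verify(auth)                # genuine transaction
    replay = issuer.verify(auth)               # same captured message sent again
    tampered = issuer.verify(dict(auth, amount_cents=1))  # amount altered in transit
    return {
        "first": first,
        "replay": replay,
        "tampered": tampered,
        "pan_in_message": pan in str(auth),   # does the wire message expose the PAN?
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is that a breach of the merchant or the network captures only the token and a single-use cryptogram; the mapping back to the card number lives in the vault, and the counter check stops the captured message from being submitted twice.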
Does this mean the end of data breaches? We say "No"
Both fingerprint authentication and tokenization have been implemented in earlier data security systems; neither is novel.
Tokenization is already widely employed in the payment transaction industry to meet government compliance requirements. While it is an industry standard, it has not done much to stop data breaches, as the continuing breaches from eBay to Home Depot show.
Fingerprint authentication systems have been built into iPhone and Android devices, most notably the iPhone 5s and Samsung Galaxy S5, for a little more than a year. And there is already a known way to bypass fingerprint verification: a thief can use residual fingerprints left on the phone and then enhance the detail with Photoshop, creating a fake fingerprint. This is also a remarkably easy process that anyone can carry out at home.
Apple Pay may open the road to using NFC as an alternative method of payment, but it won't be secure enough to save merchants and banks from future breaches.
For more analysis on Apple Pay and other emerging payment technologies, download a copy of our whitepaper below.