Apple Pay Promises to Strengthen Payment Security
Many folks seem excited about Apple's introduction of Apple Pay and its potential to advance contactless payment technology, by solidifying support for the NFC (Near Field Communication) standard among other things.
In a piece on Pymnts.com, Doc Vaidhyanathan, CA Technologies' VP Product Management, Digital Payment, said Apple Pay "confirmed NFC’s position for the communication between mobile devices and points of interaction." CyberSource Senior Vice President Andre Machicao said Apple Pay "has the potential to accelerate the pace of both mobile commerce and mobile payments adoption in the marketplace."
Apple Pay is a Significant Step Forward in Payment Security
Even more exciting than Apple Pay's invigoration of contactless payment technology, which has been around for years, is its potential to strengthen payment security. And strengthening payment security is critical, given the high-profile data breaches suffered by retailers like Home Depot.
So what makes Apple Pay such a potentially significant step forward for payment security?
As Wayne Rash writes in an eWEEK article, Apple Pay "effectively virtualizes your credit cards," storing encrypted versions of card information that it does not share with merchants. Instead, Apple creates a single-use number for each transaction that it sends to merchants; neither Apple nor merchants keep the numbers.
Apple Pay and Tokenization
Apple Pay uses the principle of tokenization, which takes a sensitive data element (like credit card information) and substitutes it with a "token" that holds no value for hackers. Tokenization is especially effective when combined with end-to-end encryption, as it is with Apple's system.
Apple smartly waited to introduce Apple Pay until just before U.S. retailers must upgrade their payment terminals to accept cards that meet the EMV standard, which is widely used elsewhere around the world. As ABI Research senior analyst Monolina Sen said in an eSecurity Planet article, hackers likely focused on U.S. retailers because the country's lack of EMV made them easier targets. For that reason, Mastercard and Visa are requiring U.S. merchants to accept EMV by October of 2015. If merchants have to upgrade their terminals for EMV, they will almost certainly opt for NFC capabilities as well.
Apple Pay Security Weaknesses
Are there any security weaknesses associated with Apple Pay? A few, but they pale in comparison with the myriad of security issues that come with credit cards.
As security consultant Bob Doyle told eSecurity Planet, the enrollment process is "a weak point in the process" because hackers using malware or exploiting misconfigurations or flaws in the iOS software could harvest information as it is entered by credit cardholders. Another possible weak point, Doyle said, is Apple Pay's use of NFC. "When there is a new communications system in a device, then there is an opportunity to compromise the device itself."
The good news, Doyle said, is that Apple has included protections against replay attacks, in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Apple's protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a point-of-sale machine.
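The following Python example is added here for illustration and is not Apple's code or protocol: it models the tokenization described above together with a per-transaction cryptogram, and shows a replayed or altered message being declined. The Issuer class, the device_pay function, the message fields and the HMAC-with-counter scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount_cents):
    """Per-transaction MAC binding the token, a counter and the amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical token service holding the only token-to-card mapping."""
    def __init__(self):
        self._vault = {}  # token -> [card number, device key, last counter accepted]

    def enroll(self, pan):
        token = secrets.token_hex(8)   # random, so it reveals nothing about the card
        key = secrets.token_bytes(32)  # provisioned to the device, never to merchants
        self._vault[token] = [pan, key, 0]
        return token, key

    def authorize(self, token, counter, amount_cents, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return "declined: unknown token"
        _pan, key, last_counter = entry
        expected = make_cryptogram(key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"   # forged or altered message
        if counter <= last_counter:
            return "declined: replay"           # captured message sent again
        entry[2] = counter
        return "approved"

def device_pay(token, key, counter, amount_cents):
    """What the phone hands the terminal: no card number anywhere in it."""
    return {"token": token, "counter": counter, "amount_cents": amount_cents,
            "cryptogram": make_cryptogram(key, token, counter, amount_cents)}

def demo():
    issuer = Issuer()
    pan = "4111111111111111"               # constructed test card number
    token, key = issuer.enroll(pan)
    msg = device_pay(token, key, 1, 1999)  # all a merchant or eavesdropper sees
    first = issuer.authorize(**msg)
    replayed = issuer.authorize(**msg)
    tampered = issuer.authorize(**{**msg, "amount_cents": 999999})
    return pan in str(msg), first, replayed, tampered

if __name__ == "__main__":
    print(demo())
```

The counter check is what turns a valid but previously seen message into a decline, which is why data captured at a point-of-sale terminal cannot simply be sent again.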
Apple Pay is More Secure Than Cards
Doyle and many other experts do believe that Apple Pay – and competitive payment systems like Google Wallet – will be far more secure than cards, even cards equipped with EMV chips.
Doyle called Apple Pay "a clear enhancement over chip and PIN." Nicholas Percoco, vice president of strategic services at security vendor Rapid7, told eSecurity Planet that Apple Pay technologies "will basically render the transaction data worthless if intercepted."
In addition, Lev Lesokhin, executive vice president for strategy and market development at CAST, said that payment systems like Apple Pay will require retailers to invest in new development "and I'm hoping that they'll take the opportunity to use that new frontier of development to improve the robustness of their systems."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.