Apple Pay Promises to Strengthen Payment Security
Many folks seem excited about Apple's introduction of Apple Pay and its potential to advance contactless payment technology, by solidifying support for the NFC (Near Field Communication) standard among other things.
In a piece on Pymnts.com, Doc Vaidhyanathan, CA Technologies' VP Product Management, Digital Payment, said Apple Pay "confirmed NFC’s position for the communication between mobile devices and points of interaction." CyberSource Senior Vice President Andre Machicao said Apple Pay "has the potential to accelerate the pace of both mobile commerce and mobile payments adoption in the marketplace."
Apple Pay is a Significant Step Forward in Payment Security
Even more exciting than Apple Pay's invigoration of contactless payment technology, which has been around for years, is its potential to strengthen payment security. And strengthening payment security is critical, given the high-profile data breaches suffered by retailers like Home Depot.
So what makes Apple Pay such a potentially significant step forward for payment security?
As Wayne Rash writes in an eWEEK article, Apple Pay "effectively virtualizes your credit cards," storing encrypted versions of card information that it does not share with merchants. Instead, Apple creates a single-use number for each transaction that it sends to merchants; neither Apple nor merchants keep the numbers.
Apple Pay and Tokenization
Apple Pay uses the principle of tokenization, which takes a sensitive data element (like credit card information) and substitutes it with a "token" that holds no value for hackers. Tokenization is especially effective when combined with end-to-end encryption, as it is with Apple's system.
Apple smartly waited to introduce Apple Pay just before U.S. retailers must upgrade their payment terminals to accept cards that meet the EMV standard that is widely used elsewhere around the world. As ABI Research senior analyst Monolina Sen said in an eSecurity Planet article, hackers likely focused on U.S. retailers because the country's lack of EMV made them easier targets. For that reason, Mastercard and Visa are requiring U.S. merchants to accept EMV by October of 2015. If merchants have to upgrade their terminals for EMV, they will almost certainly opt for NFC capabilities as well.
Apple Pay Security Weaknesses
Are there any security weaknesses associated with Apple Pay? A few, but they pale in comparison with the myriad of security issues that come with credit cards.
As security consultant Bob Doyle told eSecurity Planet, the enrollment process is "a weak point in the process" because hackers using malware or exploiting misconfigurations or flaws in the iOS software could harvest information as it is entered by credit cardholders. Another possible weak point, Doyle said, is Apple Pay's use of NFC. "When there is a new communications system in a device, then there is an opportunity to compromise the device itself."
The good news, Dole said, is that Apple has included protections against replay attacks in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Apple's protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a point-of-sale machine.
Apple Pay is More Secure Than Cards
Doyle and many other experts do believe that Apple Pay – and competitive payment systems like Google Wallet – will be far more secure than cards, even cards equipped with EMV chips.
Doyle called Apple Pay "a clear enhancement over chip and PIN." Nicholas Percoco, vice president of strategic services at security vendor Rapid7, told eSecurity Planet that Apple Pay technologies "will basically render the transaction data worthless if intercepted."
In addition, Lev Lesokhin, executive vice president for strategy and market development at CAST, said that payment systems like Apple Pay will require retailers to invest in new development "and I'm hoping that they'll take the opportunity to use that new frontier of development to improve the robustness of their systems."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.
Stay up to date on the latest developments in Internet terminology with a free newsletter from Webopedia. Join to subscribe now.
From A3 to ZZZ this guide lists 1,500 text message and online chat abbreviations to help you translate and understand today's texting lingo. Read More »List of Well-Known TCP Port Numbers
Port numbers 0 to 1024 are reserved for privileged services and designated as well-known ports. This list of port numbers are specified in... Read More »
Computer architecture provides an introduction to system design basics for most computer science students. Read More »Network Fundamentals Study Guide
Networking fundamentals teaches the building blocks of modern network design. Learn different types of networks, concepts, architecture and... Read More »The Five Generations of Computers
Learn about each of the five generations of computers and major technology developments that have led to the computing devices that we use... Read More »