Apple Pay Promises To Strengthen Payment Security


Many folks seem excited about Apple’s introduction of Apple Pay and its potential to advance contactless payment technology, by solidifying support for the NFC (Near Field Communication) standard among other things.

In a piece on, Doc Vaidhyanathan, CA Technologies’ VP Product Management, Digital Payment, said Apple Pay “confirmed NFC’s position for the communication between mobile devices and points of interaction.” CyberSource Senior Vice President Andre Machicao said Apple Pay “has the potential to accelerate the pace of both mobile commerce and mobile payments adoption in the marketplace.”

Apple Pay is a Significant Step Forward in Payment Security

Even more exciting than Apple Pay’s invigoration of contactless payment technology, which has been around for years, is its potential to strengthen payment security. And strengthening payment security is critical, given the high-profile data breaches suffered by retailers like Home Depot.

So what makes Apple Pay such a potentially significant step forward for payment security?

As Wayne Rash writes in an eWEEK article, Apple Pay “effectively virtualizes your credit cards,” storing encrypted versions of card information that it does not share with merchants. Instead, Apple creates a single-use number for each transaction that it sends to merchants; neither Apple nor merchants keep the numbers.

Apple Pay and Tokenization

Apple Pay uses the principle of tokenization, which takes a sensitive data element (like credit card information) and substitutes it with a “token” that holds no value for hackers. Tokenization is especially effective when combined with end-to-end encryption, as it is with Apple’s system.

Apple smartly waited to introduce Apple Pay just before U.S. retailers must upgrade their payment terminals to accept cards that meet the EMV standard that is widely used elsewhere around the world. As ABI Research senior analyst Monolina Sen said in an eSecurity Planet article, hackers likely focused on U.S. retailers because the country’s lack of EMV made them easier targets. For that reason, Mastercard and Visa are requiring U.S. merchants to accept EMV by October of 2015. If merchants have to upgrade their terminals for EMV, they will almost certainly opt for NFC capabilities as well.

Apple Pay Security Weaknesses

Are there any security weaknesses associated with Apple Pay? A few, but they pale in comparison with the myriad of security issues that come with credit cards.

As security consultant Bob Doyle told eSecurity Planet, the enrollment process is “a weak point in the process” because hackers using malware or exploiting misconfigurations or flaws in the iOS software could harvest information as it is entered by credit cardholders. Another possible weak point, Doyle said, is Apple Pay’s use of NFC. “When there is a new communications system in a device, then there is an opportunity to compromise the device itself.”

The good news, Doyle said, is that Apple has included protections against replay attacks in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Apple’s protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a point-of-sale machine.
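The following is an added illustration, not part of the original article and not Apple's actual protocol: a simplified model of the tokenization and replay protection described above, in which the merchant only ever sees a token plus a one-time cryptogram. The class names, message fields, HMAC construction and counter scheme are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, token, counter, amount_cents):
    """One-time value bound to this token, transaction counter and amount."""
    data = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class TokenService:
    """Constructed model of a token vault with an issuer-side replay check."""
    def __init__(self):
        self._vault = {}     # token -> real card number (never sent to merchants)
        self._keys = {}      # token -> secret key provisioned to the device
        self._last_ctr = {}  # token -> highest transaction counter accepted

    def enroll(self, pan):
        """Swap the card number for a random token and issue a device key."""
        token, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token], self._keys[token], self._last_ctr[token] = pan, key, 0
        return token, key

    def authorize(self, msg):
        """Check the cryptogram, then refuse any counter already seen."""
        key = self._keys.get(msg["token"])
        if key is None:
            return "unknown-token"
        expected = cryptogram(key, msg["token"], msg["counter"], msg["amount_cents"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad-cryptogram"
        if msg["counter"] <= self._last_ctr[msg["token"]]:
            return "replay"
        self._last_ctr[msg["token"]] = msg["counter"]
        return "approved"

class Device:
    """Holds only the token and key; the card number is not stored here."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        mac = cryptogram(self._key, self.token, self._counter, amount_cents)
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "cryptogram": mac}

def demo():
    service, pan = TokenService(), "4111111111111111"  # constructed test number
    device = Device(*service.enroll(pan))
    msg = device.pay(1250)                      # what the terminal receives
    first = service.authorize(msg)
    replayed = service.authorize(dict(msg))     # same message submitted again
    tampered = service.authorize({**msg, "amount_cents": 999999})
    return pan in str(msg), first, replayed, tampered
```

In this model an intercepted message contains no card number, is rejected when submitted a second time, and cannot be altered without invalidating the cryptogram.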

Apple Pay is More Secure Than Cards

Doyle and many other experts do believe that Apple Pay – and competitive payment systems like Google Wallet – will be far more secure than cards, even cards equipped with EMV chips.

Doyle called Apple Pay “a clear enhancement over chip and PIN.” Nicholas Percoco, vice president of strategic services at security vendor Rapid7, told eSecurity Planet that Apple Pay technologies “will basically render the transaction data worthless if intercepted.”

In addition, Lev Lesokhin, executive vice president for strategy and market development at CAST, said that payment systems like Apple Pay will require retailers to invest in new development “and I’m hoping that they’ll take the opportunity to use that new frontier of development to improve the robustness of their systems.”

eSecurity Planet
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.

This article was originally published on November 25, 2014

Webopedia Staff
