Apple Pay Promises to Strengthen Payment Security
Many folks seem excited about Apple’s introduction of Apple Pay and its potential to advance contactless payment technology, by solidifying support for the NFC (Near Field Communication) standard among other things.
In a piece on Pymnts.com, Doc Vaidhyanathan, CA Technologies’ VP Product Management, Digital Payment, said Apple Pay “confirmed NFC’s position for the communication between mobile devices and points of interaction.” CyberSource Senior Vice President Andre Machicao said Apple Pay “has the potential to accelerate the pace of both mobile commerce and mobile payments adoption in the marketplace.”
Apple Pay is a Significant Step Forward in Payment Security
Even more exciting than Apple Pay’s invigoration of contactless payment technology, which has been around for years, is its potential to strengthen payment security. And strengthening payment security is critical, given the high-profile data breaches suffered by retailers like Home Depot.
So what makes Apple Pay such a potentially significant step forward for payment security?
As Wayne Rash writes in an eWEEK article, Apple Pay “effectively virtualizes your credit cards,” storing encrypted versions of card information that it does not share with merchants. Instead, Apple creates a single-use number for each transaction that it sends to merchants; neither Apple nor merchants keep the numbers.
Apple Pay and Tokenization
Apple Pay uses the principle of tokenization, which takes a sensitive data element (like credit card information) and substitutes it with a “token” that holds no value for hackers. Tokenization is especially effective when combined with end-to-end encryption, as it is with Apple’s system.
Apple smartly waited to introduce Apple Pay just before U.S. retailers must upgrade their payment terminals to accept cards that meet the EMV standard that is widely used elsewhere around the world. As ABI Research senior analyst Monolina Sen said in an eSecurity Planet article, hackers likely focused on U.S. retailers because the country’s lack of EMV made them easier targets. For that reason, Mastercard and Visa are requiring U.S. merchants to accept EMV by October of 2015. If merchants have to upgrade their terminals for EMV, they will almost certainly opt for NFC capabilities as well.
Apple Pay Security Weaknesses
Are there any security weaknesses associated with Apple Pay? A few, but they pale in comparison with the myriad of security issues that come with credit cards.
As security consultant Bob Doyle told eSecurity Planet, the enrollment process is “a weak point in the process” because hackers using malware or exploiting misconfigurations or flaws in the iOS software could harvest information as it is entered by credit cardholders. Another possible weak point, Doyle said, is Apple Pay’s use of NFC. “When there is a new communications system in a device, then there is an opportunity to compromise the device itself.”
The good news, Doyle said, is that Apple has included protections against replay attacks in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Apple’s protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a point-of-sale machine.
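The tokenization principle and the replay protection described above can be shown together in a small sketch. This is an added example, not code from the article and not Apple's implementation; the `TokenVault` class, its methods, the merchant IDs and the card number are hypothetical and constructed for illustration.

```python
import secrets


class TokenVault:
    """Issuer-side store mapping single-use tokens to cards (hypothetical design)."""

    def __init__(self):
        self._live = {}  # token -> (pan, merchant_id, amount_cents)

    def issue(self, pan, merchant_id, amount_cents):
        # The token is random, so it reveals nothing about the card number.
        token = secrets.token_hex(8)
        self._live[token] = (pan, merchant_id, amount_cents)
        return token

    def redeem(self, token, merchant_id, amount_cents):
        # Burn the token on first presentation: a captured copy is then useless.
        entry = self._live.pop(token, None)
        if entry is None:
            return (False, "unknown or already used token")
        pan, bound_merchant, bound_amount = entry
        # The token is only valid for the transaction it was issued for.
        if (merchant_id, amount_cents) != (bound_merchant, bound_amount):
            return (False, "transaction mismatch")
        return (True, "approved for card ending " + pan[-4:])


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.issue(pan, "store-17", 2599)
    first = vault.redeem(token, "store-17", 2599)    # legitimate payment
    replay = vault.redeem(token, "store-17", 2599)   # intercepted token re-sent
    other = vault.issue(pan, "store-17", 2599)
    moved = vault.redeem(other, "store-99", 2599)    # token used at another merchant
    return token, first, replay, moved


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The merchant only ever handles the token, so a breach of the merchant's systems yields values that the vault will no longer accept.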
Apple Pay is More Secure Than Cards
Doyle and many other experts do believe that Apple Pay – and competitive payment systems like Google Wallet – will be far more secure than cards, even cards equipped with EMV chips.
Doyle called Apple Pay “a clear enhancement over chip and PIN.” Nicholas Percoco, vice president of strategic services at security vendor Rapid7, told eSecurity Planet that Apple Pay technologies “will basically render the transaction data worthless if intercepted.”
In addition, Lev Lesokhin, executive vice president for strategy and market development at CAST, said that payment systems like Apple Pay will require retailers to invest in new development “and I’m hoping that they’ll take the opportunity to use that new frontier of development to improve the robustness of their systems.”
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.
This article was originally published on November 25, 2014