New comprehensive report outlines Apple Pay and its security features

BY Evan Selleck

Published 2 Oct 2014

On September 9, along with plenty of new hardware, Apple also officially introduced their oft-rumored mobile payments system, which they ended up calling Apple Pay. While Apple calls it “easy, secure and private,” a new comprehensive outline of the system, its features and functions may shed a bit more light on that blanket statement.

In a report published by Yoni Heisler of TUAW, Apple’s big push into mobile payments gets dissected from a security standpoint, in an effort to explain how this will all work, and how it will keep your information and your money secure when it rolls out later this year.

Heisler points out that while the NFC-equipped iPhone 6 and iPhone 6 Plus support Apple Pay out of the box thanks to their built-in hardware, and while Apple Pay is indeed built from existing NFC technologies, the research points to Pay being the first real-world implementation of the EMVCo tokenization specification. This new specification is a security framework specifically built to cover a wide range of emerging payment methods. As noted in the original report, credit card executive Tom Noyes believes it is “the most secure payments scheme on the planet.”

If the tokens sound familiar, it would be because they have been rumored off-and-on long before Apple Pay became a reality, with the most recent report from September 15, citing comments from the Moven CEO, and saying that Apple Pay could be the end of physical bank cards at some point down the road. This is due to the fact that Apple Pay uses specific, randomized tokens for each transaction that is made on the device. These “Device Account Numbers” are randomized 16-digit ethereal sequences that cannot be directly linked to a physical bank card, even after a transaction is made. This means that when someone makes a purchase with Apple Pay, they may be technically using a linked card, but the merchant never gains access to that information, so even if there is a merchant breach, the credit/debit card information cannot be obtained from outside (or inside) resources.

These tokens are randomized with each transaction, across the board, and are dynamically generated at the point of sale while it occurs. This one-time generated code effectively replaces the credit card number associated with the account, substituting the digital, random and encrypted Device Account Number:

Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is an algorithmically-generated dynamic string that’s tied directly to the token. The cryptogram itself “uniquely identifies the device” that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren’t publicly known.

What’s more, as noted by Heisler, no transaction is possible without the creation of a cryptogram, which is also a one-time use device. The cryptogram verifies that the “token in transit originated from the device being used.” It also carries other, secured information, including the transaction price, as well as the merchant information.
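The flow described above can be sketched as a simplified model. This is an added example, not Apple's or EMVCo's algorithm and not code from the TUAW report: the `Issuer` and `Device` classes, the HMAC-SHA256 cryptogram, its inputs and the counter-based one-time-use check are all assumptions made for illustration, as is provisioning the token to the device once.

```python
import hashlib
import hmac
import json
import secrets

def cryptogram(key, token, counter, amount, merchant):
    # Assumed inputs: the page notes the real cryptogram's components are not public.
    data = json.dumps([token, counter, amount, merchant]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical token service: the only party that can map a token to a card."""
    def __init__(self):
        self.vault = {}

    def provision(self, card_number):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self.vault[token] = {"card": card_number, "key": key, "last_counter": 0}
        return token, key  # the device stores these, never the card number

    def authorize(self, msg):
        entry = self.vault.get(msg["token"])
        if entry is None:
            return "unknown token"
        expected = cryptogram(entry["key"], msg["token"], msg["counter"],
                              msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad cryptogram"   # amount, merchant or device key does not match
        if msg["counter"] <= entry["last_counter"]:
            return "replay"           # this cryptogram was already used once
        entry["last_counter"] = msg["counter"]
        return "approved"

class Device:
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, amount, merchant):
        # This dict is everything the merchant sees: there is no card number in it.
        self.counter += 1
        return {"token": self.token, "counter": self.counter, "amount": amount,
                "merchant": merchant,
                "cryptogram": cryptogram(self.key, self.token, self.counter, amount, merchant)}

if __name__ == "__main__":
    issuer = Issuer()
    device = Device(*issuer.provision("4111111111111111"))  # constructed test card number
    msg = device.pay(1999, "coffee-shop")
    print(issuer.authorize(msg), issuer.authorize(msg))      # approved replay
```

A merchant database holding only such messages contains tokens and spent cryptograms, which is why a breach there does not expose the underlying card number.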

The other important step in the process is Touch ID, which Apple Pay uses to replace simple PIN numbers, or even lengthy passwords. The biometric security in the fingerprint adds another level of safety and security for the user, as it is needed to process any transaction through Apple Pay.

It should be no surprise that Apple is putting this much effort into securing mobile payments through Pay, especially with recent events tied to the company’s iCloud service. Even PayPal took time out of their schedule to mock Apple for their mobile payment aspirations, and the controversy that broke out after several photos of celebrities in personal situations were leaked.

Apple, in the meantime, has not divulged exactly when Apple Pay will launch, simply outlining that it will become available in October at some point. However, a report published on Wednesday, October 1, revealed that iOS 8.1 will launch on October 20, and will officially introduce Apple Pay to the public at that point.

You can check out the full outline of Apple’s security for Pay through the source link below.

Do you plan on using Apple Pay?

[via TUAW]