If you are at all interested in Apple Pay and how it works, make sure to check out the thorough writeup examining the security behind the technology by Yoni Heisler over at The Unofficial Apple Weblog.
Heisler spoke with a few individuals involved with the development of Apple Pay to understand how the mobile payment technology works and to determine whether it's secure. One takeaway from the piece is that tokenization isn't the only thing making Apple Pay more secure than other types of mobile payments. It is "just one part of the puzzle that makes Apple Pay so secure," Heisler wrote.
When the user signs up for Apple Pay, the card information is encrypted and sent to the appropriate credit card network. The network verifies the account information is valid, and sends a token back to the device to be saved within the phone's Secure Element chip. The token—a randomly generated and unique 16-digit number— is what gets transferred to other merchants. It may look like a valid credit number and share the same last-4 digits on the card as your real number, but there is no way to reverse engineer it back to the original number. The only entity who knows what credit card that token is connected to would be the credit card issuer. Your phone doesn't, and the merchant doesn't.
The token is just a placeholder, and on its own, is "fundamentally useless," Heisler wrote.
Apple combined tokenization with two-factor authentication in Apple Pay. TouchID, the fingerprint reader technology built-in to the latest iPhones, authenticates the person behind the transaction. But it didn't stop there. Apple Pay also dynamically generates a new CVV/CCV code for each transaction. Since this code is algorithmically generated, the payment processor has to verify that it was generated on an authorized device. Heisler emphasized that tokens cannot be used without the accompanying code, and the code ensures that the token used only from the device it was generated on.
"That is not just beyond magstripes—it is better than EMV-style smart cards," Adrian Lane, analyst and CTO of research firm Securosis, wrote in a blog post. "No wonder the banks were happy to work with Apple."
The Apple Pay ecosystem makes a lot of sense. The fingerprint scan verifies the authorized user is present for the transaction. The token that represents the card and device combination is sent to the merchant, with the actual credit card number staying safely in the user's wallet. The unique CVV generated verifies which device is being used.
"Apple— as it so often does—is setting the tone and using their prowess and sway to push two key concepts [tokenization and two-factor authentication] in particular," said Nicholas thorne, co-founder of BlockSign.
Whether or not Apple Pay succeeds is entirely up to the market and whether consumers adopt it. For businesses wondering about the security, it makes sense to accept Apple Pay. It is an extremely safe way to accept credit card payments—safer than existing methods. Check out the TUAW piece for more details.