KEY POINTS

  • Apple Pay combines a number of existing security technologies to solve the major problems in payments security: Apple didn't invent an entirely new payments security standard. Instead it found a solution to weaknesses in payment security and built a solution that does not require existing payments players to upend their systems and processes.
    • Data protection: Apple Pay uses both encryption and tokenization to protect data and reduce sensitive data transmission down to one instance. 
    • Device authentication: Each Apple Pay transaction has a unique value that ensures that the transaction is coming from an authorized device. 
    • User authentication: Apple requires the user's bank to have an additional user authentication system in order to further authenticate suspicious card registrations. In addition, Apple Pay requires fingerprint authentication through Touch ID in order to make fraudulent transactions from a stolen phone extremely difficult. 
  • Apple Pay not only tokenizes payment data but also creates a unique device identifier as well as  unique dynamic cryptograms like those used in EMV transactions: Together the device identifier and the cryptogram uniquely generated for each transaction ensure that even if the token is stolen, it can't be used because the token must come from the device to which it was registered. This overcomes the biggest problem with plastic EMV cards — that they only secure in-store transactions, not online transactions. Since the iPhone is a connected device, cryptograms can be sent to online merchants without the device having to interact with a physical payment terminal.
  • The most significant impacts from the new security standard will come years from now: Apple Pay and solutions like it could dramatically reduce fraud for merchants and also limit the need for additional payment security software. While we think Apple Pay and similar payments methods will proliferate more quickly than most estimates, it will be many years before plastic cards are no longer used. When mobile payments employing these types of security standards become more mainstream, fraud as it is conducted today will be greatly reduced. 

Introduction

Apple's new payment system Apple Pay has gotten lots of attention for its ease of use. But what's garnered less attention is the innovative security framework the feature uses to prevent fraudulent transactions and data theft.

While there has been some discussion recently of problems with Apple Pay security, we strongly believe these issues will be short-lived, as we'll discuss further in this report. The key security features on Apple Pay effectively protect consumers' card [...]