How Secure is Apple Pay?

Katie Lamb


Very.

With the release of Apple Pay in Hong Kong last week, you can’t blame us for being over-excited little puppies and using it at every possible opportunity! We know not everyone is as crazy about it as us, with 20.5% not trying Apple Pay due to security concerns, but we’re hoping we can change your minds on that.


The Basics

  • Apple Pay servers never access your card information.
  • Apple Pay stores a combination of part of your encrypted, unique Device Account Number, part of your card number, and some information about your card to help you better manage your mobile wallet.
  • If you lose your phone and hence your Apple Wallet, it is near impossible for someone to make purchases with Apple Pay unless they can replicate your fingerprint or wrist. Why? Because iPhone/iPad use Touch ID and Apple Watch uses Wrist Detect to make an in-store purchase.
  • The only exception is if you don’t use Touch ID and simply enter a passcode to access your Apple Wallet, giving thieves the opportunity to watch you enter your passcode.
  • No payment can be sent without authentication!
  • An online purchase is also out of the question, as Apple Pay only stores part of your card number, not the whole thing.
  • You can also remove cards from your Apple Wallet in 3 different ways: phone your bank, put the device into ‘Lost Mode’ via ‘Find My iPhone’, or wipe the device entirely through ‘Find My iPhone’.


The Details

Setting up Apple Pay

To set up Apple Pay, you can either:

  • Enter the relevant information from your credit or debit card manually.
  • Or you can use your camera lens to capture this (the picture is not saved or sent anywhere; the lens simply detects the information and inserts it into the correct fields).

This data is then:

  • Encrypted and sent to Apple servers.
  • The data is decrypted so Apple can identify your network provider, then re-encrypted with a key that only your network provider, or any other provider authorised by your card issuer, has access to.
  • The data is sent to your bank, along with some background information on your previous buying behaviour with iTunes and the App Store, your device information, and your location when you added the credit or debit card, if location services are enabled.
  • Once your bank receives all of this information, they approve or deny the addition of your credit or debit card to Apple Pay.

Upon approval:

  • You receive a device-specific, encrypted, Device Account Number that even Apple cannot decrypt.
  • Device Account Number is added to your device’s Secure Element. (The Secure Element is a certified chip that safely stores your payment information and is entirely separate from iOS and watchOS).
  • Basically, your information is never stored on Apple Pay servers and is never backed up to iCloud.

All of this means that Apple does not actually have access to your credit or debit card details. Apple Pay simply stores part of your card number and part of your Device Account Number, together with a description of your card, in order to differentiate your cards from one another and help you manage your mobile wallet. Should someone gain access to your Apple Wallet, they cannot actually access enough information to make a purchase, online or in-store.


Using Apple Pay

In order to use Apple Pay from your iPhone you must enter either a passcode or use the Touch ID that you have previously set up. For Apple Watch payments you must be wearing the watch so Apple Pay can authenticate you through Wrist Detect.
When making the payment, neither Apple nor your device sends all of your credit or debit card information; they don’t even send your card numbers. Instead, your unique and encrypted Device Account Number is sent.

What if I lose my phone?

No need to worry, Apple have your back.

  • You can use a more traditional method by phoning your bank and asking them to remove the card from your Apple Wallet.
  • Otherwise, as long as you have ‘Find My iPhone’ enabled, you can either put the phone into ‘Lost Mode’, which will automatically remove your credit or debit cards from your Apple Wallet,
  • Or you can wipe the phone entirely to remove all data you have stored on it, including anything within your mobile wallet.


Source: Apple Support, 2016 (https://support.apple.com/en-us/HT201472)
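
A simplified model of the flow described above, added here as an illustration and not Apple's or any bank's code: the bank-side vault is the only place a Device Account Number maps back to the card, so removing a lost phone disables that device's number while the same card on a watch keeps working. The class and function names, the random 16-digit number format and the last-four suffixes are assumptions.

```python
import secrets


class IssuerTokenVault:
    """Constructed model of the bank side: the only place a Device Account
    Number (DAN) maps back to the real card number."""

    def __init__(self):
        self._tokens = {}  # DAN -> {"pan", "device", "active"}

    def provision(self, pan, device_id):
        # Assumption: a DAN is a random 16-digit value, never derived from the card.
        dan = pan
        while dan == pan or dan in self._tokens:
            dan = "".join(secrets.choice("0123456789") for _ in range(16))
        self._tokens[dan] = {"pan": pan, "device": device_id, "active": True}
        return dan

    def authorize(self, dan):
        entry = self._tokens.get(dan)
        return bool(entry and entry["active"])

    def remove_device(self, device_id):
        # Bank call, Lost Mode or remote wipe: only this device's DANs are disabled.
        for entry in self._tokens.values():
            if entry["device"] == device_id:
                entry["active"] = False


def wallet_entry(pan, dan, description):
    # Display data only: partial numbers (assumed last four) and a description.
    return {"card": pan[-4:], "dan": dan[-4:], "description": description}


def demo():
    pan = "4111111111111111"  # constructed test number, not a real account
    vault = IssuerTokenVault()
    phone_dan = vault.provision(pan, "phone")
    watch_dan = vault.provision(pan, "watch")
    wallet = wallet_entry(pan, phone_dan, "Constructed debit card")
    sent_to_terminal = [phone_dan, watch_dan]  # the card number is never sent
    before = (vault.authorize(phone_dan), vault.authorize(watch_dan))
    vault.remove_device("phone")  # the phone is lost
    after = (vault.authorize(phone_dan), vault.authorize(watch_dan))
    return {"wallet": wallet, "sent": sent_to_terminal, "pan": pan,
            "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```
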

 

Compare all of this to a traditional wallet and a plastic card

  • Someone could watch you enter your PIN before they steal your card.
  • They could practise your signature from the back of the card until it looks similar once they have possession of your card (because let’s be honest, how often do they actually check your signature?).
  • Or they could shop online using all the details provided on the card itself on websites that don’t ask for a password.

So now that you trust Apple Pay, get in touch with us if you’re looking for cool experiences using it with mobile wallet and leave your comments below!

https://support.apple.com/en-gb/HT203027