
New iPhone could herald change to payments security landscape 

Sep 11, 2014 01:07 PM


Apple is moving into the payments market with the announcement of a contactless payments service for its new iPhone 6. The company yesterday announced two new iPhone models and an accompanying Apple Watch and also unveiled details of Apple Pay, which will allow users to make payments using near field communication (NFC) wireless technology.

Rather than creating its own payments infrastructure, Apple has inked deals with Visa, MasterCard, American Express, and a number of major card-issuing banks, which will see payments made using the new iPhone routed through existing payment card networks.

One touch payments
Users of the new iPhone 6 will be able to pay for goods and services by holding their phone near a contactless reader without having to unlock the mobile device or launch an app. The reader will verify the payment and the user’s identity after the user holds their finger on Apple’s Touch ID fingerprint sensor.

Apple said that actual credit and debit card numbers are not used to process transactions. Instead, when a user adds a card to Apple Pay, a unique “Device Account Number” is added to the phone and stored securely on a dedicated chip. These numbers are never transmitted to Apple servers. When the user makes a payment, the Device Account Number and a one-time, transaction-specific “dynamic security code” are used to process the payment.

While contactless payments and NFC integration on smartphones are not new, their arrival on the iPhone signals that the technology may begin to go mainstream. This will naturally draw the attention of attackers. Recent major credit card breaches in the US have focused on payment card terminals. Malware installed on point-of-sale (PoS) terminals has, in some cases, yielded huge hauls of customer payment card details.

Improved payment security?
According to Gartner, the arrival of Apple Pay may be welcomed by merchants worried about PoS breaches. Using Apple Pay means that consumers won’t have to store payment card data on their phones. Instead, when they are ready to pay for something, their card issuer would provide the phone with a one-time token that would initiate the payment process. 

“Token numbers are not considered credit card numbers and there are lots of security benefits to merchants when they do not accept, store or transmit actual credit card numbers,” said Gartner’s Avivah Litan, who added that the scope of the merchants’ payment card industry (PCI) compliance audit would be greatly reduced. Litan said that merchants could potentially avoid payment card data breaches since criminals can’t reuse token numbers and thus won’t bother stealing them.
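A simplified model of the scheme described above (a Device Account Number plus a one-time dynamic security code), added here as an illustration and not Apple's or any card network's actual algorithm. It shows why a token and code captured at a PoS terminal cannot be replayed or altered. Assumptions: the code is an HMAC-SHA256 over a per-device counter and the amount, and the names `Device`, `Issuer` and `dynamic_code` are hypothetical.

```python
import hashlib
import hmac
import secrets


def dynamic_code(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """One-time code binding the token to this counter value and amount."""
    # Assumption: HMAC-SHA256 stands in for the real, unspecified algorithm.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Device:
    """Holds the token and key (stands in for the phone's dedicated chip)."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents: int) -> dict:
        self._counter += 1  # every payment uses a fresh counter value
        code = dynamic_code(self._key, self.token, self._counter, amount_cents)
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}


class Issuer:
    """Maps tokens to keys and tracks the highest counter already accepted."""

    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def provision(self, token: str) -> Device:
        key = secrets.token_bytes(32)  # shared only by issuer and device
        self._keys[token], self._last_counter[token] = key, 0
        return Device(token, key)

    def authorize(self, tx: dict) -> str:
        key = self._keys.get(tx["token"])
        if key is None:
            return "declined: unknown token"
        if tx["counter"] <= self._last_counter[tx["token"]]:
            return "declined: replayed transaction"
        expected = dynamic_code(key, tx["token"], tx["counter"], tx["amount_cents"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad code"
        self._last_counter[tx["token"]] = tx["counter"]
        return "approved"
```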

However, Gartner suggested that Apple may have further work to do to ensure widespread adoption of Apple Pay. Merchant rather than consumer acceptance is often the arbiter of success. Since merchants are already investing heavily in moving to EMV (chip and PIN) terminals or point-to-point encryption (P2PE), Apple may need to sweeten the deal, for example by lowering merchant fees.

Other experts have also suggested that NFC mobile payments could quell PoS breaches. “Given that Apple is arguably the sleeping giant of digital wallets, this could reduce the impact of PCI DSS [Data Security Standard] for the merchant considerably,” Branden Williams of Sysnet Global Solutions told Forbes. “If a retailer only accepts transactions via the NFC P2PE Terminal, they could conceivably take the majority of their infrastructure out of scope, and remove the big target on their back”.

Systems such as Apple Pay certainly address some of the weaknesses that have facilitated recent attacks on PoS systems. However, this should not be cause for complacency, since attackers will usually look for other weaknesses once one avenue of attack has been closed off. Should Apple Pay take off as a payment method, attackers are likely to rigorously test the security in place around NFC payments.
