How Apple Pay Mitigates Breach Fatigue

Apple released iOS 8.1 yesterday which includes Apple Pay for those using an iPhone 6 or 6 Plus. Given the rash of data breaches recently, it makes sense to be a little bit wary of blindly handing over credit card information without a reasonable understanding of what it entails. 

Start here: Kirk Lennon posted a fantastic breakdown of the current non-cash payment situation: why the magnetic stripe is a bad idea, how "Chip and PIN" in the rest of the world and "Chip and Signature" in the US address the problems with the stripe, and what Apple Pay does that makes all of this even easier and more secure. In case you're wondering why it's Chip and Signature in the States, the explanation usually given is that with offline PIN verification the PIN is stored on the card's chip, and setting that PIN can't be done over the phone or online; it has to be done at an ATM capable of reading the chip and writing the PIN to it. Since there are virtually no ATMs here with that capability, the US went with Chip and Signature rather than trying to replace nearly every ATM in the country.

A Passbook full of Apple Pay cards.

In short, Apple Pay lets you pay with your credit card, but NOT with your credit card number. Instead, the bank issues a token (Apple calls it a Device Account Number) that is stored in the Secure Element on your phone and looks like a regular card number. That token, along with a one-time, transaction-specific security code generated on the phone, is what travels through the merchant and the card network to the bank as payment information. This way, even if someone finds a way to read the "card number," it does them no good: it isn't your real card number, and the single-use security code turns each transaction into a disposable piece of information. Sort of like having a box of Kleenex, but for credit cards. Pull one out, use it once, and once you've used it, it's basically worthless to anyone who wants to use it after you.

Macworld also has an article about how NFC (Near Field Communication, or The Payment Method Android Tried To Turn Into A Thing That People Used) spoofing attacks exist, but even if an attacker managed to capture an Apple Pay transaction over the air, what they would get is a token and a security code that was only ever good for that one transaction, so the data doesn't do them any good. If you want to dig deeper, you can check out Apple's iOS Security documentation.
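To make the "disposable card number" idea concrete, here is an added example that models the two properties the previous paragraphs describe: the merchant only ever sees a token instead of the real card number, and each payment carries a one-time code bound to a counter and amount, so a captured transaction (from a breached merchant or an NFC sniffer) cannot be replayed or altered. This is illustrative code written for this post, not Apple's or any card network's implementation; the HMAC-over-counter construction, the `TokenService` and `Device` names, and the sample card number are assumptions made for the demonstration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample PAN (the standard Visa test number, not a real account).
REAL_PAN = "4111111111111111"


def cryptogram(key: bytes, token: str, atc: int, amount_cents: int) -> str:
    """One-time security code: a MAC over the token, the transaction counter
    and the amount. Simplified stand-in for an EMV-style cryptogram (assumption)."""
    msg = f"{token}|{atc}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Device:
    """Toy stand-in for the phone's Secure Element: it holds the token and a
    per-device key, never the real PAN, and bumps a counter on every payment."""
    token: str
    key: bytes
    atc: int = 0  # application transaction counter

    def make_payment(self, amount_cents: int) -> dict:
        self.atc += 1
        return {
            "token": self.token,
            "atc": self.atc,
            "amount": amount_cents,
            "code": cryptogram(self.key, self.token, self.atc, amount_cents),
        }


class TokenService:
    """Toy token vault on the issuer side: maps tokens back to real PANs and
    rejects anything that is not a fresh, correctly-MACed transaction."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_atc"}

    def provision(self, pan: str) -> Device:
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_atc": 0}
        return Device(token=token, key=key)

    def authorize(self, msg: dict):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False, "unknown token"
        if msg["atc"] <= entry["last_atc"]:
            return False, "replayed or stale counter"
        expected = cryptogram(entry["key"], msg["token"], msg["atc"], msg["amount"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False, "bad security code"
        entry["last_atc"] = msg["atc"]
        return True, f"approved for card ending {entry['pan'][-4:]}"


def run_scenario() -> dict:
    """Legitimate purchase, then the three things a thief could try with a
    captured copy of it. Returns a summary so the outcomes can be checked."""
    issuer = TokenService()
    phone = issuer.provision(REAL_PAN)

    purchase = phone.make_payment(1999)            # what the merchant sees
    approved, _ = issuer.authorize(purchase)

    replay = dict(purchase)                         # breached merchant replays it
    replay_ok, _ = issuer.authorize(replay)

    forged = dict(purchase, atc=purchase["atc"] + 1, amount=1)  # bump counter, change amount
    forged_ok, _ = issuer.authorize(forged)

    next_ok, _ = issuer.authorize(phone.make_payment(500))      # real phone still works

    return {
        "merchant_saw_real_pan": REAL_PAN in str(purchase),
        "purchase_approved": approved,
        "replay_approved": replay_ok,
        "forgery_approved": forged_ok,
        "next_purchase_approved": next_ok,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The issuer's view is the interesting part: it checks the counter before it even bothers with the MAC, so a straight replay is rejected without revealing anything, and a forged message with a fresh counter fails because the thief never had the per-device key. The real token does not have to be secret for this to hold; it just has to be useless on its own.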

Apple Pay sounds like an exciting proposition even now, having officially been available for less than 24 hours. It's easy to set up, easy to use, and since I'm not handing my account information to a merchant, a merchant breach is much less likely to leave me with yet another new credit card number and a list of places to update it. Everywhere. Again. The real card number still exists at the bank, of course; it just no longer passes through every register I tap. Everybody wins!