Apple Pay: An in-depth look!
Quote:
The mechanics of an Apple Pay transaction
Once a transaction is underway, the iPhone sends the token (which again, acts as a stand-in for the real credit card information) to the merchant which, in turn, sends it to the credit card network where it is mapped back to the corresponding credit card account that created it. The card network ultimately contacts the issuing bank for authorization. If the card is approved, the issuing bank sends a message all the way back down the line to the merchant indicating that all systems are go and the transaction can proceed.
This process is leaps and bounds safer than traditional credit card terminals because merchants transact exclusively in tokens and are never in possession of user credit card information.
With a service like Apple Pay in use, large credit card breaches at companies like Target and Home Depot become ancient history because there are no credit card numbers to steal in the first place. What's more, Apple Pay's use of tokens eliminates common threats such as man-in-the-middle attacks and good ole' fashioned credit card skimming because, again, actual credit card information never touches the merchant.
The use of a token, though, is just one part of the puzzle that makes Apple Pay so secure.
|
Quote:
Additional layers of security - Touch ID and cryptograms
Per the aforementioned EMV Payment Tokenisation Specification, completing a token-based transaction from a mobile device requires a form of personal authentication, which is where the simplicity of Touch ID rears its beautiful head. Instead of having to clumsily enter in a one-time password (static authentication data such as a PIN cannot be used), the payment process is finalized when a user authorizes it with Touch ID.
But there's a whole lot more to Apple Pay than Touch ID and the simple handing off of tokens. Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is an algorithmically generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely comprised of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.
The important thing to remember, though, is that the cryptogram is effectively a one-time use digital signature that verifies that the token in transit originated from the device being used. Additionally, the cryptogram includes pertinent transaction data such as the identity of the merchant and how much is being charged.
There are two important facts here to remember:
Tokens cannot be used without an accompanying cryptogram
The cryptogram ensures that a token can only be used from the device on which it was initially loaded
|
Quote:
Apple Pay will help usher in a new standard for mobile payment security
Highlighting the improved safety that Apple Pay provides, Tom Noyes -- a former credit card executive who has an excellent series of in-depth posts about the world of mobile payments -- said the following in the wake of Apple's Apple Pay announcement.
Apple is the first implementation of the new EMVCo tokenization specification. In my view this is a giant LEAP beyond EMV chip and PIN, and is now (by far) the most secure PAYMENTS scheme on the planet.
|
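The token-plus-cryptogram checks described in the quoted article, sketched as an added example that is not part of the original post and is not Apple's or EMVCo's actual scheme. Because the real cryptogram's components are not public, HMAC-SHA256 over the token, merchant, amount and a counter is used as a stand-in; all names and values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption): nothing here comes from Apple or EMVCo.
VAULT = {"tok-4111": "PAN-REDACTED-0001"}            # card network: token -> account
DEVICE_KEYS = {"tok-4111": secrets.token_bytes(32)}  # key provisioned with the token
LAST_COUNTER = {"tok-4111": 0}                       # highest counter accepted so far


def make_cryptogram(key, token, merchant, amount_cents, counter):
    """Device side: MAC binding the token to this merchant, amount and counter."""
    msg = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(token, merchant, amount_cents, counter, cryptogram):
    """Card-network side: verify the cryptogram before mapping token to account."""
    key = DEVICE_KEYS.get(token)
    if key is None or not cryptogram:
        return "declined: token without a valid cryptogram"
    expected = make_cryptogram(key, token, merchant, amount_cents, counter)
    if not hmac.compare_digest(expected, cryptogram):
        return "declined: cryptogram mismatch"
    if counter <= LAST_COUNTER[token]:
        return "declined: cryptogram already used"
    LAST_COUNTER[token] = counter
    # Only the network resolves the token; the merchant never sees the account.
    return f"approved: forwarded {VAULT[token]} to issuer"


def demo():
    token, key = "tok-4111", DEVICE_KEYS["tok-4111"]
    good = make_cryptogram(key, token, "shop-17", 2599, 1)
    other_device = make_cryptogram(secrets.token_bytes(32), token, "shop-17", 2599, 2)
    return [
        authorize(token, "shop-17", 2599, 1, good),          # genuine payment
        authorize(token, "shop-17", 2599, 1, good),          # same message replayed
        authorize(token, "shop-99", 99900, 2, good),         # reused for another charge
        authorize(token, "shop-17", 2599, 2, ""),            # token alone
        authorize(token, "shop-17", 2599, 2, other_device),  # key from another device
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```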