Apple Pay: An in-depth look at what's behind the secure payment system
With Apple Pay slated to go live later this month, one can soon expect to see an avalanche of fear mongering from pundits who, like PayPal, will question the wisdom of trusting Apple with user credit card information.
The reality, though, is that Apple Pay is an exceedingly secure mobile payment platform. In fact, it may very well be the safest way to make any type of credit card payment. To understand why, below is a general overview of how the system works behind the scenes. Note that this article is meant to paint the Apple Pay process in broad strokes, as a good portion of the nitty-gritty technical details aren't yet publicly known and, due to security considerations, may never be fully disclosed.
In putting this post together, I was able to talk to a few individuals involved with the development of Apple Pay who were able to shed a tiny bit of light on Apple's foray into the world of mobile payments. Additionally, a number of the technical aspects of the financial and logistical processes that govern Apple Pay can be gleaned from the EMV Payment Tokenisation Specification Technical Framework which can be downloaded here.
That said, here's how Apple Pay operates and why it's so secure.
Credit Card information isn't part of the equation
With Apple Pay, no credit card data -- even in encrypted form -- is ever stored on the iPhone or on Apple's servers. Similarly, no credit card data is ever transmitted to or stored on a merchant's servers.
When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it's safely stored within the iPhone's Secure Element.
The token is used in place of an actual credit card number and is what Apple, in its marketing materials, refers to as a unique Device Account Number.
What the heck is a token?
The token itself, as implemented in Apple Pay, is a randomly generated and unique 16-digit number that ostensibly resembles a valid credit card number but is, in fact, fundamentally useless on its own. Think of the token as nothing more than a placeholder or reference ticket for your actual credit card information. The only thing a token has in common with its corresponding credit card number is the last 4 digits on the card.
A 2012 white paper from First Data on the benefits of tokenization reads:
The token can be used just like the original card number for business functions such as returns, sales reports, marketing analysis, recurring payments, and so on, but cannot be used to conduct a fraudulent transaction outside the merchant environment. The aim of tokenization is to remove the card information from the merchant environment as completely and quickly as possible (thus addressing the root cause of data security issues) while maintaining existing business processes.
Tokens by themselves are worthless and cannot be decrypted
The key thing to remember about tokens is that they hold no intrinsic value and cannot be used, by themselves, to perform any type of monetary transaction. Over and above that, it's likely that Apple Pay tokens are not mathematically derived from the card number, which is to say that they can't be decrypted back into a credit card number because encryption isn't even part of the equation. Put differently, there exists no master key to reverse engineer them. Instead, there's what is effectively a master index. When a credit card is loaded into Apple Pay, the credit card data is replaced with a randomly generated string that only the token issuer (in this case the credit card networks) can map back to the credit card account.
You could hand the most talented hackers or cryptographers a list of millions of token numbers and it would be of no value to them.
As an additional layer of security, there are mechanisms in place to ensure that the token itself is bound to the phone on which it's stored and can never be used from another device.
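To make the "master index" idea concrete, here is an added illustration (not Apple's, EMVCo's or any card network's code) of a token vault: the token is drawn from a CSPRNG, shares only its last 4 digits with the card number, is shaped to pass the Luhn check so it looks like a card number to existing systems, and can be mapped back only by consulting the vault that issued it, and only for the device it was provisioned to. The vault layout, the device-binding check and the names (TokenVault, SAMPLE_PAN, the device ids) are assumptions made for the example; the sample PAN is a standard test number, not a real account.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample card number: the widely used "4111 1111 1111 1111" test PAN,
# not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial` followed by that digit valid.

    Working from the rightmost digit of `partial` (the one that will sit
    immediately left of the check digit), every second digit is doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the number's last digit is the correct Luhn check digit."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Model of the token service provider's 'master index' (assumed structure).

    The mapping token -> (PAN, device) lives only here. There is no key that
    turns a token back into a card number; the only way back is this lookup.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, Tuple[str, str]] = {}

    def tokenize(self, pan: str, device_id: str) -> str:
        """Issue a fresh random 16-digit token sharing only the last 4 digits with `pan`."""
        last4 = pan[-4:]
        while True:
            # 12 random leading digits from a CSPRNG: nothing about the PAN is encoded.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = prefix + last4
            # Keep sampling until the result is Luhn-valid (so it looks like a card
            # number to existing systems) and collides with neither the real PAN
            # nor an already-issued token.
            if token != pan and token not in self._by_token and luhn_valid(token):
                break
        self._by_token[token] = (pan, device_id)
        return token

    def detokenize(self, token: str, device_id: str) -> Optional[str]:
        """Map a token back to its PAN, but only for the device it was provisioned to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != device_id:
            return None
        return entry[0]


def demo() -> dict:
    """Provision a token and show what someone holding only the token can recover."""
    network_vault = TokenVault()  # the card network's index
    token = network_vault.tokenize(SAMPLE_PAN, device_id="iphone-A")

    # A copy of the token (say, from a breached merchant) comes with no index to consult.
    somebody_elses_vault = TokenVault()

    return {
        "token": token,
        "looks_like_a_card": luhn_valid(token),
        "shares_only_last4": token[-4:] == SAMPLE_PAN[-4:] and token[:-4] != SAMPLE_PAN[:-4],
        "issuer_can_map": network_vault.detokenize(token, "iphone-A") == SAMPLE_PAN,
        "other_device_cannot": network_vault.detokenize(token, "iphone-B") is None,
        "without_index_cannot": somebody_elses_vault.detokenize(token, "iphone-A") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the second vault is the one the article makes: a list of tokens handed to an outsider is a list of random numbers, because the only thing that relates a token to a card is a row in a table the outsider does not have.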
The mechanics of an Apple Pay transaction
Once a transaction is underway, the iPhone sends the token (which again, acts as a stand-in for the real credit card information) to the merchant which, in turn, sends it to the credit card network where it is mapped back to the corresponding credit card account that created it. The card network ultimately contacts the issuing bank for authorization. If the card is approved, the issuing bank sends a message all the way back down the line to the merchant indicating that all systems are go and the transaction can proceed.
This process is leaps and bounds safer than traditional credit card terminals because merchants transact exclusively in tokens and are never in possession of user credit card information.
With a service like Apple Pay in use, large credit card breaches at companies like Target and Home Depot become ancient history because there are no credit card numbers to steal in the first place. What's more, Apple Pay's use of tokens eliminates common threats such as man-in-the-middle attacks and good ole' fashioned credit card skimming because, again, actual credit card information never touches the merchant.
The use of a token, though, is just one part of the puzzle that makes Apple Pay so secure.
Additional layers of security - Touch ID and cryptograms
Per the aforementioned EMV Payment Tokenisation Specification, completing a token-based transaction from a mobile device requires a form of personal authentication, which is where the simplicity of Touch ID rears its beautiful head. Instead of having to clumsily enter in a one-time password (static authentication data such as a PIN cannot be used), the payment process is finalized when a user authorizes it with Touch ID.
But there's a whole lot more to Apple Pay than Touch ID and the simple handing off of tokens. Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is an algorithmically-generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.
The important thing to remember, though, is that the cryptogram is effectively a one-time use digital signature that verifies that the token in transit originated from the device being used. Additionally, the cryptogram includes pertinent transaction data such as the identity of the merchant and how much is being charged.
There are two important facts here to remember:
Tokens cannot be used without an accompanying cryptogram
The cryptogram ensures that a token can only be used from the device on which it was initially loaded
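The two facts above can be exercised end to end in a small model. What follows is an added example, not code from Apple, EMVCo or any card network, and since the article notes that the real cryptogram's components are not public, the construction here is an assumption: an HMAC-SHA256 over the token, merchant, amount and a per-token transaction counter, keyed with a secret that is created at provisioning and held only by the card network and the one device's Secure Element. The class and field names (DeviceWallet, CardNetwork, Transaction, the merchant id and token value) are likewise constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    """What the merchant and network see: a token plus transaction data, never a PAN."""
    token: str
    merchant_id: str
    amount_cents: int
    counter: int  # per-token transaction counter, incremented by the device each payment


def compute_cryptogram(key: bytes, tx: Transaction) -> str:
    """HMAC-SHA256 over the token and transaction data (assumed construction, not Apple's)."""
    msg = f"{tx.token}|{tx.merchant_id}|{tx.amount_cents}|{tx.counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DeviceWallet:
    """Models the token and its key held in the phone's Secure Element."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token = token
        self._key = key  # never leaves the device in this model
        self._counter = 0

    def pay(self, merchant_id: str, amount_cents: int, touch_id_ok: bool) -> Tuple[Transaction, str]:
        """Produce transaction data plus a fresh cryptogram, gated on user authentication."""
        if not touch_id_ok:
            raise PermissionError("payment requires Touch ID authorization")
        self._counter += 1
        tx = Transaction(self.token, merchant_id, amount_cents, self._counter)
        return tx, compute_cryptogram(self._key, tx)


class CardNetwork:
    """The only party besides the provisioned device that knows the per-token key."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def provision(self, token: str) -> DeviceWallet:
        """Create a per-token key at provisioning time and hand it to exactly one device."""
        key = secrets.token_bytes(32)
        self._keys[token] = key
        self._last_counter[token] = 0
        return DeviceWallet(token, key)

    def authorize(self, tx: Transaction, cryptogram: Optional[str]) -> Tuple[bool, str]:
        """Approve only what is proven to come from the provisioned device, fresh and unmodified."""
        key = self._keys.get(tx.token)
        if key is None:
            return False, "unknown token"
        if cryptogram is None:
            return False, "missing cryptogram"
        if not hmac.compare_digest(compute_cryptogram(key, tx), cryptogram):
            return False, "cryptogram mismatch"
        if tx.counter <= self._last_counter[tx.token]:
            return False, "replayed cryptogram"
        self._last_counter[tx.token] = tx.counter
        return True, "approved"


def run_scenarios() -> Dict[str, str]:
    """A genuine payment followed by the failure modes the two facts above describe."""
    network = CardNetwork()
    token = "4000123456781111"  # constructed token value
    phone = network.provision(token)
    results: Dict[str, str] = {}

    # 1. Normal purchase: token + cryptogram, authorized with Touch ID.
    tx, cg = phone.pay("MERCHANT-42", 1999, touch_id_ok=True)
    results["genuine"] = network.authorize(tx, cg)[1]

    # 2. The token alone (what a breached merchant database would hold) buys nothing.
    bare = Transaction(token, "MERCHANT-42", 1999, counter=2)
    results["token_only"] = network.authorize(bare, None)[1]

    # 3. The same token loaded on a different device, which lacks the provisioned key.
    other_device = DeviceWallet(token, secrets.token_bytes(32))
    tx2, cg2 = other_device.pay("MERCHANT-42", 1999, touch_id_ok=True)
    results["other_device"] = network.authorize(tx2, cg2)[1]

    # 4. Presenting the captured genuine transaction a second time.
    results["replay"] = network.authorize(tx, cg)[1]

    # 5. The amount altered after the cryptogram was produced.
    results["tampered_amount"] = network.authorize(replace(tx, amount_cents=199900), cg)[1]
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The counter is what makes the cryptogram one-time use in this model: the network remembers the highest counter it has accepted per token, so a captured transaction verifies correctly but is refused as stale. Because the merchant id and amount are inside the MAC, the network also detects a transaction whose details changed in transit.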
Fleshing this out a bit more, I spoke to Steve Mott of BetterBuyDesign -- a former MasterCard executive who now writes for Digital Transactions -- who added the following details:
The network 'unravels' the cryptogram, then ships the transaction information to the issuer for authorization. The key is the merchant sees NO account information but has the final four digits of the PAN [CC number] as an account identifier to use as a mechanism for tracking volume/activity per account. The only dynamic part of the token is the cryptogram, generated per transaction; the rest is static token data, but largely worthless without the cryptogram.
Apple Pay will help usher in a new standard for mobile payment security
Highlighting the improved safety that Apple Pay provides, Tom Noyes -- a former credit card executive who has an excellent series of in-depth posts about the world of mobile payments -- said the following in the wake of Apple's Apple Pay announcement.
Apple is the first implementation of the new EMVCo tokenization specification. In my view this is a giant LEAP beyond EMV chip and PIN, and is now (by far) the most secure PAYMENTS scheme on the planet.
Mott was similarly excited about the prospect of Apple Pay, noting that while it remains to be seen how well the service scales, Apple "raised the bar and made transacting without a token no longer an option."
Noyes' statement brings up an interesting point, namely that the fundamental aspects of Apple Pay weren't concocted in Cupertino. Rather, Apple Pay was designed in accordance with an emerging token-based mobile payments standard which aims to increase security and reduce the incidence of fraud. To that end, Apple is getting into the mobile payments space at just the right time. So while Apple isn't necessarily inventing the wheel here, Apple Pay again represents the first real implementation, on a massive scale no less, of the relatively fresh tokenization specification.
That said, it's not as if Apple took the easy way out and simply developed Apple Pay to conform to the most general requirements for token-based transactions. On the contrary, sources at two top credit card companies who helped work on the implementation of Apple Pay told me that large technical teams from Apple, credit card companies, and banking institutions worked tirelessly over the past few months to implement additional layers of security into the Apple Pay platform. This jibes with recent reports detailing the immense effort put into the platform from the likes of Visa and JP Morgan Chase.
A credit card executive involved with development of Apple Pay told me:
Token transactions as they have been implemented for Apple are a new and much higher standard of security for electronic payments. The amount of security built into provisioning tokens and supporting transactions is a new standard that I think will definitely shift fraud patterns going forward.
What this means for consumers
While it remains to be seen if Apple Pay catches on with consumers, there should be no doubt that Apple Pay is an extremely safe way to make a credit card payment. In fact, it's likely much safer than how most users are currently making credit card payments today.
Remember that merchants in an Apple Pay transaction never have access to user credit card information and, as a result, users never have to worry about their information being compromised in a security breach. Further, security at the device level is effectively impenetrable as tokens, along with the encrypted keys responsible for the cryptogram, are all securely stored in the Secure Element.
And as an extra security precaution, iPhone owners will have the ability to unlink or temporarily suspend a token connected to a stolen device, thereby rendering Apple Pay inoperable until the device is retrieved.
So while the Apple Pay user experience has been set up to be impressively simple, there are a myriad of complex safety measures at work behind the scenes to help ensure that sensitive user data remains free from prying eyes. The use of token-based payments is something the banks have been pushing for and something the credit card networks are similarly excited for.
The only variable, really, is how consumers take to it. Safety, though, shouldn't be a concern.