A mobile payment system is only as secure as its weakest link... and in the case of Apple Pay, it's the banks' ability to verify who you are. The Guardian has learned that thieves are setting up iPhones with stolen IDs and taking advantage of lackadaisical identity checks (often just a part of the social security number) to provision victims' cards for Apple Pay. After that, it's open season -- crooks just have to claim that the legitimate card owner is on a trip to go on a shopping spree.
Apple Pay itself is still airtight at last check, so you shouldn't have to worry about surprise purchases as long as you're still in control of your ID. However, the exploits (which have reportedly led to "millions" in losses) suggest that banks should have a tougher verification standard for mobile payment platforms like this, including future systems like Android Pay. Otherwise, the same tech that saves you from pulling out your wallet will also make theft that much easier.