Featured Writer Phillip Jackson breaks down everything you need to know about Apple Pay.
One of the most exciting things Apple introduced at their iPhone 6 announcement was Apple Pay. Over the last several days, I have been digging through Apple’s Dev Center and website looking for more information on this system. To get most of my questions answered, I had to dig up the patent for Apple Pay. If you want, give it a look for yourself. Just don’t blame me when your eyes start to bleed from the overlap of data and all of the scenarios covered. Or, as I promised in last week’s iPhone Round-up, you can keep reading as I break down this not-so-well-documented technology into the basic bits and clarify as much as possible. Let’s get to it!
- Which Payment Providers support this service?
- Which payment networks are supported?
- Visa, MasterCard, and American Express
- Which card types are supported?
- Both credit and debit cards from the major issuing banks are supported.
- How much does it cost to accept Apple Pay?
- Apple does not charge users, merchants or developers to use Apple Pay for payments. Your credit and debit transactions will continue to be handled by the payment networks.
Overview of How Apple Pay Works
Apple Pay relies on an Apple app called Passbook to capture your credit and debit card information. It is currently available to iOS7 users and can store gift cards, boarding passes, flight tickets, etc. But Passbook’s newest version in iOS8 has been upgraded to also store credit and debit cards. This can be done by either manually entering the card info or taking a picture of the card. You can also add a new card through your iTunes or iCloud account. Passbook syncs and stores your credit and debit card information into the Secure Element, which is found inside your shiny new iPhone 6 or 6 Plus. Once inside the Secure Element, the information is kept away from the core application processor, which should keep malicious software from accessing it.
Step by Step Through In-Store Payment Process
Items are scanned into the Point of Sale device (POS) as usual. When it’s time for you to provide your payment, you open Passbook and select the card with which you’d like to pay. Next, you authenticate yourself to that card by using your fingerprint or passcode that you’re provided when storing it, and then tap your phone to the store’s card reader. This initiates a connection to the store’s back-end servers, at which point a WiFi connection is attempted to that store’s payment provider. If a WiFi connection can be made, your card data, which is stored in the Secure Element, is encrypted and transferred to the payment provider. If a WiFi connection cannot be made through the POS or externally, the information is transferred by way of the NFC connection. The payment provider, who has the keys to unlock and decrypt your data, does so if needed and completes the transaction. Once completed, a confirmation will be sent to the store’s back-end POS servers, effectively completing the sale. It is during this time that any rewards, coupons or other store-related notifications will take place on your phone.
Web and In-App Payment Process
The only difference in the process for in-app style payments or payments through websites is the use of the NFC chip. All transactions are performing through your WiFi connection and all data transmitted is encrypted.
A Slight Hiccup in Apple Pay’s Giddy-Up
Now that is simple enough, but I have some problems with the above outlined method. Notice that when the credit card data is transmitted to the payment provider it is encrypted. Well, that would mean that it is not encrypted while stored within the Secure Element, wouldn’t it? Looking into this further, I read the following on Apple’s website:
With Apple Pay, instead of using your actual credit and debit card numbers when you add your card to Passbook, a unique Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in iPhone.
Ok, that sounds like the data stored in Secure Element is encrypted. But then I read the following lines from the patent:
“In one example, the portable device can make purchases by using NFC to wirelessly establish a secure link with the point of sale device, which is connected to a back-end system configured to execute commercial transactions, e.g. a bank, acquirer, or the like. This secure link using NFC can be established by positioning the portable device to be within close proximity of (within 3 to 6 cm of) the point of sale device. In this example, credit card information is sent by the Secure Element as plaintext (i.e., not encrypted) data directly to the NFC. The plaintext data is not sent to the application processor.”
The above excerpt leaves me to believe that the data which is stored in the Secure Element is not encrypted when saved through Passbook. Did you notice that the entire transaction took place through NFC? This is possible, as outlined above, but later in this same section it’s stated that this is not the ideal scenario for its use because the transaction will be extremely slow and the data is not as secure as it could be.
Actually, the data is only encrypted by the Secure Element once a WiFi connection is made and just before it is transferred to the payment provider.
What is this “Secure Element” Thing?
Given all this, what exactly is the purpose of this “Secure Element” thing we have all read so much about? In the iPhone 6 and 6 Plus, Apple has included a new chip, or ROM, called the Secure Element. This chip is actually a separate piece of hardware. As I mentioned above, it creates a separate area away from the core processor of the phone to keep your credit card data. Think of it as a safety deposit box. Honestly, it’s a pretty good idea.
Final Take-Away and Wrap-up
What are we to make of all of this? Given that our data is not actually encrypted within the Secure Element, why even use it? What is the point?
The whole premise behind Apple Pay using the Secure Element is to keep the data that is stored on your phone as secure as possible. This is done by the simplest of solutions: keep ’em separated. By keeping your most confidential information completely separate from the rest of the application process, they are in fact making your transactions more secure when executed from your phone. Apple is taking a very simplistic approach to malicious software getting on your device and intercepting your data, and sometimes the simplest of approaches is the best. Remember, to achieve the most security with Apple Pay you must have access to a WiFi connection. Without that, this is only marginally more secure than swiping your card at the POS. There are some examples outlined in the patent that do show that the NFC connection can be used as a means to gain access to a WiFi connection, and this would allow for a fully secure and encrypted transaction. We will just have to make sure at what level each establishment supports Apple Pay.
I think, in its first iteration, Apple Pay is a genius idea. However, given the fact that the data is not stored in an encrypted fashion at all times, it does have its flaws. If I was building a website, I would not store my users’ passwords (or anything else that is deemed confidential) in plaintext. Maybe Apple did not take these measures on the iPhone 6 and 6 Plus because of space limitations on the Secure Element. Hopefully in the next iPhone they will expand this feature and make it even better than it is right now.
Until next time, “Keep your sights clear, your code clean and your arrows sharp!”
Here’s lots of other things you can also do: