iPhone 6

Apple Pay could make Target, Home Depot style breaches a thing of the past

Life
Apple's iPhone 6. Image: Apple

12 September 2014

The launch of Apple’s mobile payment system could prove a turning point in the battle to secure your debit and credit card information from hackers.

Tens of millions of card numbers have been stolen in the last few months from malware-infected payment terminals in stores including Target and Home Depot. The thefts were possible in part because the card information gets stored in an unencrypted form inside the terminals.

The system Apple has announced uses a payment standard based on Near Field Communication (NFC) technology. When users of its new iPhone 6 and iPhone 6 Plus smart phones walk into a store, they will be able to wave their phone over an NFC reader to complete a purchase.

The system, which relies in part on Apple’s Touch ID biometric technology to verify the user’s identity, could finally replace a payment technology that’s been in use for five decades.

“Whether it’s a credit or debit card, we’re totally reliant on the exposed numbers and the outdated and vulnerable magnetic stripe interface,” Apple CEO Tim Cook said Tuesday when he introduced his company’s alternative, called Apple Pay.

The contactless “tap and go” system relies on a new payment technology called tokenisation. In place of your payment card number, a 16-digit proxy is stored in a security chip in the phone. That number, which is the token, is given to the retailer when a purchase is made, meaning your actual payment card number does not get handed around.

The retailer sends the token through its payment network to Visa, Mastercard or American Express. Those card issuers identify the number as a token and pass it to a trusted third party, which converts it to the original card number and sends it back to the issuer.

That conversion happens deep within the payment network, several levels removed from the retailers’ payment systems that are the target of many hacking attempts today.

“The real processing happens in a much more secure environment,” said Steve Mathison, vice president of payment acceptance at First Data, an Atlanta-based payment systems provider.

“When the real [card number] is exposed, it’s at the last minute and only to the issuer,” he said. “The merchant doesn’t have it and the [retailer’s payment network] doesn’t have it.”

Additional pieces of data, unique to the transaction and the user, are incorporated to prevent a token from being reused for a second transaction, even if it is stolen.

The US banking industry has started to end its reliance on magnetic stripe cards in favour of chip-based cards already popular in Europe, but that is not enough for some.

In July, the National Retail Federation called on the industry to adopt tokenisation to “move the US payments system in the right direction toward mitigating payment card fraud and identity theft.”

Contactless NFC systems have been slow to take off, but Apple Pay could help change that, especially if it’s as easy to use as Tim Cook demonstrated in his Tuesday keynote. Users simply hold their thumb on the Touch ID sensor and tap the phone against a payment terminal.

The NFC technology is based on a standard developed by credit card companies that’s already in use at about 220,000 locations in the US Google Wallet also uses NFC but hasn’t employed tokenisation. It also hasn’t been widely adopted by consumers.

According to Cook, that’s because the solutions today don’t focus enough on the user experience. “We love this kind of problem. This is exactly what Apple does best.”

A successful roll out of Apple Pay would accelerate competition and help hasten the roll out of NFC terminals, said John Beatty, president of engineering at Clover Networks, which produces payment terminals for retailers. The company is already advertising systems that accept Apple Pay.

“In my opinion, it could be a tipping point,” he said. “The US is moving to chip and sign … so you insert a chip card and it takes a little bit of time to authorise and you still need a signature. If you instead have people pull out their phones, put their thumb on the Touch ID and pay, it’s a more pleasant and faster payment experience.”

 

 

Martyn Williams, IDG News Service

Read More:


Back to Top ↑

TechCentral.ie