Attacks/Breaches

9/11/2014
01:00 PM
Apple Pay: A Necessary Push To Transform Consumer Payments

Apple Pay is a strategic move that will rival PayPal and other contenders in the mobile wallet marketplace. The big question is whether consumers and businesses are ready to ditch the plastic.

On Tuesday, Apple announced an exciting new feature, Apple Pay, a mobile wallet payment system available on the new iPhone 6 and Apple Watch devices. My initial reaction to the announcement was "Not another mobile wallet option!" After researching implementation details, my attitude quickly changed and I became intrigued.

Apple Pay enables a safe and secure transaction between Apple devices and a retailer’s contactless payment reader or online storefront. The consumer avoids the tedious step of swiping a card or entering card numbers and passwords, since the card is already stored in Passbook, an application first introduced in iOS 6.

What’s important is how Apple Pay replaces the theft-prone credit card number with a unique Device Account Number stored securely on a special chip in the device, then pairs that number with a transaction-specific dynamic security code. Because each security code is good for only one transaction, an intercepted transaction cannot be reused to commit fraud. This is the most obvious benefit, and it parallels the protection EMV provides against the chip being copied.

Another, less obvious, security benefit Apple Pay has over EMV is that sensitive card data is never handled by the merchant. As demonstrated in my recent Black Hat USA presentation, EMV passes plain-text card data to point-of-sale systems, where it can later be stolen by RAM scrapers and used to commit fraud. With Apple Pay, the physical phone becomes the sole point of potential exploitation. Hopefully, Apple has implemented significant and sophisticated measures into protecting card data stored in the iPhones' Passbook from theft or unauthorized use. Regardless, removing sensitive payment data from the merchants’ hands is a necessary step to solve the increased breach epidemic retailers have been facing.

What’s especially bold is Apple’s move to bypass the payment processors that have been used for decades. POS and online ordering systems integrated to support Apple Pay can send the Device Account Number and the dynamic transaction security code directly to the card issuer for approval. In essence, Apple is creating its own secure payment network to facilitate its proprietary payment technology.
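The flow described in the last three paragraphs, as an added toy model (not Apple's code or protocol, and every name and message field is an assumption): the phone holds only a Device Account Number and a key, each payment carries a one-time code bound to the token, the amount and a counter, the merchant relays the message without ever seeing the card number, and the issuer rejects both a replayed code and a code whose amount was altered in transit.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
# Added illustrative model of the scheme the article describes (a Device Account
# Number plus a one-time dynamic code); not Apple's real protocol or formats.

def dynamic_code(key: bytes, dan: str, amount_cents: int, counter: int) -> str:
    """Transaction-specific security code bound to token, amount and counter."""
    msg = f"{dan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

@dataclass
class Issuer:
    """Issuer vault: maps each token to the real card number and device key."""
    vault: dict = field(default_factory=dict)

    def provision(self, pan: str) -> tuple:
        dan = "DAN" + secrets.token_hex(6)  # the token stands in for the PAN
        key = secrets.token_bytes(32)
        self.vault[dan] = {"pan": pan, "key": key, "last_counter": 0}
        return dan, key

    def authorize(self, dan: str, amount_cents: int, counter: int, code: str) -> bool:
        rec = self.vault.get(dan)
        if rec is None:
            return False
        expected = dynamic_code(rec["key"], dan, amount_cents, counter)
        if not hmac.compare_digest(expected, code):
            return False  # forged code, or the amount was altered in transit
        if counter <= rec["last_counter"]:
            return False  # a code that was already used once buys nothing twice
        rec["last_counter"] = counter
        return True

@dataclass
class Device:
    """The phone: holds only the token and its key, never the card number."""
    dan: str
    key: bytes
    counter: int = 0

    def pay(self, amount_cents: int) -> dict:
        self.counter += 1
        code = dynamic_code(self.key, self.dan, amount_cents, self.counter)
        return {"dan": self.dan, "amount": amount_cents, "counter": self.counter, "code": code}

def merchant_forward(issuer: Issuer, msg: dict) -> bool:
    """The merchant POS sees and relays only the token and one-time code."""
    return issuer.authorize(msg["dan"], msg["amount"], msg["counter"], msg["code"])
```

A RAM scraper on the merchant side would capture only the token, a spent counter and a code the issuer will never honour again.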

Long history of failure
Unfortunately, adoption will be a significant challenge. Past attempts to change consumer payment behavior form a long list of failures. For example, contactless payments were rolled out on a limited basis by embedding a rice-grain-sized RFID chip in credit cards, which the purchaser waves in front of the terminal instead of swiping the magnetic stripe. Adoption in the United States was abysmal. More recently, mobile wallet offerings such as Visa payWave used NFC for contactless payments in stores but gained little traction beyond pilot implementations.

Apple Pay is a strategic move to expand further into the major mobile wallet marketplace to rival PayPal and other contenders. The big question is whether Apple can succeed in convincing consumers and businesses to ditch the plastic. They both need compelling benefits to justify the behavioral changes. For example, Starbucks successfully leveraged its mobile application with payment capabilities to enhance the customer experience and drive its loyalty program.

One way Apple could incentivize adoption is by providing loyalty points for purchases made using Apple Pay, redeemable in the form of Apple Store purchases. Consumers would get rewarded for making the switch while driving increased traffic to the Apple stores. This in turn would generate demand for merchants to support Apple Pay. Finally, by eliminating the payment processors from the transaction flow, retailers would reap greater benefits with lower processing fees and increased cost savings that yield higher profits.

If successful, Apple Pay would cement Apple’s dominance across the user experience and extend its domain to mobile payments where the biggest potential is in the rapid adoption of m-commerce, defined as shopping online from handheld devices. Forrester Research projects m-commerce in the United States to top $293 billion by 2018.

Lucas Zaichkowsky is the Enterprise Defense Architect at AccessData, responsible for providing expert guidance on the topic of cyber security. Prior to joining AccessData, Lucas was a technical engineer at Mandiant where he worked with Fortune 500 organizations, the Defense ...

Comments
Marilyn Cohodas, User Rank: Strategist
9/12/2014 | 7:46:20 AM
Device Account Number
Lucas, I really like this concept and it sounds very promising, but I'm not sure I totally understand how it works. So, for each transaction, Apple Pay creates a unique "Device Account Number" that is stored in the SIM card in your iPhone. But where does the Device Account Number come from? From the card company?

Dr.T, User Rank: Ninja
9/11/2014 | 8:53:35 PM
Re: The entire article falls apart at "Hopefully"
I hear you. I would think they would either hash or encrypt data at rest. They would not be able to take a risk of credit card numbers being compromised. This is more regulated than the pictures we uploaded to iCloud, which nobody really cares about unless you are a celebrity.

Dr.T, User Rank: Ninja
9/11/2014 | 8:49:36 PM
Re: The entire article falls apart at "Hopefully"
I agree, handing over the credit card would be more risky than using NFC with your iPhone.

Dr.T, User Rank: Ninja
9/11/2014 | 8:47:17 PM
Two-factor
I like the article, thanks for sharing it. I will most likely use Apple Pay simply because it is convenient. However, we should not assume that the solution is secure enough that we feel comfortable. Keep in mind that the credit card itself provides two-factor authentication and is unconnected; our iPhones may not provide the same capabilities because they are connected.

anon7578423912, User Rank: Apprentice
9/11/2014 | 4:41:51 PM
Re: The entire article falls apart at "Hopefully"
We're already at risk of credit card data theft. I have an iPhone, and I'd rather pay via Apple Pay or a similar service than hand out my card to all kinds of merchants out there. I have actually been carrying more cash on hand lately with all the security breaches going on.

dkoobfhlbc, User Rank: Apprentice
9/11/2014 | 1:52:20 PM
The entire article falls apart at "Hopefully"
From the article:

"Hopefully, Apple has implemented significant and sophisticated measures into protecting card data stored in the iPhones' Passbook from theft or unauthorized use. Regardless, removing sensitive payment data from the merchants' hands is a necessary step to solve the increased breach epidemic retailers have been facing."

If Apple can't keep private data (pictures and backups) safe, what makes you think they can keep your personal finance information safe?

Let's all jump on the Apple bandwagon as quickly as humanly possible because Apple can do no wrong, or when they do, it's no big deal.

I understand this puts progress in a crux and I don't have a perfect answer, but I fear for the sheeple that will blindly follow and potentially expose themselves to the risk of giving up their credit card information.