The Apple Pay Revolution Has Started

On October 20, 2014 Apple released an update to iOS that enables Apple Pay. This may have been the first day of the revolution against hackers that many of us have been waiting for. And it may be a revolution that ultimately affects many of us in our day-to-day IAM lives. Why do I feel this strongly about Apple Pay? A number of reasons:

  1. Apple is a market maker and as such they are one of the few companies that can change how we - the consumer - spend our money. Just like they revolutionized the mobile phone they have the capability to revolutionize mobile payments.
  2. Hackers are generally motivated by money. Is there really a point to being a hacker if you can't profit from it?
  3. Credit card numbers (and other important information) are the stock-in-trade of the hacker. Hacking systems to access credit card records is the easiest way to get massive numbers of credit card numbers.

What's in it for Apple? Well, Forrester forecasts that US mobile payments will reach $90B in 2017, a 48% compound annual growth rate (CAGR) from the $12.8B spent in 2012 and if Apple were getting a penny on every transaction - well, you do the math.

I don't think I need to provide you links to any of the recent hacks that uncovered millions of credit card numbers as there's been more than enough publicity of them. So how will Apple Pay revolutionize mobile payments? For one thing, your actual credit card number won't be stored on your iPhone. When you add a credit or debit card to Apple Pay it is encrypted and sent to Apple servers. Apple then decrypts the data, determines your card’s payment network, and re-encrypts the data with a key that only your payment network can unlock. Once your bank approves the use of your card for Apple Pay a device-specific Device Account Number is created, encrypted, and sent along with other data to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store payment information safely. The Device Account Number in the Secure Element is unique to your device and to each card added. It’s isolated from iOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites. Apple doesn’t store or have access to the card numbers you added to Apple Pay. Apple Pay only stores a portion of your actual card numbers and a portion of your Device Account Numbers, along with a card description, to help you manage your cards.

The most important aspect of Apple Pay is that your credit card is not sent to the merchant when you use Apple Pay - the only thing that is sent is a non-reusable secure token. The merchant that accepts your payment passes this token on to your issuing card company (i.e., Bank of America) for decryption and payment. Even if your merchant stored the token it would be useless to the hacker since the token isn't re-usable. This has the effect of "reducing the surface area of attack". You, the Apple Pay user, will not care about the next massive break-in where hackers capture millions of credit card numbers. The hackers job will more difficult the more Apple Pay gains acceptance and usage. Aside from paying cash, I think that Apple Pay will be my default choice for payment so I sure hope that usage spreads. As a consumer, I want Apple Pay to be very successful.

We also win from a privacy perspective. Neither Apple, nor the merchant, know anything about me. They don't know my name because that is not provided to them by Apple Pay. They just know I authorized a payment. So tracking who I am and what I spend my money on is hidden from everyone involved. Imagine the heartburn that all those marketing and data collection people are going to suffer?

Eddie Cue from Apple explains the security behind Apple Pay in this video which you should check out. Another great article that explains how Apple Pay could make credit card breaches a thing of the past can be found in PC World here. The Wall Street Journal also has an article related to the reporter's usage of Apple Pay here.

How might Apple Pay benefit us folks in the IAM trenches? If companies are able to integrate the secure element/Apple Pay into their solutions any Apple Pay-enabled phone could be used as a second factor for authentication. Nothing is released without confirmation via a biometric swipe so not only do you have possession of the device but you also have to authorize the transaction. A transaction could be a logon via a VPN to your corporate network or the release of a password. Anywhere you might use a token you could be able to use Apple Pay. Another example is Dell laptops. Many are NFC-enabled. Apple Pay is NFC-based. Imagine walking up to your Dell laptop and it unlocking from your screen saver for you? And vice-versa: You walk away and when your are far enough away your screen saver locks your machine automatically.

Like all revolutions they take a bit of time to build up steam. I'm waiting on my iPhone 6 Plus so I can start using Apple Pay. In the meantime, Apple signed up 1 million Apple Pay accounts in the first 72 hours of operation. How many will they have by the end of 2015?

About the Author