A Comprehensive Outline of the Security Behind Apple Pay

by

Apple has described its new Apple Pay payments service, which is designed to be the first step towards the company's goal of replacing the wallet, as "easy, secure, and private." Apple Pay includes several different features that offer customers much greater security than a traditional credit card, including Device Account Numbers that replace credit card numbers, dynamic security codes for each transaction, and biometric payment verification through the use of Touch ID.

Ahead of the release of Apple Pay, TUAW's Yoni Heisler has taken an in-depth look at the security features built into the payments service, outlining the ways Apple is safeguarding customer information.

While Apple Pay is built on existing NFC technology, Heisler's research suggests it is the first implementation of the EMVCo tokenization specification, a newly introduced security framework designed to cover emerging payment methods. According to former credit card executive Tom Noyes, this specification is "the most secure payments scheme on the planet."

applepaytouchid
As previously rumored, Apple Pay utilizes a "token," which the company refers to as a Device Account Number, to replace a user's existing credit card number on the iPhone. A randomized 16-digit number, the Device Account Number ensures that no merchant is able to obtain a user's credit card number, protecting consumers from retail security breaches, as TUAW points out, because tokens are randomized numbers that cannot be decrypted back into a credit card number.

Device Account Numbers, or tokens, are paired with a dynamically generated one-time use code that replaces the credit card's CCV with every transaction.

Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.

As noted by Heisler, a Device Account Number can't be used in a transaction without an accompanying one-time use cryptogram, which verifies that the "token in transit originated from the device being used." Cryptograms also carry transaction information like the merchant's identity and the amount of money being charged.

The transaction comprising the Device Account Number and accompanying cryptogram is further verified through the use of Touch ID, which essentially replaces insecure verification methods like passwords and PINs.

According to a credit card executive who spoke to TUAW, token transactions as implemented by Apple "are a new and much higher standard of security for electronic payments."

The amount of security built into provisioning tokens and supporting transactions is a new standard that I think will definitely shift fraud patterns going forward.

Apple Pay is expected to go live in October, enabled through an update to iOS 8. Hints of Apple Pay have already been found in the iOS 8.1 beta, which was seeded to developers on Monday. TUAW's full look at the security behind Apple Pay, which covers tokens, Touch ID, and more, is well worth a read.

Related Roundup: Apple Pay
Related Forum: Apple Music, Apple Pay/Card, iCloud, Fitness+

Popular Stories

Apple Shopping Event 2025

Apple Announces 2025 Black Friday Event, Here's What You Can Get

Thursday November 20, 2025 6:28 am PST by
Apple's annual four-day Black Friday through Cyber Monday shopping event is returning on Friday, November 28 through Monday, December 1 in many countries, including the United States, Canada, Australia, New Zealand, France, Germany, Italy, Spain, the United Kingdom, Belgium, the Netherlands, Sweden, Thailand, and others. During the shopping event, customers can get an Apple gift card with...
Read Full Article41 comments
iOS 26

iOS 26.2 Adds These New Features to Your iPhone

Thursday November 20, 2025 10:50 am PST by
iOS 26.2 is currently in beta testing. The upcoming update includes a handful of new features and changes on the iPhone, including a new Liquid Glass slider for the Lock Screen's clock, offline lyrics for Apple Music, and more. In a recent press release, Apple confirmed that iOS 26.2 will be released to all users in December, but it did not provide a specific release date. Keep reading...
Read Full Article27 comments
hikawa phone grip stand apple%402x

Apple Launches Second Limited-Edition iPhone Accessory in a Month

Friday November 21, 2025 3:53 am PST by
Apple has begun selling the Hikawa Phone Grip and Stand, a new limited-edition iPhone accessory designed with accessibility in mind. Designed by LA-based Bailey Hikawa to celebrate the 40th anniversary of accessibility at Apple, the grip uses magnets to securely snap onto any iPhone with MagSafe. Apple says it can be removed with ease, and doubles as a stand with two different viewing...
Read Full Article127 comments
iPhone 17 Pro Cosmic Orange

10 Reasons to Wait for Next Year's iPhone 18 Pro

Wednesday November 19, 2025 4:00 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article104 comments
ipad black friday 2025

The Best Early Black Friday iPad Deals

Thursday November 20, 2025 10:20 am PST by
Black Friday is just over a week away, and iPad deals have finally started to flood in at retailers like Amazon and Best Buy. Below we're tracking discounts on every current generation iPad, including lowest-ever prices on M3 iPad Air and M5 iPad Pro, plus steep markdowns on iPad and iPad mini. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a ...
Read Full Article7 comments
watchos 26 workout app

Apple Watch Users Claim Workout App Is Now Worse in Every Way

Thursday November 20, 2025 7:01 am PST by
Apple Watch owners have been voicing their frustration online over changes to the Workout app that Apple introduced in watchOS 26, with many finding the redesigned interface makes starting exercises difficult and exasperating. When Apple launched watchOS 26 in September, the Workout app went from large, easily tapped workout tiles to a scrolling, corner-button interface. Instead of tapping a ...
Read Full Article229 comments
ipad mini 7 feature red and blue

iPad Mini 8: Four Major New Features to Expect

Wednesday November 19, 2025 7:50 am PST by
Apple's eighth-generation iPad mini is highly likely to arrive next year, offering a significant refresh of the device with at least four major new features. OLED Display The next-generation version of the iPad mini could feature an OLED display, as part of Apple's plan to expand the display technology across many more of its devices. Apple's first OLED device was the Apple Watch in 2015, ...
Read Full Article67 comments
apple wallet drivers license feature iPhone 15 pro

Two More U.S. States Commit to Offering iPhone Driver's Licenses in Apple Wallet App

Thursday November 20, 2025 8:21 am PST by
In select U.S. states, residents can add their driver's license or state ID to the Apple Wallet app on the iPhone and Apple Watch, and then use it to display proof of identity or age at select airports and businesses, and in select apps. Earlier this week, Illinois became the 13th state in the U.S. to offer the feature. Subsequently, we shared a list of additional states that are committed...
Read Full Article38 comments
android iphone airdrop quickshare

iPhone Users Can Now AirDrop Files to Android Devices

Thursday November 20, 2025 9:47 am PST by
Google today announced a new cross-platform feature that allows for file sharing between iPhone and Android users. With AirDrop on the iPhone and QuickShare on Pixel 10 devices, there is a new file transfer function available. The file sharing option works on Apple devices that include iPhone, iPad, and Mac, along with the Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, and Pixel 10 Fold....
Read Full Article124 comments

Top Rated Comments

GeneralChang Avatar
GeneralChang
145 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

You mean that convoluted system that required a perfect copy of the persons fingerprint and something like four hours of fabrication? I wouldn't really call that "hacked." By the time they got a dummy fingerprint made up, I'd have realized my phone was missing and locked it via iCloud.
Score: 45 Votes (Like | Disagree)
vpndev Avatar
vpndev
145 months ago
Gw

And for all the Google Wallet fans out there, tokenization is a key differentiator between Apple Pay and Google Wallet.

So please lay off the comments saying that you've been using this for years. You haven't.

However I don't expect that Google will dawdle with incorporation of tokenization (which is an EMV standard - by no means exclusive to Apple). A decent fingerprint reader might take longer.
Score: 31 Votes (Like | Disagree)
taptic Avatar
taptic
145 months ago
Apple: setting the example of security and privacy for Google and the NSA since forever.
Score: 26 Votes (Like | Disagree)
ptb42 Avatar
ptb42
145 months ago
Let's get this out of the way now...

No, a merchant doesn't have to sign up for :apple:pay. All of this is done on the back-end, by the credit card processing networks and the card-issuing banks.

If a merchant supports contactless card payments (PayWave, ExpressPay, PayPass), they can accept payments from your iPhone 6.

Merchants have to replace their point-of-sale terminals before 10/2015 anyway, if they haven't already done so. If their terminal doesn't accept EMV chip cards, the merchant will assume liability for fraudulent transactions.

The only determining factor is whether a merchant chooses to spend a bit extra money to add the NFC option to their point-of-sale terminal.

I'm tired of all the people complaining about "deficiencies" in :apple:pay, when they clearly don't even know how it is being implemented. Go read the referenced article, if you don't yet get it.
Score: 14 Votes (Like | Disagree)
taptic Avatar
taptic
145 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?
The chances of their being a psycho that starts shooting people in public are probably higher than a psyhco chopping peoples fingers off to shop with at CVS.

And no, people replicated someones fingerprint, but they need to have the original and a lot of time and patience. It's not much of a hack really...
Score: 13 Votes (Like | Disagree)
greytmom Avatar
greytmom
145 months ago
Folks, if you are being held at gun or knife point so that a thief can get your pin or password, you've got bigger issues than the thief going on a shopping spree.
Score: 10 Votes (Like | Disagree)
Read All Comments