A Comprehensive Outline of the Security Behind Apple Pay

by

Apple has described its new Apple Pay payments service, which is designed to be the first step towards the company's goal of replacing the wallet, as "easy, secure, and private." Apple Pay includes several different features that offer customers much greater security than a traditional credit card, including Device Account Numbers that replace credit card numbers, dynamic security codes for each transaction, and biometric payment verification through the use of Touch ID.

Ahead of the release of Apple Pay, TUAW's Yoni Heisler has taken an in-depth look at the security features built into the payments service, outlining the ways Apple is safeguarding customer information.

While Apple Pay is built on existing NFC technology, Heisler's research suggests it is the first implementation of the EMVCo tokenization specification, a newly introduced security framework designed to cover emerging payment methods. According to former credit card executive Tom Noyes, this specification is "the most secure payments scheme on the planet."

applepaytouchid
As previously rumored, Apple Pay utilizes a "token," which the company refers to as a Device Account Number, to replace a user's existing credit card number on the iPhone. A randomized 16-digit number, the Device Account Number ensures that no merchant is able to obtain a user's credit card number, protecting consumers from retail security breaches, as TUAW points out, because tokens are randomized numbers that cannot be decrypted back into a credit card number.

Device Account Numbers, or tokens, are paired with a dynamically generated one-time use code that replaces the credit card's CCV with every transaction.

Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.

As noted by Heisler, a Device Account Number can't be used in a transaction without an accompanying one-time use cryptogram, which verifies that the "token in transit originated from the device being used." Cryptograms also carry transaction information like the merchant's identity and the amount of money being charged.

The transaction comprising the Device Account Number and accompanying cryptogram is further verified through the use of Touch ID, which essentially replaces insecure verification methods like passwords and PINs.

According to a credit card executive who spoke to TUAW, token transactions as implemented by Apple "are a new and much higher standard of security for electronic payments."

The amount of security built into provisioning tokens and supporting transactions is a new standard that I think will definitely shift fraud patterns going forward.

Apple Pay is expected to go live in October, enabled through an update to iOS 8. Hints of Apple Pay have already been found in the iOS 8.1 beta, which was seeded to developers on Monday. TUAW's full look at the security behind Apple Pay, which covers tokens, Touch ID, and more, is well worth a read.

Related Roundup: Apple Pay
Related Forum: Apple Music, Apple Pay/Card, iCloud, Fitness+

Popular Stories

AirPods Pro Firmware Feature

Apple Releases New Firmware for AirPods Pro 2, AirPods Pro 3, and AirPods 4

Thursday November 13, 2025 11:35 am PST by
Apple today released new firmware designed for the AirPods Pro 3, the AirPods 4, and the prior-generation AirPods Pro 2. The AirPods Pro 3 firmware is 8B25, while the AirPods Pro 2 and AirPods 4 firmware is 8B21, all up from the prior 8A358 firmware released in October. There's no word on what's include in the updated firmware, but the AirPods Pro 2, AirPods 4 with ANC, and AirPods Pro 3...
Read Full Article67 comments
CarPlay Pinned Messages

iOS 26.2 Adds New CarPlay Setting

Thursday November 13, 2025 6:48 am PST by
iOS 26 extended pinned conversations in the Messages app to CarPlay, for quick access to your most frequent chats. However, some drivers may prefer the classic view with a list of individual conversations only, and Apple now lets users choose. Apple released the second beta of iOS 26.2 this week, and it introduces a new CarPlay setting for turning off pinned conversations in the Messages...
Read Full Article24 comments
iPhone Pocket Short

iPhone Pocket Now Available to Order, But Already Selling Out

Friday November 14, 2025 6:20 am PST by
Apple recently teamed up with Japanese fashion brand ISSEY MIYAKE to create the iPhone Pocket, a limited-edition knitted accessory designed to carry an iPhone. iPhone Pocket is available to order on Apple's online store starting today, in the United States, France, China, Italy, Japan, Singapore, South Korea, and the United Kingdom. However, it is already completely sold out in the United...
Read Full Article188 comments
tvOS 26 Profiles

tvOS 26.2 Adds a Useful New Feature to Your Apple TV

Friday November 14, 2025 10:02 am PST by
Starting with the upcoming tvOS 26.2 update, currently in beta, additional profiles created on the Apple TV no longer require their own Apple Account. In the Settings app on the Apple TV, under Profiles and Accounts, anyone can create a new profile by simply entering a name and indicating whether the profile is for a kid. The profile will be associated with the primary user's Apple Account,...
Read Full Article
Tim Cook WWDC 2018

Report: Tim Cook to Step Down as Apple CEO 'as Soon as Next Year'

Saturday November 15, 2025 2:40 pm PST by
Apple is preparing for Tim Cook to step down as CEO of the company "as soon as next year," according to the Financial Times. The company's board of directors and senior executives "recently intensified preparations for Cook to hand over the reins," the report said. While the report said that Apple is unlikely to name a new CEO before its next earnings report in late January, it went on to ...
Read Full Article407 comments
walmart new ornametns

Walmart Black Friday Deals Begin Today With Low Prices on Headphones, TVs, and More

Friday November 14, 2025 7:55 am PST by
Walmart's Black Friday sale has officially kicked off today, with an online shopping event that's also seeing some matching deals in retail locations. There are quite a few major discounts in this sale, including savings on headphones, TVs, and more. Note: MacRumors is an affiliate partner with Walmart. When you click a link and make a purchase, we may receive a small payment, which helps us...
Read Full Article13 comments
apple silicon mac lineup 2024 feature purple m5

Apple's 2026 Mac Plans

Friday November 14, 2025 3:23 pm PST by
Most of Apple's Macs are slated to get M5 chips across 2026, and there's a possibility we'll even see the first M6 chips toward the end of the year. Updates are planned for everything from the MacBook Air to the Mac Studio. MacBook Air (Early 2026) The MacBook Air will be one of the first Macs to get a 2026 refresh, with an update planned for the first few months of the year. The MacBook...
Read Full Article149 comments
iOS 26

iOS 26.2 Available Next Month With These 8 New Features

Tuesday November 11, 2025 9:48 am PST by
Apple released the first iOS 26.2 beta last week. The upcoming update includes a handful of new features and changes on the iPhone, including a new Liquid Glass slider for the Lock Screen's clock, offline lyrics in Apple Music, and more. In a recent press release, Apple confirmed that iOS 26.2 will be released to all users in December, but it did not provide a specific release date....
Read Full Article68 comments
best early black friday deals

Best Black Friday Apple Deals Live Now - Save on AirPods, iPads, and Apple Watches

Saturday November 15, 2025 1:45 pm PST by
We're officially in the month of Black Friday, which will take place on Friday, November 28 in 2025. As always, this will be the best time of the year to shop for great deals, including popular Apple products like AirPods, iPad, Apple Watch, and more. In this article, the majority of the discounts will be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When ...
Read Full Article1 comments
homepod mini thumb feature

New HomePod Mini, Apple TV, and AirTag Were Expected This Year — Where Are They?

Wednesday November 12, 2025 11:42 am PST by
While it was rumored that Apple planned to release new versions of the HomePod mini, Apple TV, and AirTag this year, it is no longer clear if that will still happen. Back in January, Bloomberg's Mark Gurman said Apple planned to release new HomePod mini and Apple TV models "toward the end of the year," while he at one point expected a new AirTag to launch "around the middle of 2025." Yet,...
Read Full Article119 comments

Top Rated Comments

GeneralChang Avatar
GeneralChang
145 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

You mean that convoluted system that required a perfect copy of the persons fingerprint and something like four hours of fabrication? I wouldn't really call that "hacked." By the time they got a dummy fingerprint made up, I'd have realized my phone was missing and locked it via iCloud.
Score: 45 Votes (Like | Disagree)
vpndev Avatar
vpndev
145 months ago
Gw

And for all the Google Wallet fans out there, tokenization is a key differentiator between Apple Pay and Google Wallet.

So please lay off the comments saying that you've been using this for years. You haven't.

However I don't expect that Google will dawdle with incorporation of tokenization (which is an EMV standard - by no means exclusive to Apple). A decent fingerprint reader might take longer.
Score: 31 Votes (Like | Disagree)
taptic Avatar
taptic
145 months ago
Apple: setting the example of security and privacy for Google and the NSA since forever.
Score: 26 Votes (Like | Disagree)
ptb42 Avatar
ptb42
145 months ago
Let's get this out of the way now...

No, a merchant doesn't have to sign up for :apple:pay. All of this is done on the back-end, by the credit card processing networks and the card-issuing banks.

If a merchant supports contactless card payments (PayWave, ExpressPay, PayPass), they can accept payments from your iPhone 6.

Merchants have to replace their point-of-sale terminals before 10/2015 anyway, if they haven't already done so. If their terminal doesn't accept EMV chip cards, the merchant will assume liability for fraudulent transactions.

The only determining factor is whether a merchant chooses to spend a bit extra money to add the NFC option to their point-of-sale terminal.

I'm tired of all the people complaining about "deficiencies" in :apple:pay, when they clearly don't even know how it is being implemented. Go read the referenced article, if you don't yet get it.
Score: 14 Votes (Like | Disagree)
taptic Avatar
taptic
145 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?
The chances of their being a psycho that starts shooting people in public are probably higher than a psyhco chopping peoples fingers off to shop with at CVS.

And no, people replicated someones fingerprint, but they need to have the original and a lot of time and patience. It's not much of a hack really...
Score: 13 Votes (Like | Disagree)
greytmom Avatar
greytmom
145 months ago
Folks, if you are being held at gun or knife point so that a thief can get your pin or password, you've got bigger issues than the thief going on a shopping spree.
Score: 10 Votes (Like | Disagree)
Read All Comments