A Comprehensive Outline of the Security Behind Apple Pay

by

Apple has described its new Apple Pay payments service, which is designed to be the first step towards the company's goal of replacing the wallet, as "easy, secure, and private." Apple Pay includes several different features that offer customers much greater security than a traditional credit card, including Device Account Numbers that replace credit card numbers, dynamic security codes for each transaction, and biometric payment verification through the use of Touch ID.

Ahead of the release of Apple Pay, TUAW's Yoni Heisler has taken an in-depth look at the security features built into the payments service, outlining the ways Apple is safeguarding customer information.

While Apple Pay is built on existing NFC technology, Heisler's research suggests it is the first implementation of the EMVCo tokenization specification, a newly introduced security framework designed to cover emerging payment methods. According to former credit card executive Tom Noyes, this specification is "the most secure payments scheme on the planet."

applepaytouchid
As previously rumored, Apple Pay utilizes a "token," which the company refers to as a Device Account Number, to replace a user's existing credit card number on the iPhone. A randomized 16-digit number, the Device Account Number ensures that no merchant is able to obtain a user's credit card number, protecting consumers from retail security breaches, as TUAW points out, because tokens are randomized numbers that cannot be decrypted back into a credit card number.

Device Account Numbers, or tokens, are paired with a dynamically generated one-time use code that replaces the credit card's CCV with every transaction.

Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.

As noted by Heisler, a Device Account Number can't be used in a transaction without an accompanying one-time use cryptogram, which verifies that the "token in transit originated from the device being used." Cryptograms also carry transaction information like the merchant's identity and the amount of money being charged.

The transaction comprising the Device Account Number and accompanying cryptogram is further verified through the use of Touch ID, which essentially replaces insecure verification methods like passwords and PINs.

According to a credit card executive who spoke to TUAW, token transactions as implemented by Apple "are a new and much higher standard of security for electronic payments."

The amount of security built into provisioning tokens and supporting transactions is a new standard that I think will definitely shift fraud patterns going forward.

Apple Pay is expected to go live in October, enabled through an update to iOS 8. Hints of Apple Pay have already been found in the iOS 8.1 beta, which was seeded to developers on Monday. TUAW's full look at the security behind Apple Pay, which covers tokens, Touch ID, and more, is well worth a read.

Related Roundup: Apple Pay
Related Forum: Apple Music, Apple Pay/Card, iCloud, Fitness+

Popular Stories

iPhone 17 Pro in Hand Feature Lowgo

iPhone 17 Pro to Reverse iPhone X Design Decision

Monday July 7, 2025 9:46 am PDT by
Since the iPhone X in 2017, all of Apple's highest-end iPhone models have featured either stainless steel or titanium frames, but it has now been rumored that this design decision will be coming to an end with the iPhone 17 Pro models later this year. In a post on Chinese social media platform Weibo today, the account Instant Digital said that the iPhone 17 Pro models will have an aluminum...
Read Full Article130 comments
iOS 26 Feature

Everything New in iOS 26 Beta 3

Monday July 7, 2025 1:20 pm PDT by
Apple is continuing to refine and update iOS 26, and beta three features smaller changes than we saw in beta 2, plus further tweaks to the Liquid Glass design. Apple is gearing up for the next phase of beta testing, and the company has promised that a public beta is set to come out in July. Transparency In some apps like Apple Music, Podcasts, and the App Store, Apple has toned down the...
Read Full Article239 comments
imac video apple feature

Apple Launching These 15+ Products Later This Year

Sunday July 6, 2025 8:05 am PDT by
The calendar has turned to July, meaning that 2025 is now more than half over. And while the summer months are often quiet for Apple, the company still has more than a dozen products coming later this year, according to rumors. Below, we have outlined at least 15 new Apple products that are expected to launch later this year, along with key rumored features for each. iPhone 17 Series iPho...
Read Full Article32 comments
iphone 16 pro models 1

Here's How the iPhone 17 Pro Max Will Compare to the iPhone 17 Pro

Saturday July 5, 2025 1:00 pm PDT by
Apple should unveil the iPhone 17 series in September, and there might be one bigger difference between the Pro and Pro Max models this year. As always, the Pro Max model will be larger than the Pro model:iPhone 17 Pro: 6.3-inch display iPhone 17 Pro Max: 6.9-inch displayGiven the Pro Max is physically larger than the Pro, it has more internal space, allowing for a larger battery and...
Read Full Article89 comments
iPhone Car Key Kia

Here's Which Vehicles Offer iPhone Car Keys

Sunday July 6, 2025 3:03 pm PDT by
In 2020, Apple added a digital car key feature to its Wallet app, allowing users to lock, unlock, and start a compatible vehicle with an iPhone or Apple Watch. The feature is currently offered by select automakers, including Audi, BMW, Hyundai, Kia, Genesis, Mercedes-Benz, Volvo, and a handful of others, and it is set to expand further. Apple has a web page with a list of vehicle models that ...
Read Full Article107 comments
iphone 17 pro render majin bu

New iPhone 17 Pro Renders Highlight Apple Logo and MagSafe Design Changes

Sunday July 6, 2025 8:43 pm PDT by
New renders today provide the best look yet relocated Apple logo and redesigned MagSafe magnet array of the iPhone 17 Pro and iPhone 17 Pro Max. Image via Majin Bu. Several of the design changes coming to the iPhone 17 Pro model have been rumored for some time, such as the elongated camera bump that spans the full width of the device, with the LiDAR Scanner and flash moving to the right side. ...
Read Full Article112 comments
iPhone 17 Pro in Hand Feature Lowgo

iPhone 17 Pro Coming Soon With These 14 New Features

Friday July 4, 2025 1:05 pm PDT by
Apple's next-generation iPhone 17 Pro and iPhone 17 Pro Max are just over two months away, and there are plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models. Latest Rumors These rumors surfaced in June and July:Apple logo repositioned: Apple's logo may have a lower position on the back of the iPhone 17 Pro models, compared to previous...
Read Full Article72 comments
apple account card feature

Apple Account Card Expanding to More Countries

Tuesday July 8, 2025 7:34 pm PDT by
Apple is expanding the ability to add an Apple Account Card to the Wallet app to more countries, according to backend Apple Pay changes. With iOS 15.5, Apple updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an Apple gift card, for example, it is added to an Apple Account that is also...
Read Full Article25 comments

Top Rated Comments

GeneralChang Avatar
GeneralChang
141 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

You mean that convoluted system that required a perfect copy of the persons fingerprint and something like four hours of fabrication? I wouldn't really call that "hacked." By the time they got a dummy fingerprint made up, I'd have realized my phone was missing and locked it via iCloud.
Score: 45 Votes (Like | Disagree)
vpndev Avatar
vpndev
141 months ago
Gw

And for all the Google Wallet fans out there, tokenization is a key differentiator between Apple Pay and Google Wallet.

So please lay off the comments saying that you've been using this for years. You haven't.

However I don't expect that Google will dawdle with incorporation of tokenization (which is an EMV standard - by no means exclusive to Apple). A decent fingerprint reader might take longer.
Score: 31 Votes (Like | Disagree)
taptic Avatar
taptic
141 months ago
Apple: setting the example of security and privacy for Google and the NSA since forever.
Score: 26 Votes (Like | Disagree)
ptb42 Avatar
ptb42
141 months ago
Let's get this out of the way now...

No, a merchant doesn't have to sign up for :apple:pay. All of this is done on the back-end, by the credit card processing networks and the card-issuing banks.

If a merchant supports contactless card payments (PayWave, ExpressPay, PayPass), they can accept payments from your iPhone 6.

Merchants have to replace their point-of-sale terminals before 10/2015 anyway, if they haven't already done so. If their terminal doesn't accept EMV chip cards, the merchant will assume liability for fraudulent transactions.

The only determining factor is whether a merchant chooses to spend a bit extra money to add the NFC option to their point-of-sale terminal.

I'm tired of all the people complaining about "deficiencies" in :apple:pay, when they clearly don't even know how it is being implemented. Go read the referenced article, if you don't yet get it.
Score: 14 Votes (Like | Disagree)
taptic Avatar
taptic
141 months ago
A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?
The chances of their being a psycho that starts shooting people in public are probably higher than a psyhco chopping peoples fingers off to shop with at CVS.

And no, people replicated someones fingerprint, but they need to have the original and a lot of time and patience. It's not much of a hack really...
Score: 13 Votes (Like | Disagree)
greytmom Avatar
greytmom
141 months ago
Folks, if you are being held at gun or knife point so that a thief can get your pin or password, you've got bigger issues than the thief going on a shopping spree.
Score: 10 Votes (Like | Disagree)
Read All Comments