October 29, 2014

How Apple Pay Really Works

Kirk Lennon:

“The first step to using Apple Pay is to add your credit card to Passbook. You can use the camera on your iPhone 6 to read the cardholder data directly from the card. This is the only step in the process where your PAN is ever used. The PAN is sent over an encrypted connection to the credit card companies and the payment token is received. The actual process of generating and storing tokens is done by either your issuing bank or, for example, Visa offers an ‘on behalf of’ service for banks where they handle the tokenization process.

The token is not cryptographically generated, and while certain elements can be set, the number is essentially random, which means it is impossible for a malicious agent to figure out the PAN from the token. The issuers maintain a ‘token vault’ that maps back tokens to their respective PANs, and there can be multiple tokens for a single PAN. Once your iPhone receives the token, it then stores it in the Secure Element.

When you go to pay in a store, your iPhone transmits the token to the merchant along with the token cryptogram, which is generated at transaction time by the Secure Element using the token and additional transaction-specific data. The token and this security code are sent through the normal payment networks where the token is finally mapped back to your PAN and your bank (hopefully) authorizes the transaction. The merchant never sees your actual account number, nor even your name. Your private information stays private and secure.

Also, note who is not a part of the payment process: Apple. Once you add your card to your phone, the rest of the transaction is between you, the merchant, and your credit card company or bank. Apple never knows where, when, or how much you spend using it. Apple does, however, get a small percentage of the credit card transaction fee each time you use it, perhaps as compensation for reducing fraud. How to reconcile these two facts?

It’s simple: The banks keep track of aggregate transactions that come from Apple Pay tokens and then combine Apple’s portion of the fees into periodic lump-sum payments.”

Safe and effective.

(Via DF.)
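
A simplified model of the token vault and per-transaction cryptogram described in the quote, as an added example that is not code from the quoted article, Apple, or the card networks. The HMAC-SHA256 construction, the per-token key, the transaction counter, and all names are assumptions standing in for the real cryptogram scheme, which the quote does not specify.

```python
import hashlib
import hmac
import json
import secrets

def make_cryptogram(key, token, amount_cents, merchant_id, counter):
    # Device side (Secure Element in the quote): bind the token to this one transaction.
    msg = json.dumps([token, amount_cents, merchant_id, counter]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Issuer-side model: random tokens mapped back to PANs."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        # The token is random digits, not derived from the PAN, so it cannot be reversed.
        token = pan
        while token == pan or token in self._vault:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # assumption: per-token key shared with the device
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def authorize(self, token, amount_cents, merchant_id, counter, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return None  # unknown token
        expected = make_cryptogram(entry["key"], token, amount_cents, merchant_id, counter)
        if not hmac.compare_digest(expected, cryptogram) or counter <= entry["last_counter"]:
            return None  # altered transaction data, or a replayed cryptogram
        entry["last_counter"] = counter
        return entry["pan"]  # only the issuer side maps the token back to the PAN

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    token, key = vault.provision(pan)
    second_token, _ = vault.provision(pan)  # several tokens may map to one PAN
    cryptogram = make_cryptogram(key, token, 1250, "M-001", 1)
    return {
        "distinct_tokens": token != second_token,
        "approved": vault.authorize(token, 1250, "M-001", 1, cryptogram) == pan,
        "replayed": vault.authorize(token, 1250, "M-001", 1, cryptogram),
        "tampered": vault.authorize(token, 99900, "M-001", 2, cryptogram),
    }
```

The merchant in this model only ever handles `token` and `cryptogram`; a captured pair fails on reuse because the counter has already been consumed, and fails for a different amount because the cryptogram no longer matches.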