How Apple Pay could make the Target and Home Depot breaches a thing of the past

The new payment technology could put a dent in cyber criminals targeting retailer terminals

Uber with Apple Pay

Uber with Apple Pay

The launch of Apple's mobile payment system could prove a turning point in the battle to secure your debit and credit card information from hackers.

Tens of millions of card numbers have been stolen in the last few months from malware-infected payment terminals in stores including Target and Home Depot. The thefts were possible in part because the card information gets stored in an unencrypted form inside the terminals.

Apple announced a system this week, one that uses a payment standard based on NFC technology. When users of its new iPhone 6 and iPhone 6 Plus smartphones walk into a store, they'll be able to wave their phone over an NFC reader to complete a purchase.

The system, which relies in part on Apple's Touch ID biometric technology to verify the user's identity, could finally replace a payment technology that's been in use for five decades.

"Whether it's a credit or debit card, we're totally reliant on the exposed numbers and the outdated and vulnerable magnetic stripe interface," Apple CEO Tim Cook said Tuesday when he introduced his company's alternative, called Apple Pay.

The contactless "tap and go" system relies on a new payment technology called tokenization. In place of your payment card number, a 16-digit proxy is stored in a security chip in the phone. That number, which is the token, is given to the retailer when a purchase is made, meaning your actual payment card number doesn't get handed around.

The retailer sends the token through its payment network to Visa, Mastercard or American Express. Those card issuers identify the number as a token and pass it to a trusted third party, which converts it to the original card number and sends it back to the issuer.

That conversion happens deep within the payment network, several levels removed from the retailers' payment systems that are the target of many hacking attempts today.

"The real processing happens in a much more secure environment," said Steve Mathison, vice president of payment acceptance at First Data, an Atlanta-based payment systems provider.

"When the real [card number] is exposed, it's at the last minute and only to the issuer," he said. "The merchant doesn't have it and the [retailer's payment network] doesn't have it."

Additional pieces of data, unique to the transaction and the user, are incorporated to prevent a token from being reused for a second transaction, even if its stolen.

The U.S. banking industry has started to end its reliance on magnetic stripe cards in favor of chip-based cards already popular in Europe, but that isn't enough for some.

In July, the National Retail Federation called on the industry to adopt tokenization to "move the U.S. payments system in the right direction toward mitigating payment card fraud and identity theft."

Contactless NFC systems have been slow to take off, but Apple Pay could help change that, especially if it's as easy to use as Tim Cook demonstrated in his Tuesday keynote. Users simply hold their thumb on the Touch ID sensor and tap the phone against a payment terminal.

The NFC technology is based on a standard developed by credit card companies that's already in use at about 220,000 locations in the U.S. Google Wallet also uses NFC but hasn't employed tokenization. It also hasn't been widely adopted by consumers.

According to Cook, that's because the solutions today don't focus enough on the user experience. "We love this kind of problem. This is exactly what Apple does best."

A successful roll out of Apple Pay would accelerate competition and help hasten the roll out of NFC terminals, said John Beatty, president of engineering at Clover Networks, which produces payment terminals for retailers. The company is already advertising systems that accept Apple Pay.

"In my opinion, it could be a tipping point," he said. "The U.S. is moving to chip and sign ... so you insert a chip card and it takes a little bit of time to authorize and you still need a signature. If you instead have people pull out their phones, put their thumb on the Touch ID and pay, it's a more pleasant and faster payment experience."

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleClover NetworkssecurityFirst Data

More about AppleFirst DataGoogleHome DepotIDGMastercardNewsNFCVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Martyn Williams

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts