Apple Pay could put an end to data breaches

The technologies behind Apple Pay all help remove vulnerabilities in the current point-of-sale process.

The retail data-breach epidemic highlighted by Target now has other famous victims, including UPS, Home Depot, and Dairy Queen. If you've used a credit card sometime in the past year or two, there's a very good chance your information has been compromised or exposed by at least one of these data breaches. If you use Apple's new Apple Pay system, though, such worries just might be behind you.

The current point-of-sale (POS) system carries a number of risks when it comes to processing credit card transactions. As we've seen with the data breaches mentioned above, the POS system itself can be compromised. There are also stories of restaurant workers using card skimmers, or card skimmers being surreptitiously attached to card swiping mechanisms at gas stations. Basically, any transaction that involves handing your physical card to someone, or reading the data from the magnetic stripe on the back of the card, could lead to your credit card data's compromise in some way.

NFC (Near Field Communication) technology enables mobile devices to communicate wirelessly with a POS system, no physical card required. NFC itself isn't new, but Apple Pay has better security, broader support, and the clout of the Apple brand behind it. In other words, Apple Pay might actually catch on, and make wireless payments with a mobile device mainstream.

The recent hack of nude celebrity photos, and the implications that has for iCloud security, might cause some to think twice about trusting credit card information on an Apple device. While it's always prudent to exercise caution, Apple has security features in place that make a compromise highly unlikely--if not impossible.

First, Apple does not store the actual credit card data on the iOS device, or on iCloud. The payment information is encrypted and stored in a "Secure Element." When you initiate a transaction, Apple Pay generates a one-time key based on the encrypted information, and that's what is shared with the point-of-sale system. For added protection, Apple Pay transactions from an iPhone also require fingerprint authentication using Touch ID.

Even if attackers were able to intercept the one-time code, it would no longer be useful to them. The cashier doesn't see your credit card number or security code, and there is no physical card to be swiped. In a nutshell, had everyone who shopped at Target or Home Depot used Apple Pay, the data breach news would be fairly trivial.
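As an added illustration (not part of the original article, and not Apple's or the card networks' actual algorithm), this simplified Python model shows why a captured one-time code is of no use to an attacker: the issuer accepts each code once and rejects a replay or an altered amount. The class names, the HMAC-and-counter scheme and the test card number are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def _mac(key, token, counter, amount, merchant):
    msg = f"{token}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Device:
    """Stands in for the Secure Element: holds a token and key, never the card number."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0
    def pay(self, amount, merchant):
        self._counter += 1  # a fresh counter per payment gives a fresh one-time code
        code = _mac(self._key, self.token, self._counter, amount, merchant)
        return {"token": self.token, "counter": self._counter,
                "amount": amount, "merchant": merchant, "code": code}

class Issuer:
    """Bank/card-network side: the only place a token maps back to a card."""
    def __init__(self):
        self._vault = {}
    def provision(self, card_number):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = {"card": card_number, "key": key, "last": 0}
        return Device(token, key)

    def authorize(self, msg):
        rec = self._vault.get(msg["token"])
        if rec is None:
            return "unknown token"
        expected = _mac(rec["key"], msg["token"], msg["counter"], msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["code"]):
            return "bad code"          # message was altered or forged
        if msg["counter"] <= rec["last"]:
            return "replay rejected"   # this one-time code was already used
        rec["last"] = msg["counter"]
        return "approved"

def demo():
    card = "4111111111111111"  # constructed test number, not a real card
    issuer = Issuer()
    phone = issuer.provision(card)
    seen_by_pos = phone.pay(1999, "store-42")      # all a compromised POS could capture
    first = issuer.authorize(seen_by_pos)
    replay = issuer.authorize(dict(seen_by_pos))   # captured message sent a second time
    altered = issuer.authorize({**seen_by_pos, "amount": 99999})
    return first, replay, altered, card in str(seen_by_pos)
```
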

In the event that your iPhone is lost or stolen, you'll be able to disable Apple Pay payments through the Find My iPhone site. However, the Touch ID authentication requirement should be sufficient to prevent anyone from making unauthorized transactions with your device.

Android loyalists and Apple bashers are quick to point out that Apple is actually late to the NFC party. That is true. As I mentioned above, NFC technology has been available on competing mobile devices, and mobile payments have existed on rival platforms for some time. The major difference is that Apple has the support and momentum to make it mainstream. Apple has enlisted Visa, Mastercard, and American Express--which account for more than 80 percent of the credit cards in use--as well as individual banks, including Bank of America, Capital One, Chase, and Citibank, with more on the way.

Apple boasts that there are 220,000 stores ready to support Apple Pay. That sounds impressive, but it's a drop in the bucket, more or less, when weighed against all of the possible stores and retailers. The bad news is that Apple Pay won't be available everywhere you shop, but Apple has a plethora of major retailers on board, including Walgreens, McDonald's, Petco, Staples, and Subway. Apple Pay will also work within iOS through third-party apps like Target, Panera, and Starbucks.


Stories by Tony Bradley
