
Get to know Apple Pay, the successor to your wallet

Apple Pay is coming to the iPhone 6 and 6 Plus. Here's everything you need to know about its security and how it works.

Sharon Profis Vice President of Content, CNET Studios

Magnetic stripe cards are outdated, susceptible to fraud, and deserve an award for sticking around despite being older than the first computer.

Plastic payment cards are finally changing with two things: Chip and PIN cards, and NFC-based mobile payments.

Apple is the latest -- and perhaps the most significant -- player in the mobile payment space. If you plan to purchase an iPhone 6 or iPhone 6 Plus, there's a good chance you'll be wooed into using Apple Pay, a new feature that replaces traditional bank cards with your phone.

Why it's worth ditching your plastic

Apple Pay is infinitely more secure than a magstripe card. That's a little hard to believe in light of recent leaks and breaches, but it's true.

Magnetic stripe cards use an archaic process that goes like so: After you swipe your card at the register, the POS copies (and stores) your card information (including numbers and your name), and sends it to the bank for verification before completing the transaction.

Since your card number is unique and unchanging, anyone -- the cashier, a lurking customer, or a hacker -- who gets a hold of your card number and associated details can easily use it. The only way to stop them is by calling your bank, at which point damage has probably been done.

In Apple Pay (or Google Wallet, or other NFC-based transaction), paying for things is just as easy, but the security is much more complex. Those familiar with the Chip and PIN cards of Europe are already familiar with what's called "tokenization." Basically, instead of sharing your unique 16-digit card number with the retailer, the card -- or in this case, the phone -- generates a random 16-digit number for each new transaction.

If anyone were to get hold of those numbers, they'd be worthless, since they expire after each transaction.

What this means is that we'll all be much less worried when credit card data breaches occur, since the debit and credit card data obtained would be virtually worthless.
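
As an added illustration (not code from CNET or Apple), the sketch below models the single-use numbers described above: a retailer that only ever stores tokens, and a copied token being refused on reuse. `TokenVault`, `PointOfSale` and the idea of a party that maps tokens back to the card are assumptions made for the example; the article does not describe that side.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Return the digit that makes body + digit pass the Luhn card-number check."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # every second digit is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Hypothetical party that can map a token back to the real card number."""
    def __init__(self):
        self._live = {}  # token -> real card number, for tokens not yet used

    def issue(self, card_number: str) -> str:
        body = "".join(secrets.choice("0123456789") for _ in range(15))
        token = body + luhn_check_digit(body)  # looks like a 16-digit card number
        self._live[token] = card_number
        return token

    def redeem(self, token: str):
        # pop() is what makes the token expire: a second presentation finds nothing.
        return self._live.pop(token, None)

class PointOfSale:
    """Hypothetical retailer terminal; `stored` is what a breach would expose."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.stored = []

    def charge(self, number: str) -> bool:
        self.stored.append(number)  # the POS keeps whatever number it was given
        return self.vault.redeem(number) is not None

def demo():
    card = "4111111111111111"  # constructed sample: a widely used test card number
    vault = TokenVault()
    pos = PointOfSale(vault)
    first = pos.charge(vault.issue(card))
    second = pos.charge(vault.issue(card))
    replay = pos.charge(pos.stored[0])  # number copied from the retailer's records
    return first, second, replay, card in pos.stored, len(set(pos.stored))

if __name__ == "__main__":
    print(demo())
```

The two genuine purchases succeed, the replayed number is declined, and the real card number never appears in the retailer's stored data.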

It's all in the secure element

Software-based security solutions are weak, easy to hack, and will hopefully one day phase out. Knowing that, there's no way Apple -- or any other smartphone manufacturer -- would base its mobile payment security on a software solution.

Instead, Apple introduced a two-part hardware-based security solution for Apple Pay. The first lies in your fingerprint, which is required for each transaction initiated. Apple users are familiar with using Touch ID to authorize iTunes purchases, and now Apple is applying the same process for in-store transactions.

The second hardware solution is the real key to keeping our financial information locked away: the secure element.

Built as a chip and only available in the iPhone 6 and iPhone 6 Plus, the secure element is where your financial information is stored. It is only accessed when a random 16-digit number must be generated for a transaction. The data stored on the secure element never make their way onto your phone's software, so even if someone hacked your operating system, there would be no way to extract your financial information.

The secure element found in the iPhones is also safe from hardware attacks. In fact, if a thief dismantled your phone, the secure element would sense tampering and immediately shut down.

This, in addition to NFC, is also why previous versions of the iPhone cannot be made compatible with Apple Pay.

Using it at a store

If Tim Cook's demo was accurate, using Apple Pay will be easy. All you'll do is tap your phone on the credit card terminal, scan your finger on the Touch ID button, and the transaction will be complete.

But here's what's really going on behind the scenes:

At the register, you'll tap the top edge of your phone to the credit card terminal, which is where the NFC chip is located. Your iPhone will then prompt you to scan your finger on the Touch ID button. The phone will then access the secure element to generate a random, 16-digit number that mimics your "real" card number. That information gets sent back to the NFC chip, which sends it to the POS. From there, the payment finishes processing as usual.

Not only does the tokenization happen with the help of the secure element, but none of your financial information is stored in the retailer's servers, Apple's servers, or your iPhone. Plus, according to Apple, the company does not keep track of your purchases.

Where you'll use it


What will make Apple Pay successful is the fact that the infrastructure for NFC-based mobile payments is already in place. Have you ever swiped your credit card at a terminal that looked like the photo on the right?

Those NFC-ready terminals were adopted by many retailers as early as 2008 for use with contactless cards. Turns out, however, they're going to be more useful for mobile payments.

As you take Apple Pay into the real world, you may be surprised at the number of retailers that have compatible terminals. Apple listed a few, calling out Whole Foods, McDonald's, Subway and Sephora as chains ready to accept your iPhone as a legit form of payment.

Unlike a traditional card transaction, you will always be in possession of your phone -- without any exceptions. The cashier will never ask to see it, unlike some transactions where you hand over your card to confirm the last four digits.

Even in a McDonald's drive-thru, there will be a pay terminal where you'll tap your phone.

"What happens if I lose my phone? Or run out of battery?"

We have yet to see how this plays out in practice, but if you lose your phone, you'll simply log into iCloud.com to suspend payments. All that's left is to find your phone.

If you run out of battery, that's another issue. Unfortunately it's a lot like not having your wallet with you. Some users may decide to continue carrying their physical cards with them, in which case they'd have a backup. Unless those cards are of the Chip and PIN variety, the transactions wouldn't be safeguarded by tokenization.

Touch ID remains a concern

Just 48 hours after the release of the iPhone 5S, some people found a way to hack Touch ID. Although it's still much more secure than a 4-digit PIN, Touch ID can be hacked if someone lifts your fingerprint and transfers it to a material like latex.

For this reason, security experts recommend you use a non-dominant finger (like your pinky or ring finger) for Touch ID.

Update, 10:15 a.m. PT: Adds information on where you'll use Apple Pay.
