Apple Pay Takes a High-Tech Approach to Mobile Security

Apple is betting that tokenization systems offered by payment companies will provide a security boost to its new Apple Pay system at a time when consumers are wary of Apple's cloud-based services.

First Data, TSYS and Visa have announced their tokenization technology will support Apple Pay, which will enable the upcoming iPhones and Apple Watch to make contactless payments at a variety of retailers from cards issued by many of the top banks. Security is vital to Apple's pitch, particularly because the company is still working to calm consumers' worries about the safety of its iCloud service, which was targeted as part of a leak of nude celebrity photos last week. 

Apple Pay uses tokenization to replicate consumer card credentials and assign each account a randomly generated number in the cloud. That number, or token, is then stored on the device's secure element. The iPhone also generates dynamic data for each contactless payment. 

Apple's use of tokenization is "highly secure," said Barry McCarthy, president of financial services at First Data, in an interview with PaymentsSource. "The [primary account number] is never transmitted to the phone…which makes it difficult for the bad guys to steal the PAN in flight."

In 2015, First Data will become the token service provider (TSP) for issuers, McCarthy said. First Data will manage tokens throughout their lifecycle, including sending new tokens if a consumer's card expires and they get a new one or in the case of loss or theft, he said.
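A simplified model of the tokenization flow and token lifecycle described above, added here as an illustration and not code from Apple, First Data or any payment network. The HMAC-based per-payment cryptogram, the transaction counter and all class and function names are assumptions made for the sketch; the test PAN is constructed.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, counter, amount_cents):
    """Device side (assumed scheme): dynamic data bound to token, counter and amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Hypothetical TSP vault: the only place where a token maps back to a PAN."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_counter", "active"}

    def provision(self, pan):
        """Assign a random token to a PAN; only token and key go to the device."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0, "active": True}
        return token, key

    def authorize(self, token, counter, amount_cents, cryptogram):
        """Return the PAN only for an active token with a valid, fresh cryptogram."""
        entry = self._vault.get(token)
        if entry is None or not entry["active"]:
            return None  # unknown or retired token
        expected = make_cryptogram(entry["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # tampered amount, wrong key, or forged data
        if counter <= entry["last_counter"]:
            return None  # replayed or stale payment data
        entry["last_counter"] = counter
        return entry["pan"]

    def reissue(self, old_token):
        """Lifecycle event (loss, theft, new card): retire the old token, issue a new one."""
        entry = self._vault[old_token]
        entry["active"] = False
        return self.provision(entry["pan"])
```

In this model a captured token and cryptogram are useless for a second payment, and a lost device is handled by retiring its token without changing the underlying card number.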

First Data played a key role in the launch of Google Wallet as well. The global processor works as the trusted service manager for Google's payment system, loading payment card credentials to a secure chip through a process called provisioning. For most Google Wallet purchases, Google presents a virtual MasterCard number to the merchant instead of the true card account number.

"First Data will continue to support a portfolio of projects and partners," said Pete Donat, senior vice president of First Data Ventures.

Apple Pay will support NFC transactions at the physical point of sale or online payments through in-app solutions. NFC at the point of sale will be categorized as card-present transactions for interchange fee purposes, and in-app purchases will be considered card-not-present transactions, but their fees will align with more secure forms of card-not-present, said Donat.

NFC wallets have struggled for adoption, and one reason was that merchants didn't have point-of-sale terminals equipped with the capability. But as merchants upgrade their terminals for the October 2015 deadline for EMV-chip card acceptance in the U.S., those new terminals will likely have NFC functionality.

First Data has started shipping peripheral devices with EMV and NFC capability and a PIN pad, said McCarthy.

First Data, in its role supporting 750 million credit and debit cards in the U.S. and 4 million merchant locations, is "at the center of a significant portion of all payment transactions," McCarthy said. Apple "recognized that role…and we were invited to help participate among a very small list of providers to bring the [iWallet] solution to market."

First Data is also launching Payeezy, a platform to enable merchants and app developers to quickly code secure in-app payments into their apps. While Donat wouldn't disclose which merchants have started using Payeezy, he said the feedback has been positive.
