Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How Apple Pay could make the Target and Home Depot breaches a thing of the past

Martyn Williams | Sept. 12, 2014
The launch of Apple's mobile payment system could prove a turning point in the battle to secure your debit and credit card information from hackers.

The launch of Apple's mobile payment system could prove a turning point in the battle to secure your debit and credit card information from hackers.

Tens of millions of card numbers have been stolen in the last few months from malware-infected payment terminals in stores including Target and Home Depot. The thefts were possible in part because the card information gets stored in an unencrypted form inside the terminals.

Apple announced a system this week, one that uses a payment standard based on NFC technology. When users of its new iPhone 6 and iPhone 6 Plus smartphones walk into a store, they'll be able to wave their phone over an NFC reader to complete a purchase.

The system, which relies in part on Apple's Touch ID biometric technology to verify the user's identity, could finally replace a payment technology that's been in use for five decades.

"Whether it's a credit or debit card, we're totally reliant on the exposed numbers and the outdated and vulnerable magnetic stripe interface," Apple CEO Tim Cook said Tuesday when he introduced his company's alternative, called Apple Pay.

The contactless "tap and go" system relies on a new payment technology called tokenization. In place of your payment card number, a 16-digit proxy is stored in a security chip in the phone. That number, which is the token, is given to the retailer when a purchase is made, meaning your actual payment card number doesn't get handed around.

The retailer sends the token through its payment network to Visa, Mastercard or American Express. Those card issuers identify the number as a token and pass it to a trusted third party, which converts it to the original card number and sends it back to the issuer.

That conversion happens deep within the payment network, several levels removed from the retailers' payment systems that are the target of many hacking attempts today.

"The real processing happens in a much more secure environment," said Steve Mathison, vice president of payment acceptance at First Data, an Atlanta-based payment systems provider.

"When the real [card number] is exposed, it's at the last minute and only to the issuer," he said. "The merchant doesn't have it and the [retailer's payment network] doesn't have it."

Additional pieces of data, unique to the transaction and the user, are incorporated to prevent a token from being reused for a second transaction, even if its stolen.

The U.S. banking industry has started to end its reliance on magnetic stripe cards in favor of chip-based cards already popular in Europe, but that isn't enough for some.

In July, the National Retail Federation called on the industry to adopt tokenization to "move the U.S. payments system in the right direction toward mitigating payment card fraud and identity theft."

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.