So I have to give a thumbs-up to fingerprint scanning. But even better is that Apple is storing payment-card data in the iPhone's Secure Element, which is simply a chip in the phone. It shouldn't be very easy to access and, even if that happens, it's simply a token that leads to encrypted data. But here's the really good part: The payment data is not stored on Apple servers or held by the retailer. This is how Apple eliminates the problem of profit-oriented retailers not working together to stop data breaches. When retailers are no longer in possession of payment data, they cease being the target.
Ah, when that happens; there's the rub. Apple Pay is showing the way out of some sticky security problems, but its debut (probably by the end of October) doesn't eliminate the problem. I'd calculate that this coming holiday season, 99.999% of all merchant transactions won't use Apple Pay. It's going to be a very long time before that figure gets whittled down significantly.
It will help if other mobile-payment players see the wisdom of this approach and emulate it. When enough payments are made this way, so that card data is stored on personal devices and not conglomerated on big enterprise server systems, ROI goes out the window for cyberthieves. They need to access huge numbers of cards, ideally tens of millions or better. That's because cards age out quickly, and once a breach is discovered, that aging-out is greatly accelerated. Cyberthieves are not going to see much percentage in hacking tens of millions of phones to get that kind of data quantity.
I know that the mass collection of payment card data won't be eliminated by the Apple Pay model, even if it's a huge success. Card issuers are still going to retain those sorts of records. But in general, financial operations have better security than retailers, and they also have more incentive to promote better security for all.
You've gotta give credit to Apple. It didn't just use a better deadbolt. It outthought the thief by better understanding him.