We look at the features and security of Apple's contactless payment service, which launched in Russia today.
First, be sure to read the instructions for setting up Apple Pay in Russia. Here we go over the general questions of operation and security, so that you know what you are using and how it works.
What is Apple Pay?
Apple Pay is designed to simplify the process of buying and selling. Instead of using a plastic card or cash, any purchase can be made with an Apple device.
Compatible devices for offline payments:
- iPhone 6 and 6 Plus
- iPhone 6S and 6S Plus
- iPhone 7/7 Plus
- Apple Watch
- iPhone SE
On iPad and Mac, you can pay only online.
Payment takes place when the user brings his iPhone or Apple Watch to the contactless terminal. After a few seconds, a message appears on the screen offering to make the payment and prompting the user to confirm the transaction with the fingerprint scanner or a password.
Apple Pay has been around for more than a year and a half. As of 2016, it works in 9 countries: England, Australia, Hong Kong, Canada, China, Singapore, USA, Switzerland and France. Today, the system arrived in Russia.
How does it work?
Basis: the system is built on NFC short-range data transmission (at a distance of up to 20 cm) combined with the Secure Element chip, which stores the bank card data in encrypted form. The Secure Element is the industry standard for financial transactions. This chip runs a special Java application.
Secure Element: This is an area of dedicated memory that is separate from system memory. It stores the user's bank card information. No program has access to it, the data is not transferred anywhere, and even Apple cannot influence this. So no one will know about your purchases and cash flow.
Secure Enclave: This is the component that controls the authentication process and initiates payment transactions. It also stores the fingerprint for Touch ID.
Apple Pay Servers: This is the server part that controls the status of credit and debit cards in the Wallet application, along with the device number stored in Secure Element. Apple Pay Servers are also responsible for transcoding payment information within applications.
History and partners
Contactless payment technology has been in use for a long time, since the middle of the first decade of the 21st century. But in all that time it has not gained popularity. Even the Apple Pay concept is not new: Google has already tried to occupy this niche with its inconvenient Google Wallet service.
Apple Pay is compatible with many existing contactless readers: Visa payWave, MasterCard PayPass and American Express ExpressPay.
In addition to the fact that hundreds of banks support Apple's service, you can pay with your smartphone at any terminal that supports contactless payment.
Where can I pay with Apple Pay?
Payment is made without entering a bank card number or other information about the bank. Simply put your finger on Touch ID.
During the purchase, Apple Pay may transmit additional information stored on the buyer's phone, such as the delivery address and phone number.
What is Apple's "profit" from Apple Pay? It's simple: the corporation receives 0.15% of each transaction as a fee for maintaining the payment service and creating application tools. This money is paid to it by banks (Citi), plus the existing payment systems MasterCard and Visa.
What about security?
Apple Pay has a multi-level security system: a unique device identifier, dynamically generated security codes for each payment transaction, and biometric information (a fingerprint).
Together, these measures provide more reliable security than a magnetic strip and even the chip in a bank card.
When a connection is created, the devices exchange one-time tokens, which are deleted when the connection ends. The token is designed to replace the card number so that the card number itself is not revealed. The token is a randomly generated number, so the bank card number hidden behind it cannot be decrypted.
All of this is combined and replaces the CVV of the bank card for the payment transaction. After the connection is established and the tokens are exchanged, the transferred data is encrypted. These encrypted messages are tied to the specific device that created the token in use.
Even if the token is intercepted, this will not give the attacker valuable information, since after the connection is disconnected, the token is deleted.
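A simplified model of the token and dynamic security code described above, as an added example that is not part of the original article and not Apple's actual (undisclosed) algorithm. The TokenVault class, the one_time_code function, the HMAC construction and the test card number are assumptions made for illustration; the point is that an intercepted token and code cannot be reused.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Issuer-side model: maps random tokens to card numbers and checks one-time codes."""

    def __init__(self):
        self._cards = {}  # token -> [card number, device key, last counter seen]

    def provision(self, pan):
        # The token is random digits, so nothing about the card number can be derived from it.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # per-device secret (assumed to live in the Secure Element)
        self._cards[token] = [pan, key, 0]
        return token, key

    def authorize(self, token, counter, amount, code):
        entry = self._cards.get(token)
        if entry is None:
            return "unknown token"
        _pan, key, last = entry
        if not hmac.compare_digest(code, one_time_code(key, token, counter, amount)):
            return "bad code"
        if counter <= last:
            return "replay"  # this code was already spent
        entry[2] = counter
        return "approved"


def one_time_code(key, token, counter, amount):
    # Dynamic security code bound to the device key, the token, a counter and the amount.
    # Truncated to 8 hex characters only to keep the model readable.
    msg = f"{token}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    token, key = vault.provision(pan)
    code = one_time_code(key, token, 1, 1500)
    results = [
        vault.authorize(token, 1, 1500, code),  # genuine payment
        vault.authorize(token, 1, 1500, code),  # intercepted message sent again
        vault.authorize(token, 2, 9900, code),  # old code reused for a new amount
    ]
    return token != pan, results


if __name__ == "__main__":
    print(demo())
```

The terminal and anyone listening on the connection see only the token and the code; the card number never leaves the vault, and the second and third attempts are refused.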
Although the message contains information about the buyer, the seller, the amount of money involved in the transaction and the bank that issued the card, all of this data is encrypted. Apple does not disclose information about the encryption algorithm, which causes a storm of indignation among some information security specialists.
Apple encourages its partners to switch to more modern payment terminals that follow the EMV specification, that is, to replace the magnetic strip of plastic cards with a chip, the Secure Element, which is almost impossible to crack by intercepting data.
There is a fly in the ointment, though. No matter how hard the developers try, the Apple Pay service has its problem spots, and they largely do not depend on Apple. Many other parties are involved in moving the funds, including banks with their huge security gaps.
The fingerprint scanner does not always work correctly. While it provides a modern and seemingly reliable means of identification, it is at the same time a huge security hole. If Touch ID fails, you can use the PIN code. This negates all the advanced security.
A PIN code can be spied on, mixed up or mistyped; in short, the human factor in action. When you pay with an Apple Watch, a fingerprint is not required, which raises the question of security.
In this regard, additional verification tools appeared: a secret code, a one-time password, a call to customer support or the provision of information about previous purchases.
Some banks in other countries require the user to log in to mobile Internet banking. These additional levels of verification reduce the usability of Apple Pay.
At the moment, Russia has the simplest payment format without additional authorizations in the process.
Meanwhile, Apple Pay has still not been hacked.
Apple Pay Competitors
In 2011, Google Wallet entered the contactless payment market, but it did not become popular, largely because there was a strong competitor in the NFC payment market: Softcard, supported by the major US mobile operators. Softcard has since run out of steam, and Google bought it for $100 million.
Building on Softcard's work in contactless payments, Google launched the payment service Android Pay, which works on principles close to those of Apple Pay.
Samsung Pay is also on the market. To that end, Samsung bought LoopPay for $250 million. LoopPay offers additional devices for contactless payment. The main advantage of LoopPay, and now of Samsung Pay, is compatibility with older devices.
There is also PayPal, with a service that makes payments via QR codes. It was developed by Paydiant, which was purchased by PayPal. To scan the QR codes, a smartphone running iOS or Android is used with the CurrentC program installed, which works on Paydiant technology.
The drawback is obvious: a time delay, since you must carefully hold the smartphone over the QR code to take a picture.
The future of Apple Pay
In the near future, when more retail outlets switch to Apple Pay, the system can be used to give discounts and sell advertising targeted to the needs of the consumer. After all, a smartphone knows almost everything about you.
But there is another side to this. Payment has been simplified, it takes less time, and there is more targeted advertising. Accordingly, users will be more willing to spend their money.
With the passage of time and the proliferation of contactless terminals, Apple Pay may become a replacement for Visa or MasterCard plastic cards.
In the meantime, it’s too early to talk about it.