Apple Pay, Tokens, and Payment Security

Last year in my Perspectives On Management class, Bill Clerico, co-founder of WePay, said physical payments will soon become obsolete and that at some point, people won’t have to carry around credit cards or cash with them. He stated that it is still barbaric that in restaurants people give a waiter or waitress their credit card to walk away with for several minutes. These restaurant employees have the power to take the credit card information with ease. However, with the rise of new technologies, payments and other physical transactions have become more seamless and safer than ever before. Apple and their Apple Wallet platform have dominated this space and are leading the charge towards a secure card-less and contact-less payment norm.


Apple Wallet is a feature on the iPhone and Apple Watch that allows users to store their credit and debit cards, plane tickets, concert tickets, rewards cards, and now even student IDs, among other things, for immediate use when they are scanned. Juniper Research forecasts that by 2020, roughly 450 million people will be using contactless payment systems. In 2018 alone, contactless payments surpassed $1 trillion for the first time ever. Juniper also forecasts that half of those users will be on the Apple Pay platform. That being said, it is clear that Apple is dominating the space through its seamless integration and other sticky features that enable it to be the world’s leader in contactless payments.

Apple Pay 

Apple Pay has a variety of features that make it effective, efficient, and secure for purchases in apps, in stores, and on the web. It also enables people to pay their friends and family through messages, all without any cash or cards changing hands. What makes Apple Pay so secure are the several safety measures put into place to ensure that a user’s personal payment data cannot be breached. First, Apple Pay assigns a device-specific number and a unique transaction code for every purchase. By doing so, Apple Pay never stores a user’s credit card information on the Apple servers or even on the user’s iPhone. Additionally, these features enable Apple Pay to complete a transaction without ever giving the merchant access to the user’s credit card number.


Although this secure transaction appears to be simple, it requires a complex back-end process to enable Apple to never store the card number or give it to the merchants. The process works as follows: when an iPhone user signs up for Apple Pay, they are prompted to enter their credit or debit card information. Upon entry, this information is immediately encrypted and securely sent to the user’s credit card network, where it is validated. If the encrypted card information is deemed valid, a token is sent back to the iPhone and stored within its Secure Element. The Secure Element is a platform capable of securely hosting applications, confidential information, and cryptographic data. The token that is sent back is a random 16-digit number that resembles a credit card number but is valueless. It serves as a placeholder for the actual credit card information and has the same last 4 digits as the actual credit card. Tokens are extremely secure and valueless for several reasons. First, a token and its number combination cannot execute a transaction on their own; it is basically an inactive credit card number. Next, the token numbers are not mathematically encrypted but are instead random, so nobody would be able to decrypt or reverse engineer the token number to discover the real credit card information. Also, only the token issuer can map the token back to the actual credit card information. And because in Apple Pay’s case the credit card network is the token issuer, the credit card information never leaves the user’s credit card data networks.


So what happens internally when an actual transaction is made? Upon paying for a product, Apple Pay sends the token to the merchant, and the merchant then sends the token to the credit card network. The network maps the token to the actual credit card number and contacts the bank for authorization. If the card number is approved, the bank sends the card information back down the line of authentication factors and allows the transaction to proceed. By using this token technology, Apple eliminates the risk of credit card attacks such as fraud and credit card skimming because no credit card number is ever present.


Apple Pay’s security does not stop there. Token transactions on mobile devices require authentication, and that’s where Apple’s Touch ID and facial recognition come into play. When an Apple Pay transaction is made, Apple creates a CVV and a cryptogram. The CVV is like the three-digit number on the back of your credit card, but in this case it is a dynamically generated three-digit number attached to the token. The cryptogram is a one-time-use digital signature that uniquely identifies the device that created the token; however, most of the cryptogram features at Apple are not public knowledge. The cryptogram ensures that the token can only be used from the device on which it was initially created. That being said, it is evident that Apple Pay is securing its payments through its use of tokens and the tokens’ authentication features.
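The token and cryptogram flow described in the paragraphs above, as an added sketch that is not from the original post and is not Apple's or any card network's code. The names `TokenVault` and `make_cryptogram`, the per-device key, the transaction counter and the use of HMAC-SHA256 are all assumptions standing in for the real cryptogram, whose format is not public.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(device_key, token, amount_cents, counter):
    # Hypothetical stand-in: a MAC over the transaction, keyed by a device secret.
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Toy card-network token service: the only party that can map token -> card."""
    def __init__(self):
        self._by_token = {}  # token -> {"pan", "key", "counter"}

    def provision(self, pan):
        # The token is random, not derived from the card number; following the
        # article, it keeps the card's last four digits.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        device_key = secrets.token_bytes(32)  # on a phone this would sit in the Secure Element
        self._by_token[token] = {"pan": pan, "key": device_key, "counter": 0}
        return token, device_key

    def authorize(self, token, amount_cents, counter, cryptogram):
        entry = self._by_token.get(token)
        if entry is None:
            return "declined: unknown token"
        expected = make_cryptogram(entry["key"], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"       # token used without the device key
        if counter <= entry["counter"]:
            return "declined: replayed cryptogram"  # one-time use
        entry["counter"] = counter
        # Only here, inside the network, is the real card number looked up.
        return "approved for card ending " + entry["pan"][-4:]

def demo():
    vault = TokenVault()
    token, key = vault.provision("4111111111111111")  # constructed test card number
    first = make_cryptogram(key, token, 2500, 1)
    forged = make_cryptogram(secrets.token_bytes(32), token, 2500, 2)
    results = [
        vault.authorize(token, 2500, 1, first),   # genuine payment
        vault.authorize(token, 2500, 1, first),   # same message captured and resent
        vault.authorize(token, 2500, 2, forged),  # copied token on another device
    ]
    return token, results
```

The merchant in this model only ever handles `token` and the cryptogram, so a copied token fails at the network without the device key, and a captured cryptogram fails on reuse.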


There is no question that Apple is changing the way society makes payments. With these technologies, Apple Pay customers can make secure payments across their different applications, websites, and other merchants without having to worry about their credit card information being stolen. Apple Pay is dominating the United States; however, since Android phones are the primary phones used internationally, Apple must make strategic advancements in its technology to surpass Android’s secure payment technology and grow its international market share.


Now that Apple has successfully created a secure payment platform for its users, it will be interesting to see how Apple attacks the restaurant industry, where credit cards and cash are still changing hands in an extremely non-secure way. Once Apple successfully integrates this technology into the restaurant industry, this will make Apple Pay as well as the iPhone even more sticky than it already is for society and its users.





5 thoughts on “Apple Pay, Tokens, and Payment Security”

  1. Great blogpost Nick! Apple seems to have built Apple pay very securely by encrypting the credit card numbers and adding extra layers of security. Also, I had never thought about the fraud risk that we go through when we go to a restaurant, but it would be very easy for a waitress to take a picture of the credit card. It would be interesting to see how Apple wallet compares to Google pay in terms of security.


  2. Nick, I really enjoyed reading your post. I think the power of electronic payment and the trend towards no more physical currency, including no more credit cards, is very exciting. It seems like most stores and places to get food are now accepting Apple pay. It will definitely be interesting to see how Apple can be used at full sit down restaurants, but I am all for their services being implemented. I enjoyed your post!


  3. Good post about mobile payment. I’m sure Apple pay and other mobile pays will become more popular in the U.S. like Wechat Pay and AliPay in China. With mobile payment, people can definitely avoid sharing their credit card information with strangers. Also, I heard Apple plans to offer its own credit card with Goldman Sachs. Apple Pay will be a great resource for promoting its card.


  4. Great post Nick! I had no idea that the merchant never receives your actual credit card information when you pay with Apple pay. Their “token” system of a randomly generated credit card number that links back to your actual card seems like a beautifully designed way to both make payments easier and safer. Thanks for sharing.


  5. Great post, Nick! This blog post is really informative, and it details a process that I didn’t know much about but really should. Now that Venmo has reached such popularity, I think people are ready to use digital monetary transactions for everyday purchases. It will be interesting to see how services like ApplePay plan to use blockchain to support their backend structure. I think this technology may bring even more security to an already very secure network. Thanks for educating me on this topic!

