NEW YORK (MainStreet) — Yesterday Apple flipped the switch on its new digital payment system ApplePay. With this system, anyone who has the latest iPhone can use his handset for wireless payments, at least when shopping at one of the 220,000 stores accepting the new system.
The phone broadcasts payment information with a near field signal that the cashier picks up, and ideally payment goes through in less time than it takes to point the device at the register. Easy.
Easy, but so far unnecessary. Apple’s slogan “Gone are the days of searching for your wallet” summons images of late night infomercials where poor dullards struggle to operate a blanket. The truth is that while many companies have tried to introduce digital wallets, they’ve never really taken off, in large part because swiping a plastic card just isn’t the inconvenience tech companies seem to think it is. Much like blu-ray players, digital wallets have been solutions in search of a problem.
Perhaps, that is, until now.
What Apple Pay really brings to the table is security.
Ordinarily the only way to shop with a credit/debit card is to share the number with the vendor so they can confirm it against your bank’s records. The obvious catch is that the whole system relies on broadcasting that one, sensitive piece of information. If a waitress wants to scribble it down on a cocktail napkin or a Russian hacker breaks into a retail giant, there’s not much you can do to stop them.
ApplePay solves that by neither sharing nor storing your real credit card numbers in the first place.
Instead when you load a card into the system Apple Pay assigns it a random 16 digit token. That token gets stored on a secure chip in the phone which unlocks with a fingerprint scan. When you make a purchase ApplePay sends the merchant both your token and a one-time transaction code generated by the credit card company.
The merchant confirms with your credit card company that the token represents a legitimate account, the credit card company confirms that the one-time code represents a legitimate transaction and importantly no one ever sees your actual credit card number.
Even “spoofing,” in which hackers would intercept the near field signal between phone and cash register, isn’t troubling. In addition to being difficult to do without standing inches away, the worst a hacker could escape with is your 16 digit token. Without the specifics of your ApplePay account (not broadcast) to link up with the correct credit card, that’s just so many random numbers.
Token payments aren’t a new idea, but they’re new to mainstream American commerce. They keep credit card numbers from getting out into the wild. Shoppers, for example, who had used a system like this would have been less vulnerable to the major Home Depot and Target data breaches recently, because no useable information would have been on file.
ApplePay has added three new layers of security onto the existing system: tokens, one-time codes and fingerprint activation. Is that the end of shoppers’ security woes? No. For every smart Silicon Valley techie out there, there’s a clever hacker who wants to make money off what he built. There is no such thing as a bulletproof system.
But it’s a very long step in the right direction.
--Written for MainStreet by Eric Reed, a freelance journalist who writes frequently on the subjects of career and travel. You can read more of his work at his website www.wanderinglawyer.com.