Apple Pay’s Secure Element: Where it Succeeds and Fails

by on Nov 13, 2014

An underemphasized feature of Apple’s contactless payments service, Apple Pay, is its remarkable Secure Element hardware. The much more discussed security feature, Touch ID, utilizes biometric technology that registers and responds to a single iPhone user’s fingerprint in order to authorize a transaction. Even more importantly, however, Apple Pay also communicates with a Secure Element chip installed in iPhone 6 devices that acts to safeguard a user’s financial information against fraud and data breaches.

When cards are loaded into Apple Pay, the Secure Element assigns each one a digital token (Device Account Number) and stores only those tokens in the chip. The tokens serve as static proxy account numbers representing the user’s cards. When the user makes a payment, the Secure Element generates a unique, one-time dynamic security code for that transaction, which is carried through the payment network. The security code acts as a proxy card code verification (CCV) and verifies that the digital token originated from the correct mobile device, authenticating the transaction.


This overall mechanism prevents the merchant from ever obtaining the user’s actual payment information, including their card number, CCV or personal details. This should reassure consumers, who may have recent highly publicized data breaches on their minds. The original payment data is only ever revealed to the credit card networks and the banking institution. To ensure protection from fraud on both sides of the transaction, the actual payment information is not even shared with Apple. Only the digital tokens are locked inside the chip, and the tokens are useless on their own.
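The token-plus-dynamic-code flow described above, sketched as an added example that is not Apple's or the card networks' code. It assumes HMAC-SHA256 over a transaction counter as a stand-in for the real payment cryptogram; the class names, message fields and token format are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def dynamic_code(key, token, counter, amount_cents):
    """One-time code bound to this token, transaction counter and amount."""
    data = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]

class SecureElement:
    """Device side: holds only the token and a per-device key, never the card number."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1  # a fresh counter makes every code single-use
        code = dynamic_code(self._key, self.token, self._counter, amount_cents)
        # This dict is everything the merchant terminal ever receives.
        return {"token": self.token, "counter": self._counter,
                "amount": amount_cents, "code": code}

class Issuer:
    """Network/bank side: the only place a token maps back to the real card."""
    def __init__(self):
        self._vault = {}  # token -> [card number, device key, last counter accepted]

    def provision(self, card_number):
        # Constructed token format (16 digits); an assumption for this example.
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = [card_number, key, 0]
        return token, key  # only these two values are loaded onto the device

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False
        _card, key, last = entry
        expected = dynamic_code(key, msg["token"], msg["counter"], msg["amount"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False  # token presented without the device's key: rejected
        if msg["counter"] <= last:
            return False  # a captured message replayed later: rejected
        entry[2] = msg["counter"]
        return True
```

A merchant breach in this model exposes only tokens and already-spent codes, neither of which authorizes a new transaction.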

Apple Pay has the potential for a fraud-free payment experience at brick-and-mortar stores as well as through participating third-party apps. Nevertheless, Apple Pay is not yet a ubiquitous payment option online, leaving users vulnerable to fraud while shopping on a mobile website or a non-participating app. As more online merchants and third-party developers integrate Apple Pay into their apps, iPhone users will be protected from fraud in nearly any situation.


Unfortunately, Apple’s innovative security hardware is only installed on iPhone 6, iPad Air 2 and iPad mini 3 devices, leaving the remaining smartphone users (i.e. Windows, Android, Fire and older Apple devices) more vulnerable to data breaches. It would behoove the tech industry at large to develop a standard chip and payment processing system across all smartphone devices so that more customers can be protected from fraud. For now, Apple Pay provides a great template for its competitors.