January 4, 2017

Apple Pay, Tokenization and Security: How to Stay Safe with Your Digital Wallet

Whether you love Apple’s user-friendly and reliable products or hate the price tag and the status symbolism they represent, you’ve got to admit: The company knows business.

Apple Pay may be the most successful mobile payment solution in terms of widespread adoption. It’s possible to all but replace your physical cards by storing them on your iPhone (6 or later) with Apple Pay. Even your Tulsa FCU cards can be added to Apple Pay.

Apple Pay has become a widely used digital wallet by taking advantage of two developments in payment infrastructure to save you time: near-field communication (NFC) and token encryption.

What is tokenization?

Apple Pay and other similar services use a process called “tokenization” for their security. In the simplest possible terms, tokenization is the use of a non-sensitive piece of data to stand in for a sensitive one. Think of tokenization like arcade tokens. The sensitive data is the quarter, which you exchange at a machine for a token. That token then tells the arcade machines that you have a quarter to play. The game machine never sees the actual quarter, but accepts the token that stands in for it instead.

Apple Pay works the same way. The app creates a token – a random series of numbers – that corresponds to your account, along with a one-time security key. It transmits that data to the payment terminal. The payment terminal transmits that token to the “token vault,” a secure database that links these tokens to the actual accounts. The token vault connects the token to the real account, provided the security key is correct. That token vault then transmits a charge directly to the linked cards, while returning a verification of funds to the payment terminal. With Apple Pay, the token vault is hosted at the payment processor, so the point of sale terminal never even sees your card information.
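The flow above can be sketched in a few lines of Python. This is an added illustration, not Apple's or any payment processor's code: the names `TokenVault` and `one_time_key` are hypothetical, the card number is a constructed test value, and the one-time security key is modeled as an HMAC over the token, a payment counter and the amount, which is an assumption made for this sketch.

```python
import hashlib
import hmac
import secrets


def one_time_key(device_key, token, counter, amount_cents):
    """Phone side: a key valid only for this token, counter and amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Processor side: the only place that links tokens to card numbers."""
    def __init__(self):
        self._cards = {}     # token -> (card number, device key)
        self._last_ctr = {}  # token -> highest counter already accepted

    def provision(self, card_number):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        device_key = secrets.token_bytes(32)
        self._cards[token] = (card_number, device_key)
        self._last_ctr[token] = 0
        return token, device_key

    def authorize(self, token, counter, amount_cents, key):
        if token not in self._cards:
            return "DECLINED: unknown token"
        card_number, device_key = self._cards[token]
        expected = one_time_key(device_key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, key):
            return "DECLINED: bad security key"
        if counter <= self._last_ctr[token]:
            return "DECLINED: replayed payment"
        self._last_ctr[token] = counter
        # Only here, inside the vault, is the real card number used.
        return f"APPROVED: card ending {card_number[-4:]}"


def demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    token, dev_key = vault.provision(card)
    # Everything the store's terminal handles: no card number in it.
    msg = {"token": token, "counter": 1, "amount_cents": 1250,
           "key": one_time_key(dev_key, token, 1, 1250)}
    first = vault.authorize(**msg)
    replay = vault.authorize(**msg)  # same message captured and resent
    tampered = vault.authorize(**{**msg, "amount_cents": 99999})
    return card, msg, first, replay, tampered
```

Calling `demo()` shows the first payment approved, while the resent copy and the copy with a changed amount are both declined, so a token captured at the terminal is of no use on its own.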

This is different from a swiped or keyed transaction. Ordinarily, the terminal reads your credit or debit card information directly and transmits it to the payment processor. This means your card’s information is stored in three different places. Any one of those could be the site of a data breach. In fact, one of the major recent data breaches, Home Depot, was caused by a bug in the point of sale terminal.

With Apple Pay’s tokenization, your information is seen only by the payment processor and your financial institution. That’s fewer points of failure along the information chain, which makes your transactions more secure. Apple has gone to great lengths to ensure that the token interaction takes place at payment processors, removing its own servers from the process as much as possible.

Importantly, this means that Apple itself has no idea what purchases you’re making. It can’t track your behavior based on your Apple Pay transactions. For fans of internet privacy, this has to be good news.

There are other layers of security involved in Apple Pay and similar services. For starters, the apps won’t work unless your phone is unlocked. Given the fingerprint reader technology in most modern smartphones, that’s an added layer of protection between a potential thief and your data.

The biggest downside of this level of security is the cost involved in implementing it. Because of Apple’s insistence that the token interaction not use its servers, some payment processors have been reluctant to add the additional security. This has slowed the expansion of Apple Pay technology, and is part of the reason only about a third of retailers accept the service.

In sum, Apple Pay’s tokenization system is an efficient, secure way to pay. By using modern technology and the latest in encryption protocols, Apple Pay is able to keep your data more secure and private than ever. You can feel confident using Apple Pay anywhere you’d pay with your credit or debit card.

This article is for educational purposes only. Tulsa FCU makes no representations as to the accuracy, completeness, or specific suitability of any information presented. Information provided should not be relied on or interpreted as legal, tax or financial advice. Nor does the information directly relate to our products and/or services terms and conditions.