Apple Pay and security: Could tokenization be the tool that curbs data breaches?

Apple didn't spend much stage time explaining the tokenization process that underpins Apple Pay, but the method is seen as one of the most secure and fraud-proof payment mechanisms available.
Written by Natalie Gagliordi, Contributor

Depending on who you talk to, Apple's launch of its mobile payments platform Apple Pay on Tuesday was either an innovative kickstarter to an industry struggling to reach critical mass, or an uninspiring riff on pre-existing technology that's unlikely to move the industry's proverbial needle.

But regardless of which camp turns out to be correct, there is one aspect of Apple Pay that many agree the consumer tech giant has gotten right: Security.

Apple didn't spend much stage time explaining the tokenization process that underpins Apple Pay, but the method is seen as one of the most secure and fraud-proof payment mechanisms available.

Tokenization removes the actual credit card number and replaces it with a randomly generated number. That number, or token, can be configured to expire after one purchase or made specific to a certain transaction, making it a useless target for hackers or fraudsters.

But what's more, tokenization removes a huge storage burden from merchants, since they never see a person's actual credit card information and it never enters their POS system or online payment portal. 
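To make the mechanism concrete, here is a minimal token vault sketched in Python. It is an example added for illustration, not Apple's or any card network's code or protocol; the class and method names, the merchant IDs and the card number (a standard test number) are all assumptions made for the example.

```python
import secrets
import time

CONSTRUCTED_PAN = "4111111111111111"  # constructed test card number, not a real account


class TokenVault:
    """Toy token service: the only place the real card number (PAN) is held."""

    def __init__(self):
        self._records = {}  # token -> details of the one purchase it is good for

    def issue(self, pan, merchant_id, amount_cents, ttl_seconds=300, now=None):
        """Return a random 16-digit token bound to one merchant and one amount."""
        now = time.time() if now is None else now
        while True:
            # Random digits: nothing about the token can be computed back to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._records:
                break
        self._records[token] = {
            "pan": pan,
            "merchant": merchant_id,
            "amount": amount_cents,
            "expires": now + ttl_seconds,
            "used": False,
        }
        return token

    def redeem(self, token, merchant_id, amount_cents, now=None):
        """Authorize a purchase from a token; the PAN never leaves the vault."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec["used"]:
            return False, "token already used"
        if now > rec["expires"]:
            return False, "token expired"
        if rec["merchant"] != merchant_id or rec["amount"] != amount_cents:
            return False, "token not valid for this transaction"
        rec["used"] = True  # single use: a copy stolen from the merchant is now dead
        return True, "approved"
```

The merchant only ever handles the value returned by `issue`, so a breach of its point-of-sale system exposes tokens that are already spent, expired or tied to another transaction.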

Now, Apple didn't invent tokenization. But by taking the tokenization route, the Cupertino powerhouse could be looking to ride the security wave all the way to payment success, especially considering the rising number of merchant data breaches and instances of stolen credit card information that continue to hit the payment and retail industries.

Just consider last year's Target breach or the more recent incident with Home Depot — had Apple Pay or some other token-based payment system been the method used by a majority of shoppers, it's fair to assume that there would have been no data to steal in the first place.

But Apple Pay has more than one security trick up its sleeve. According to Randy Vanderhoof, director of the EMV Migration Forum and the executive director of Smart Card Alliance, Apple's use of tokenization, coupled with user identification via various features on the iPhone, has never been done before.

"Using TouchID on the phone strengthens the bond between the payment and the device, so the assurance level and the risk associated with these transactions goes up," Vanderhoof said. "This significantly raises the bar on security, and that is reflected by the fact that the brands and issuers are willing to extend the lower card present rates to Apple. There is so much more security potential."

Vanderhoof said one reason that the security of Apple Pay has so far been unmatched is the fragmented device market. Other mobile wallets exist across multiple hardware platforms, with no consistency to support biometrics or other verification aspects such as location information. With Apple Pay, Apple controls both the hardware and the software.

Still an uphill climb

Apple Pay is available on the latest iPhones, so adoption of the platform will depend on the device upgrade cycle.

Yet even when consumers get their hands on a new iPhone, there's no guarantee that they'll make use of Apple Pay.

"No one is going to go to a single form of payment, so I don't think we will see a massive migration," said Alex Moss, managing partner with security solutions provider Conventus. "Apple Pay may eventually reduce the number of cards that a retailer has to store, but it's not going to get rid of them all — they will still have to process credit cards. Credit cards will still be there."

Of course, the best-case scenario for not only Apple, but also merchants, card issuers and credit card networks, would be for consumers to take notice of the security potential of tokenization and opt to use it over the crusty payment card method that still reigns supreme.

Yet as Moss pointed out, Apple can't force retailers to accept Apple Pay, nor can it require adoption from iPhone users. But if payment card providers begin a broad implementation of tokenization, it becomes a whole new ballgame.

"With Visa getting into tokens, merchants could one day face a mandate," he said. "It's the same as PCI and EMV, the card issuers can say, 'Hey, if you don't use this system, we won't process your payments.' Because in the end, they are the ones bearing the bulk of the risk for stolen charges."
