Another month brings another reported massive data breach. On September 8, 2014, Home Depot confirmed that its payment data systems had been breached, potentially impacting customers using payment cards at the retailer’s US and Canadian stores beginning in April 2014. The breach was purportedly aided in part by a new variant of the malicious software program that stole card account data from Target last December. Analysts immediately hypothesized that the breach could be much bigger than the attack on Target, which resulted in the reported theft of 40 million payment card numbers and another 70 million customer records. On September 18, 2014, Home Depot confirmed that hypothesis and announced that 56 million cards may have been put at risk as a result of the breach.
As the system of exchanging sensitive data through the use of payment cards has proven to be more and more vulnerable to security breaches, it is timely that Apple recently announced an addition of Apple Pay to the next version of the iPhone. Apply Pay, which will be launched in October, reportedly will enable iPhone 6 and 6 Plus users to leave their credit cards at home and make purchases by using their cell phones via a “tokenization” scheme endorsed and recognized by major financial services companies. Through this process, instead of storing a cardholder’s actual credit card number on the device, another account number will be generated by the device to identify the user. This account number (i.e. token number) is then stored on an encrypted chip within the iPhone called the “Secure Element” and is transmitted during a transaction through a Near Field Communication (NFC)-enabled credit card terminal to the merchant and bank to identify a user for payments.
Analysts and bloggers anticipate that Apple Pay will make the breakthrough as not only a more efficient method of shopping, but as more secure than today’s credit card process. Unlike in a conventional credit card transaction where a user’s identity and credit card information are visible to merchants processing the payment, a user’s actual credit or debit card numbers are not shared with merchants or transmitted with payment through Apple Pay. Apple states that it does not store users’ credit card information on the Apple servers or retain any transaction information.
In an interview with Bank Innovation, Jorn Lambert of Master Card said that Apple has additionally erected “some Chinese walls” to prevent Apple from gaining access to payment data. As an added layer of protection, consumers will also be required to authenticate their identity through the Touch ID fingerprint sensor of their devices against the fingerprint copy stored like the credit card information on the Secure Element of each iPhone – effectively the same two-step process used in chip-and-PIN credit card transactions in Europe and Canada.
Notwithstanding the promising security features of Apple Pay, questions naturally remain about the ability of hackers to get around the unique Apple Pay security features. Moreover, it is unknown whether merchants — who may already be spending money on upgrading to EMV –enabled point of sale terminals in anticipation of the liability shift in October 2015 when merchants will be more exposed to liability for fraudulent transactions if they cannot accept a customer’s EMV chip card –will equip themselves with the NFC terminals. While only time can tell whether Apple Pay will offer consumers a truly “more secure” method of shopping, the hype around this payment platform combined with the public’s excitement about Apple products will certainly test the level of consumer loyalty to the conventional routine of swiping a credit card at checkout.
