
Elements of Apple Pay security

Buy with Apple Pay – it’s time to get used to this.

The consensus is that if Apple can’t crack NFC mobile payments then no-one will. Well, Apple Pay is the company’s foray into mobile payments, so let the fun begin.



At this stage you probably know how Apple Pay will work: have iPhone 6; tap to NFC-enabled terminal; payment completed via user’s Touch ID. Simples. The service launches in the US in October 2014, and there is a lot at stake. Visa, MasterCard, and American Express are already on board. The mobile payments market is expected to reach $100 billion in the US in the next five years.

Apple Watch is also enabled for payments (in-store only), but there wasn’t enough clarity in the Cupertino presentation regarding authorisation. For example, there is no Touch ID functionality on the Apple Watch. Apple will clear this up in the months ahead.

Nevertheless, respected payments industry commentator Tom Noyes has already labelled Apple Pay ‘the most secure PAYMENTS scheme on the planet’ in his blog.

Apple, of course, stores the credit card details of 800 million customers built up over years of use in the Apple ecosystem via iTunes, iBooks, and the App Store. This is where Apple has a headstart in the mobile payments industry.

At the Apple Pay revelation in Cupertino Tim Cook lauded the payment system’s speed, security, and privacy. The key to all three features is a chip called Secure Element.

Apple Pay security and its Secure Element

With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element, a dedicated chip in iPhone and Apple Watch. This process is, effectively, tokenization.

According to Apple’s documentation these numbers are never stored on Apple’s servers.

When you make a purchase, the Device Account Number and a transaction-specific dynamic security code are used to process your payment. Your credit or debit card numbers are never shared with merchants or transmitted with payment.

A dynamic security code is used to process the payment as opposed to sending the number to the retail terminal.

Once the transaction is completed, these numbers and codes will be rendered useless, meaning that even if a POS system is compromised, any data stolen cannot be used for future transactions.
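A simplified model of the flow described above, added here as an illustration and not Apple's or the card schemes' actual algorithm. The HMAC construction, the transaction counter, and the names `TokenService`, `cryptogram` and `device_pay` are assumptions made for the example; it shows why a payment message captured at a compromised POS is rejected when presented again.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, dan, counter, amount, nonce):
    """Transaction-specific code bound to token, counter, amount and terminal nonce."""
    data = f"{dan}|{counter}|{amount}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]

class TokenService:
    """Issuer-side model: maps a device token to the real PAN and checks codes."""

    def __init__(self):
        self._vault = {}  # Device Account Number -> [PAN, device key, last counter]

    def provision(self, pan):
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = [pan, key, 0]
        return dan, key  # in this model both live only in the Secure Element

    def authorise(self, msg):
        entry = self._vault.get(msg["dan"])
        if entry is None:
            return False, "unknown token"
        _pan, key, last_counter = entry
        expected = cryptogram(key, msg["dan"], msg["counter"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False, "bad dynamic code"
        if msg["counter"] <= last_counter:
            return False, "replayed transaction"
        entry[2] = msg["counter"]  # this counter value can never be accepted again
        return True, "approved"

def device_pay(dan, key, counter, amount, nonce):
    """What the device hands the terminal: token plus dynamic code, never the PAN."""
    return {"dan": dan, "counter": counter, "amount": amount, "nonce": nonce,
            "code": cryptogram(key, dan, counter, amount, nonce)}

def demo():
    service = TokenService()
    pan = "4111111111111111"  # constructed test card number
    dan, key = service.provision(pan)
    msg = device_pay(dan, key, counter=1, amount=1999, nonce="a1b2c3")
    first = service.authorise(msg)
    replay = service.authorise(dict(msg))  # same message as captured at the POS
    tampered = service.authorise({**msg, "counter": 2, "amount": 99999})
    return pan in msg.values(), first, replay, tampered
```
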

What about Tim Cook’s boasts in relation to the Apple Pay security, speed, and privacy?


No-one will ever see your credit card details, your name, or your security code. Unique one-time numbers are used for each transaction. Numbers are rendered useless once the transaction is complete.

Using “Find My iPhone”, cards stored on a lost iPhone can be blocked, but you will not have to cancel your actual credit or debit card.

From a merchant’s point-of-view Apple Pay security may solve key PCI problems. As credit card PANs are not stored, merchants will not have to worry about a key PCI requirement: never store the PAN unencrypted.

In a Forbes.com interview, Dr. Branden R. Williams, EVP, Strategy, Sysnet Global Solutions who co-authored the book PCI Compliance, had this to say: “If a retailer only accepts transactions via the NFC P2PE [Point-to-Point Encryption] Terminal, they could conceivably take the majority of their infrastructure out of scope [of PCI], and remove the big target on their back.”


We can’t argue here. All it takes is one tap of an iPhone 6 or Apple Watch at an NFC-enabled terminal. Online, or in-app, customers will just use the ‘Buy with Apple Pay’ button and all the relevant transaction details are provided to the merchant.


Apple has stated that no-one will know what you bought, where you bought it, or how much you paid. Given the recent iCloud hack Apple was keen to emphasise privacy in their Cupertino iPhone 6 and Apple Watch launch.

Aviso’s role in mobile payments

Apple have come up with a payments product which will, as Tim Cook exclaimed at the iPhone 6 and Apple Watch launch, “forever change the way we buy.” But Apple Pay has not changed how all those payments are processed. The card payment processing network between the merchant, the issuer, the card scheme, and the acquirer remains the same.

That’s where Aviso comes in. Our software can be incorporated into any part of the switching process as a payment meanders through this network. We enable merchants, acquirers, and issuers to accept all types of payment messages.

Just as Tim Cook lauded Apple Pay for speed and security, we do likewise with our software.

For example, our Novate solution is easily integrated into any payment processing system. It accepts and processes all message types, is extremely reliable, cost-effective, and – crucially – fast: there is no ‘downtime’ with Novate.

Novate can enable mPOS providers to seamlessly integrate with either acquiring banks or card schemes in order to start accepting all types of payments.

Novate provides a robust, secure solution on which the next generation of innovators in the payments space can build their businesses.

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.
