Here’s How the Security Behind Apple Pay Will Really Work

canstockphoto0316163Apple Pay was introduced by the giant technology company only three days ago, and already there are a number of questions about it — mostly from the financial technology industry.

Specifically, many fintech insiders are wondering how exactly Apple Pay works, and what are its security features. And, no, watching a demo of Apple Pay doesn’t quite cut it.

Bank Innovation turned to one of Apple Pay’s partners, MasterCard, for the lowdown. In an interview with Bank Innovation, Jorn Lambert, group executive of digital channels at MasterCard, shared the technical details for how Apple Pay will work when it is launched next month.

When a consumer wants to make a transaction with EMV debit or credit cards today, the card’s chip and the point-of-sale terminal generate a cryptogram — the transaction’s security key — and attach it to the consumer’s personal account number (PAN). The cryptogram is generated, in part, by the chip on the card, which was previously given to the consumer by the issuer. The cryptogram is then sent back to the issuing bank, which processes the transaction.

Because the issuer — in other words, the banks that work with the card networks — gave the consumer his card, the issuer is responsible for the quality and security of the cryptogram.

In transactions, Apple Pay will not only use a cryptogram, but a token as well. Lambert explained that the networks — Visa, MasterCard, and American Express — will generate the tokens which, in the case of Apple Pay, will be a 16-digit number that looks exactly like a credit card number, but it generated dynamically.

The process starts when a consumer inputs his credit card into his iPhone. When the card is inputted — the iPhone 6 allows for the card to be inputted via scanning — the networks send a token and a cryptogram to the iOS device, which stores them on a special chip (more about that in a moment). The iOS device, in this state with the cryptogram and token installed, is known as the “token requester.” (Some fintech folks had wondered whether Apple would be the “token provider,” but in actuality it — or its devices, really — are “token requesters.”) Again, Apple stores the token and cryptogram data on the phone in a “secure element” — which is a separate, secure chip within the iPhone especially dedicated to its security. This secure chip is also the only element within the device that can produce a token and cryptogram.

Getting back to our transaction, the consumer walks up to a checkout counter holding his iPhone stocked with a token and cryptogram. Apple Pay asks the consumer whether he wants to pay using his device and the NFC terminal sitting there on the checkout counter. He “says” yes in only one way: by using his fingerprint scan. This is the only authentication of the transaction.

This authentication prompts the “secure element” to send the token and cryptogram to the merchant. The network decrypts the cryptogram and determines whether it is authentic or not. If it is deemed authentic, the network will pass it along to the issuer (i.e. the bank), which then decrypts the token. In other words, every party to the transaction decrypts something.

Once the issuer decrypts the token and determines that it is authentic, the issuer/bank authorizes the transaction. Money is then credited to the merchant and marked as an amount owed by the cardholder.

This all happens in a split second.


During in-store transactions, Apple will be passing the cryptogram and token to merchants via NFC, and Apple will be paying a “card present” rate in NFC purchases, Lambert confirmed to Bank Innovation. However, when using Bluetooth Low Energy (BLE), presumably how the iPhone 5 and 5S will do payments, or when making an in-app purchase using Apple Pay, the transaction fee will be the equivalent to a “card-not-present” rate.

We asked Lambert to discuss how the iWatch would be authenticated for payments, but he declined to give specifics since that information is not yet public.

There are a number of interesting implications here. First, while it may seem that Apple isn’t using any new technology, Lambert maintains that the combined use of tokens and biometric security features distinguishes Apple Pay from others. Second, Apple will not be handling the tokenization — the credit networks like Visa and MasterCard will be doing so. This essentially takes Apple out of the payment process — Lambert said that Apple will be acting “more as a channel and not a party,” and Apple already said in its major product announcement this week that it will not retain any transaction data. With Apple acting as a payment conduit and not a processor, it would already see little data, but Lambert said Apple has put up “some Chinese walls” to further prevent it from gaining access to payment data.

Lambert said that MasterCard was “extremely confident” in tokenization technology and said that each network is offering their clients different tools and kits to help banks and merchants work with tokens. With token technology poised to take off thanks to Apple Pay, look for the credit networks to use their tokenization technology as another potential revenue stream. Say it with me: “Thank you, Apple.”

35 thoughts on “Here’s How the Security Behind Apple Pay Will Really Work

  1. […] Apple Pay’s security have been unveiled by MasterCard executive Jorn Lambert, who spoke to Bank Innovation, explaining how each transaction will be […]

  2. […] Apple Pay’s security have been unveiled by MasterCard executive Jorn Lambert, who spoke to Bank Innovation[2], explaining how each transaction will be […]

  3. […] via Here’s How the Security Behind Apple Pay Will Really Work | Bank Innovation. […]

  4. […] Apple Pay’s confidence have been denounced by MasterCard executive Jorn Lambert, who spoke to Bank Innovation, explaining how any transaction will be […]

  5. […] an interview with Bank Innovation, John Lambert, Group Executive of Digital Channels at Master Card shared a few technical details […]

  6. […] Tokenization is not mentioned in the contactless specifications. It is described instead in the separate Payment Tokenisation specification. There should be no difference between tokenization in contact and contactless transactions. As I explained in the second post, a payment token and expiration date are used as aliases for the credit card number (known as the primary account number, or PAN) and expiration date. The customer’s device, the POS, and the acquiring bank see the aliases, while the issuing bank sees the real PAN and expiration date. Translation is effected as needed by a token service provider upon request by the payment network (e.g. MasterCard or Visa). In the case of Apple Pay the role of token service provider is played by the payment network itself, according to a Bank Innovation blog post. […]

  7. […] seen a Bank Innovation blog post that tries to explain how Apple Pay works in terms of EMV and Tokenization. But that post is […]

  8. […] more, check out this interesting explanation from Bank […]

  9. […] Pay provides secure access to your credit card not using the details of the card itself, but as an encrypted representation of […]

  10. […] Pay provides secure access to your credit card not using the details of the card itself, but as an encrypted representation of […]