Each year, many consumers have credit cards replaced due to data breaches, stolen card information, card theft and loss.
Even so, most people somehow still trust the swipe of the card. After all, we’ve been doing it for years. You would think that recent experiences with data theft and the inconveniences associated with card replacement would cause us to shun this nearly antiquated form of payment. But apparently, old habits die hard, because even though new smartphone-based, card-free payments are available, many consumers are still leery about the security of these new systems.
Instead of sticking our heads in the sand and ignoring new technology, let’s delve into mobile payment systems and study their new-fangled security implementations. Having the information in your hands will make it easier for you to make a decision on which mobile payment system seems safest to use—if you decide to use one at all.
What Exactly Is Meant by “Mobile Payments”?
Surely by now you’ve seen the ads for Apple Pay. It’s a form of “contactless payment technology” (read: no card swiping involved) where you simply hold your iPhone near the Near Field Communication (NFC) reader, place your finger on the Touch ID and voila! Payment is made with one touch. But how exactly does this work?
It involves using the iPhone’s Passbook feature. Many people already use it to store coupons, tickets, store reward cards and more. Apple now encourages iPhone 6 users to store credit card and debit card information, choose one to be accessed by default, and have that card number dinged for payment when using Apple Pay. According to The Unofficial Apple Weblog (TUAW), Apple pay can also use the same credit card listed in your iTunes account. Either way, when you make a payment, the credit card information is encrypted and “securely sent to the appropriate credit card network.” The card data is validated and then the network sends a “token” back to the iPhone.
For those of us who don’t know how tokens work, in Apple Pay, a token is a 16-digit number that is randomly generated. It’s used more like a placeholder for the actual credit card number. If someone were to steal this number, it would be useless. As TUAW says, “as an additional layer of security, there are mechanisms in place to ensure that the token itself is bound to the phone on which it’s stored and can never be used from another device.”
Apple claims it’s very safe—in fact, once it’s tokenized, no one can see your card number, and the cards you save in Passbook are assigned Device Account Numbers that are encrypted and stored in the Secure Element, which is a dedicated chip in iPhone, iPad and Apple Watch. When you start a transaction via Apple Pay, the phone sends the token to the NFC reader. That way, the reader, the store and anyone else involved can’t see or steal your card number.
The NFC reader then sends that token to the credit card network, which is where the actual card information will be connected to the token number. The network verifies the numbers and then contacts the bank that issued the card to authorize the sale. Once the bank approves, it sends a message through the network to the merchant and the transaction moves forward.
Sounds secure—maybe. But what about lost phones? Apple assures that using the Lost Mode or Wipe feature through Find My iPhone will completely disable Apple Pay.
Google Wallet is throwing competition Apple’s way. It’s the Android equivalent of Apple Pay. You can upload personal credit card information into the Google Wallet app, or you can obtain a Google Wallet Card from Google to use the payment system. Gift cards and store loyalty cards and coupons can also be added and accessed through Google Wallet.
The Google Wallet Card is kind of like a pre-paid credit card and is provided through Debit MasterCard. You upload money to the account either through “a recurring bank transfer” or just when your balance is low. It’s a free card to own, but you must control the money that goes into it. The card itself can be swiped like a credit card or used within your Android phone.
Unlike Apple’s Secure Element, Google uses Host Card Emulation (HCE), in which your card numbers are actually stored on Google’s servers. To use the smartphone-based Google Wallet, you open the app, select the appropriate card, tap your phone on the store’s NFC reader, and then payment information is exchanged with Google’s servers. Then, a one-time-use MasterCard number is sent to the merchant over the network to close the sale. In this way, your credit card number is never seen by the store’s cashier and never stored within the POS system. Unlike Apple Pay, though, Google stores your actual credit card information, which some feel makes its systems still vulnerable for a breach.
Once the sale is complete, the app sends notifications to your phone screen. Google Wallet provides fraud protection and states that it “covers 100% of verified unauthorized Google Wallet transactions in the US.” You can lock the app itself with a PIN for added security, and at wallet.google.com, you can view all of your transactions online. Google Wallet also claims that you can disable Google Wallet from your Google account via the web if your Android phone is lost or stolen. It sounds just about as secure as Apple Pay—if you trust Google to protect your data on its servers.
According to recent news stories, Google has sealed a deal with Softcard, which is the mobile payment system used by AT&T, T-Mobile and Verizon Wireless. With this agreement, the three carriers will sell Android phones that will come with Google Wallet embedded in the smartphones—much like Apple Pay comes with new iPhones. In this way, users won’t have to download an app to use the service and they can access it via these major networks.
Next page: A Third Option