Last month, Apple showed off Apple Pay, its new mobile payment system that is scheduled for release in the next few weeks. While Apple discussed some aspects of Apple Pay during the event last month, there are still many questions that remain regarding the system's security, and the token process, in which Apple gives a merchant a unique identifying number instead of your financial information.
We spoke with Navy Federal Credit Union, USAA, Chase, and PNC—banks who are working with Apple to incorporate Apple Pay—to find out just how secure Apple Pay will be when the "October" release date finally arrives.
"When Apple got in touch with us and showed us their solution [Apple Pay], we were very excited to see what they had been working on and what they had developed, particularly since it was so convenient, secure, and private," said Randy Hopper, vice president of credit cards at Navy Federal, the largest credit union in the United States.
"Certainly security is something that's always on the top of our minds as an issuer, so we had a lot of questions about how the token process works and how the information is exchanged and how it's secured." stated Hopper.
Tokenization replaces your credit card information with a generated number—in Apple's case an encrypted unique Device Account Number—keeping your information away from Apple, merchants, and hackers. That Device Account Number is stored in the Secure Element of your iPhone 6, and is "walled off from iOS, is never stored on Apple Pay servers, and is never backed up to iCloud," according to Apple.
Hopper believes tokenization may soon become a standard feature in banking.
"In the wake of all these large scale compromises [being hacked]—Target, Home Depot, UPS, among others—we want to devalue the payment information that is used to authenticate the payment experience in the environment today," he says.
"Tokenization addresses all points of weakness across the payment system," Hopper said. "We hope that this is a technology that proliferates over time, and I think Apple Pay is a great kickoff to making the payments system more secure from that perspective."
Even though Apple Pay is being touted as an ultra-secure payment method, there is a question of liability if and when something goes wrong. There are few systems hackers haven't been able to breach these days—so now is the time to figure out who will be responsible if such a thing were to happen.
"USAA has a zero liability policy and members are never liable for any losses related to unauthorized [or] fraudulent activity, this does not change with Apple Pay," Vikram Parekh, assistant vice president at USAA Bank tells the Daily Dot.
"The bank has liability for any purchases made when Apple Pay is offered and used as the form of payment. This is true for both face-to-face and for “in-app” purchases," Parekh explains.
Parekh says USAA will offer Apple Pay beginning on "Nov. 7 for USAA MasterCard and USAA Visa cards." Since publishing, USAA has said it does not want to commit to a date at this time.
"Using the Apple Pay functionality is extremely secure and customers are still protected—zero liability for fraudulent transactions still applies," says Chase spokesman Paul Hartwick.
PNC will also extend the full protections it offers on its credit cards for customers who use Apple Pay.
"A digital identifier will substitute for card numbers, protecting customers from potential mass theft of credit and debit card information" says Tom Trebilcock, vice president of digital at PNC Bank, speaking about the tokenization process.
"If card information is ever stolen or misused, the same protections that are in place for those cards are in place for Apple Pay," he says.
Hopper said that the risk and liability is reduced for all parties involved, thanks to the tokenization process that Apple is using.
"From Navy Federal's perspective we're excited about the whole tokenization process," Hopper says. "The whole process of providing a payment token as opposed to the financial account number actually reduces the risk to the system and to everyone participating in it, from the customer, to the retailer, to the payment networks, to the issuer, and to Apple."
Hopper continued, "Obviously Apple has—I think it's been widely reported—over 800 million payment cards on file. That's a risk to them today because they have all of these financial account numbers, and they want to get those out of their hands. The way they're going to do that is through this tokenization process."
"Across the entire payments ecosystem we're encouraged to have these financial account numbers taken out of the system and replaced with a unique device account number, and it really reduces the risk and liability to all participants in the payment system," he says.
Banks will be able to tell whether you paid using Apple Pay, or your standard credit card, thanks to transaction data; Chase and USAA confirmed that they will be able to tell if Apple Pay was used in a purchase.
Hopper says that Navy Federal will "be able to see if the transaction was done over magstripe, if it was done over a chip, or if it was done via NFC (Near Field Communication) or Apple Pay, because of the nature of the data that is going to be passing back to us in the system."
The real question, of course, is when are we going to be able to use this thing? Chase customers will be able to use Apple Pay when it launches. PNC and Navy Federal both say they will offer it "later this fall."
Apple is expected to talk about Apple Pay once again at next week's event, though we've already been given a vague release date of sometime "this month."
Update 6:13pm CT, Oct. 9: This story has been updated where appropriate with new information from USAA.
Photo via jeepersmedia/Flickr (CC BY 2.0) and Apple | Remix by Fernando Alfonso III