No payment method is entirely safe from fraud. But Apple Pay provides cardholders with several layers of security that can protect against some common forms of credit card theft.
If you want to try Apple Pay, knowing how it works is important as well as how your credit card information is safeguarded and what you can do to stay protected while using it.
What Is Apple Pay?
Apple Pay is a mobile wallet for Apple devices such as iPhones and Apple Watches that allows you to make purchases in stores, in apps and online securely without handing over your credit card information every time.
In a store, the mobile wallet uses near-field communication technology – it allows two devices placed within a few centimeters of each other to exchange data – to transmit your card information. You just need to verify your identity with the Touch ID or Face ID feature, then tap your device to the store’s card reader to process the payment.
To keep your information private, Apple Pay creates a unique token every time you use it, so merchants never get your actual card number. “Instead of being static data that is easily cloned if stolen,” says Andrew Barratt, managing principal at Coalfire, a cybersecurity advisory firm, “it adds some dynamic elements to the data that are used when processing your card payment, making cloning for fraudulent use more difficult.”
What’s more, Apple doesn’t store your card number on your device or its own servers.
Why Apple Pay Is More Secure Than Using a Physical Card
Trusting technology can be scary, especially if you’re accustomed to a certain process. But using Apple Pay can protect your credit card information in ways that using the card can’t.
It requires extra verification. With a physical credit card, all a thief needs to successfully make a purchase is your card and a merchant who doesn’t match cards with IDs. And the four credit card payment networks – Visa, Mastercard, American Express and Discover – no longer require signatures.
With Apple Pay, however, someone who steals your device will have a hard time using it to make purchases. The app requires that you verify your identity using your passcode or the Touch ID or Face ID feature, and the latter two can be tough to fake.
It doesn’t share your card information. Every time you make a purchase with Apple Pay, whether in a store, in an app or online, the mobile wallet creates a unique code for processing the transaction instead of sharing your credit card number.
“The credit card number is never given to the merchant, and when used online, never travels across the internet between your device and the merchant site,” says Thomas Reed, director of Mac and mobile at cybersecurity firm Malwarebytes. “If by some chance a criminal were to intercept this data, it’s a one-time-use code, so it couldn’t be abused in the same manner as a credit card number.”
Your credit card’s EMV chip uses the same technology, called tokenization. But not all merchants have chip readers, and EMV chips don’t work when you make in-app and online purchases. As a result, Apple Pay can especially be helpful for mobile and online shopping, where storing your credit card information could make it vulnerable to data breaches.
Your information can’t be skimmed. If you’re shopping with a merchant who requires you to swipe your card instead of use the chip, the static information on the magnetic strip can easily be stolen if a thief has installed a card-skimming device on the card reader.
Because Apple Pay doesn’t share static information or require a swipe, Barratt says, it’s significantly safer than using a physical card in that way.
It doesn’t store your card information on your device. Apple neither shares your card information with merchants nor keeps your card information on your device or its own servers.
“An attacker who gains access to your device or your iCloud account would not be able to get your credit card information,” Reed says. The same goes if a hacker somehow manages to gain access to Apple’s servers.
You can suspend the service. If you’ve activated the Find My iPhone feature or a similar feature on another Apple device, you can suspend the Apple Pay app by placing your device in “lost mode.” This will keep you from having to cancel all of your credit cards, which is what you’d need to do if you think someone has stolen your wallet.
Tips for Staying Safe When Using Apple Pay
Serious security concerns have not emerged with the technology Apple Pay uses, but some potential pitfalls await if you’re not careful with your device. Here are some tips for ensuring that your device and your credit cards stay safe.
Keep your device passcode secure. Even if you use the Face ID or Touch ID features, you’re required to have a passcode on your Apple device as an alternate way to verify that it’s yours.
If you share your passcode with others or use one that’s easy to crack – such as 0000 or 1234 – it could give them easy access to create their own biometric profile. Biometrics allow consumers to be ID’d and authenticated based on a set of recognizable and verifiable data specific to them, such as fingerprints.
If they can create their own profile, they’ll be able to make purchases through your Apple Pay function.
Set up Face ID or Touch ID. While biometrics aren’t required to use Apple Pay, they’re not as easy to get past as a four-digit passcode.
Don’t allow others to add their biometrics. Permitting a significant other, family member or friend to add Face ID or Touch ID credentials to your phone may not seem like a big deal. But if the relationship turns sour, they’d have easy access to use your Apple Pay app if they can get hold of your device.
Avoid adding cards on an unsecure Wi-Fi network. Public Wi-Fi networks are convenient ways to get online at the coffee shop or the airport. But be wise about what you do when you’re connected.
That’s because hackers can effectively eavesdrop on the information you send from your device to a service or website. Fraudsters can even create a counterfeit mobile wallet registration system similar to Apple Pay’s and lure you into sending them your card information unknowingly.
In general, add your card information to your Apple Pay app at home on your password-protected Wi-Fi network. If you need to change something away from home, consider first setting up a virtual private network.
Act immediately if you lose your device. If someone steals your device or you misplace it in a public place, don’t count on your passcode to keep a thief from gaining access, especially if the passcode is not particularly strong.
“A stolen phone or watch may still be used to make a payment if stolen when unlocked or subjected to an attack that can defeat the unlocking process,” Barratt says.
Access the feature that allows you to place your device in lost mode as soon as you realize the device is gone, even if you think you might find it. That way, there’s no chance of someone using it to make unauthorized purchases.
Making the Most of Apple Pay
If you like the security and convenience that Apple Pay provides, consider setting up one or more cards with the app. If you have multiple cards, adding all of them to the service will allow you to select the right card for the right purchase to maximize your rewards and other benefits, all without needing to carry that card in your wallet.
Keep in mind, though, that not every merchant accepts contactless payments. Check where Apple Pay is accepted to make sure you have the right payment method when you need it. Once you have it set up, Reed recommends using it whenever you can. “It’s faster and more secure,” he says. “I’m a big fan of Apple Pay and wish I could use it everywhere.”