
Perspex: What You Should Know About Apple Pay

Updated on January 14, 2015

Could the wallet and cash and credit cards become obsolete?

If Apple Pay and other makers of new soft-plastic have anything to say about it, the answer is yes.

But why would we want to get rid of credit cards, and what’s wrong with cash? Consider the following: In 2014, credit card breaches cost credit agencies and merchants hundreds of millions of dollars. It cost credit unions and community banks approximately 200 million dollars to reissue about 21.8 million credit cards. And one retailer, Target, says it will spend about 100 million to upgrade to new NFC and chip-enabled payment terminals that are compatible with all NFC devices as well as Apple Pay. Black market hackers generated about 53.7 million dollars from stolen and re-sold credit card data, with card numbers selling for somewhere between $18 and $36 depending on card limit. Hacking is big business, but so are new technology and ways to hack-proof payment systems. And here’s why. Consider the following retail hack accounts from 2014:

Home Depot

On September 8th, Home Depot confirmed that any customer who shopped in a U.S. or Canada store from April 2014 forward was impacted by a credit card data breach. According to one security researcher, Home Depot hackers reportedly used the same malware that affected Target.


UPS

On August 20, shipping company UPS discovered malware that could potentially expose the data processed in 51 US stores in 24 states. Customers potentially affected in the breach were notified and offered identity protection as well as credit card monitoring.


Michaels

Nearly 3 million credit cards were impacted by two separate security breaches at Michaels, the arts and crafts store chain in the US. Michaels released this information April 17, 2014. The breach occurred over a period of nine months, and affected 7 percent of cards used in stores.


Target

During the 2013 holiday season, hackers made their way into Target's systems, exposing customers' card data, names, mailing addresses, phone numbers, and e-mail addresses. In January, the retailer announced that the breach potentially affected 110 million customers, or up to one-third of the US population.

PF Changs

P.F. Chang's, the nationwide Chinese food chain, fell victim to hackers who exposed credit and debit card data, as well as card holder names and the cards' expiration dates. A total of 33 locations were affected, but the company has not been able to determine if any specific customer's data was stolen.


LaCie

Using malware, hackers made their way into hardware company LaCie's database, putting anyone who shopped between March 27, 2013 and March 10, 2014 at risk. That's nearly one year of customer data. In response to the attack, LaCie temporarily shut down its online store until its website could be secured.


eBay

eBay's database of names, phone numbers, encrypted passwords, email addresses, physical addresses, and dates of birth was compromised in late February and early March, 2014. It's unclear if the breach gave hackers access to customers' financial info.

Near Field Communication (NFC) is a way of communicating between devices (such as a smartphone and a computer, or a smartphone and a passive tag) that uses electromagnetic radio waves. Bluetooth and WiFi use regular radio transmissions, which are relatively easy to hack. NFC is contactless, which means that the devices (think credit card or debit card, but on your phone as an application) do not have to touch. Instead, they communicate in an electromagnetic envelope when the phone is held near the NFC terminal. A unique encrypted code passes between the two devices, and because it creates a unique identifier for each retailer and each transaction, NFC is reportedly more secure than regular credit card information.

Passive NFC tags, such as those on in-store items, can hold information (such as pricing and SKU information) that can be read by your phone when you hold it near the tag. Holding your phone near the tag places your phone in receiver mode, in which it can gather and read information, which can help users shop more efficiently. These NFC tags, which are passive, cannot transmit or receive any more information than the limited information that is stored. Exchanges between passive NFC and active NFC are finite.

Active NFC means that both devices are able to send and receive information (not just one to the exclusion of the other). Both devices can transmit and receive important information. But that information, at least with Apple Pay, does not include:

  1. your name
  2. your credit card information
  3. the security code on the back of your card

What is noted is the card that you used to make your purchase (but not the card number) and a unique, encrypted transaction number (or token) specific to that merchant and that differs for every transaction. And it is this tokenization that makes Apple Pay different from other purveyors of soft-plastic.

Why is this safer than credit cards and debit cards? Simple, because your card information is not stored on your phone or even by Apple. And even if someone gains access to your phone, you can locate your phone and turn off your Apple Pay with remote “Find My Phone”. And if your phone is stolen, you won’t need to replace your credit cards because again, the numbers are not stored and so are secure.

In NFC the devices speak to each other but all information is encrypted in such a way that it is impossible to work backward to the starting point to obtain the credit card number.
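A simplified model of the tokenization described above, added here as an illustration and not taken from Apple or from this article: a random surrogate stands in for the card number, and an HMAC over the merchant, amount and a counter plays the role of the per-transaction code. All class and function names are hypothetical, and the card number is a constructed test value.

```python
# Simplified tokenization model (assumption: not Apple Pay's actual protocol).
import hashlib
import hmac
import json
import secrets

def one_time_code(key, token, merchant, amount_cents, counter):
    data = json.dumps([token, merchant, amount_cents, counter]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class TokenVault:
    """Issuer side: the only place a token maps back to a card number."""
    def __init__(self):
        self._cards = {}  # token -> [card_number, key, last_counter]

    def provision(self, card_number):
        token = secrets.token_hex(8)   # random surrogate, not derived from the card
        key = secrets.token_bytes(32)  # secret shared only with the phone
        self._cards[token] = [card_number, key, 0]
        return token, key

    def authorize(self, msg):
        entry = self._cards.get(msg["token"])
        if entry is None or msg["counter"] <= entry[2]:
            return False  # unknown token, or replay of an earlier payment
        expected = one_time_code(entry[1], msg["token"], msg["merchant"],
                                 msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False  # forged, or merchant/amount altered
        entry[2] = msg["counter"]
        return True

class Phone:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, merchant, amount_cents):
        # What the terminal receives: no name, card number or security code.
        self._counter += 1
        code = one_time_code(self._key, self.token, merchant, amount_cents, self._counter)
        return {"token": self.token, "merchant": merchant, "amount_cents": amount_cents,
                "counter": self._counter, "code": code}

def demo():
    vault = TokenVault()
    phone = Phone(*vault.provision("4111111111111111"))  # constructed test number
    first, second = phone.pay("coffee-shop", 450), phone.pay("coffee-shop", 450)
    return [vault.authorize(first), vault.authorize(first),   # accepted, then replay
            vault.authorize(dict(second, merchant="other")),  # tampered merchant
            vault.authorize(second)]
```

A merchant database that stores these messages holds nothing that can be reused at another store or turned back into the card number; only the vault can make that link.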

When you make a credit card transaction, your card information is relayed between several points; this is true for Google Wallet and Softcard as well. But with Apple Pay, Apple does not store your credit card information or name anywhere (except in iTunes: if you signed up for iTunes, you can provision your phone to work off your iTunes account, and then also take a photograph of your credit card with your phone and have the bank verify that the card is legitimate).

The new iPhones (iPhone 6 and up; if you have the old iPhone 5, you’re out of luck) incorporate NFC as do most smartphones. In fact, NFC technology is not new – it is about ten years old.

So what’s new now? As of October 2015, all merchants in the United States will be required by law to have NFC compatible terminals. The terminals will read a data chip on a card that is not swiped but is nonetheless read. Apple is betting that since merchants have to have the NFC-equipped terminal, they will opt to have Apple Pay as an easy payment option for consumers, giving Apple a huge market-share if the plan works. In other parts of the world, EMV and NFC are pretty much the standard. But in the United States, only 14% of merchants are currently equipped to handle the new technology.

All of this technology is being used in concert with a technology which Apple says is unhackable – a Touch ID fingerprint with roots in subdural fingerprint imaging. The security checkpoint: a fingerprint, a biometric, is necessary to first unlock the Apple iPhone and is then repeated to make a purchase (touch finger to screen to confirm).

But is this hackable? The short answer so far is no, but Apple Pay has not passed into common use yet, though a lot of stores have it, including McDonalds, Disney, Bloomingdales, Macy’s, Petco, Walgreens, Sephora, and more. According to Apple’s own figures, Apple Pay is accepted by some 220,000 stores and odds are that if NFC is accepted, so is Apple Pay.

And while it does seem for the time being that Apple Pay is the most secure way to pay, almost nothing is infallible. I found two tech guys who were able to spoof the biometric fingerprint check. By making a graphite-infused silicone cast, the two testers were able to get into another person’s iPhone and Apple Pay without having a live hand and fingerprint. How is that possible? The silicone print made from the person’s finger was soft enough to flatten out the way a real finger would and had enough definition that it met the fidelity requirements needed to get into the phone. This again was taken from the person’s actual finger using a relatively soft silicone cast that allowed for a lot of detail in the fingertip swirl.

When the testers tried a second time to spoof the biometric fingerprint security by using a print taken from a photograph (a copy of a copy) that was then laser-etched and silicone cast, there was not enough fidelity for the print to work. For any print to work it needs:

Capacitance, which is the ability to store an electrical charge to operate the touch-screen,


Fidelity - how it compares to the original, how true or accurate the copy is.

In order to be serviceable, a copy needs both capacitance and fidelity. First, it needs to be able to fool the touch screen (using a hotdog, for example, will not fool the touch screen and generally won’t allow you to use the touch features). A silicone mold will work. If the mold then has enough detail and enough flexibility, movability and softness, like a human finger, it meets all capacitance and fidelity requirements and so breezes through the biometric security checkpoint.

How likely is it that someone can get a cast of your fingerprint taken from you? Not very. And with the tokenization and encryption of numbers, Apple Pay has set the safety standard bar for credit higher than it has ever been before.

NFC enabled phone and NFC chip: How they communicate