Apple Watch payments: what's the point, and should we worry about fraud?

However, there are discussions on Apple's support platform where users claim that they had to type in their PIN on the merchant's terminal even for a small $7 purchase. I am curious to see what the solution will be. It could be that PIN handling depends on the issuing bank's individual policy.

TRP: We've heard a lot about the security of Apple Pay. Would that be true for Apple Watch, too, or will it come with additional security risks?

RG: Apple Watch works in conjunction with an iPhone, and it's using the same security technology that is based on proven technologies: EMV, NFC and tokenisation. When a new credit or debit card is added to Apple Passbook it doesn't store real card data but only a derived Device Account Number (DAN) on a secure element that is held separate from the operating system and is not part of a backup.

The DAN is a token which is unique for each device and each card. When Apple Watch processes a payment it transmits the DAN and a one-time security code to the POS terminal. When the POS terminal forwards the payment data into the payment network of Visa or MasterCard they match it to the real card data. Neither the device nor the merchant will see actual card data during this process. That reduces the risk of merchants and issuing banks, and it is a much better security level than everything we have seen before.

Moreover, Apple's promise to not track payment activities and keep them private for consumers and merchants should add more confidence than we could probably have with some of Apple's competitors in that area.

TRP: If Apple Pay is so secure why did we see stories about fraud with Apple Pay recently?

RG: The Apple Pay technology provides safety for the payment process by replacing real card data with secure tokens. As fraudsters can't steal data they focused on the enrolment process with issuing banks. At Computop we heard that fraudsters managed to trick banks into enrolling stolen credit cards for Apple Pay. Issuers should have been able to avoid that.

It seems that issuing banks didn't craft their enrolment procedures well enough. For instance, fraudsters used stolen data in order to answer so-called safety questions like the cardholder's mother's maiden name, but that kind of data typically is being stolen from websites together with card data and is available to fraudsters nowadays. That enrolment process is being updated right now.

In short: the devices are safe. Current fraud issues are caused by weak authentication and enrolment procedures at the issuing banks.

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.