From this article in the Washington Post:
How does the merchant’s system take that information and run a credit card authorization, and subsequent settlement? I just don’t understand the information path if the merchant never even sees a credit card number.
I’m interested, too. Apple is claiming that this is much, much more secure than our current way of swiping a debit card. I want to understand more before I rely on their claim.
When MBNA was a thing, I had a little desktop app from them that I got with my account, where I could enter a limit and an expiration date and generate…a whole new card with a unique number! I could use it anywhere I was able to use a credit card number (online, of course) and the credit was applied to my real card.
It was especially great for signing up for 60-day-free-trial stuff. Set the thing to expire in 30 days, with a limit of under what the renewal price would be, and there was a guarantee that I wouldn’t be charged!
Anyway, I’m guessing that the Apple Pay works the same way and there is some sort of agreement in play with one of the credit card companies. You’re really getting a valid Visa number and Visa is aware of it and allows the proxy number to be charged, and Apple is able to turn around and charge your real card number that they have access to on the chip in your phone.
Apple’s system goes one step further and does double tokenization.
When you add a card to your phone’s “digital wallet”, it asks the card network for a “Device Account Number”, a per-device token. That’s the number that is stored on the phone and not your actual credit card number. The card network remembers which credit card number is assigned with which device token.
Then, when you make a payment, the phone sends the device token to the card network and asks for a transaction token. The card network sends back a new token (presumably one that looks an awful lot like a credit card number) that is then sent to the merchant.
The merchant can then process that transaction token as if it were a credit card, the network knows which real credit card account is associated with the transaction token it just handed out, and you’re charged appropriately without anyone ever sending your real card number.
The nice advantages of this two-token system is that if an attacker with a powerful radio receiver happens to steal the transaction token as it’s transmitted to the merchant, they can’t do anything with it since the card network has already marked it as processed (I guess there could be a problem if the attacker were able to process a payment before the merchant was; but that’s a much smaller attack window than handing your credit card to a server at a restaurant so it’s probably fine).
And if your phone is lost or stolen, you can disable the device token without having to cancel your real credit card. So that’s way more convenient.
It’s a nice system. I like it.
Sources:
http://www.apple.com/apple-pay/