A Payments Primer

Examining the current state of credit card payments before Apple Pay’s public launch

Naren Hazareesingh
Oct 15, 2014

Since there appear to be a lot of misconceptions around the current state of credit card payments, I’m writing this customer-oriented overview to help clear things up. Please let me know about any inaccuracies, as the underlying technology is quite complex and certain implementations (such as Apple Pay) have not yet been analyzed in real-world use. What follows is my current understanding of the payment space, drawn from the sources below, friends in the industry, and personal experience. I’ve tried to simplify the technical details as much as possible, and focus on traditional retail POS units instead of newer card processors like Square or Stripe.

Terminology

Payment Networks: Visa, MasterCard, American Express, and Discover.
Issuing Bank: The bank that provides the funds used in credit card transactions.
Acquiring Bank: The bank that receives funds from a credit card transaction.
PAN: Primary Account Number. This is the 16-digit number printed on the front of every debit and credit card, and what you think of when you hear “credit card number”.
CVV: Card Verification Value. The CVV2 is a 3–4 digit value printed on the back of the card, and is often requested for online payments. The CVV1 is transmitted to the terminal during a transaction.
Terminal: POS (Point-of-Sale) device that handles transaction processing and communication with the payment networks.
Reader: POS device that physically interacts with a card or mobile phone. The reader and terminal are often the same device.

Payment Methods

Swipe-and-Signature

Swipe-and-sig is by far the most common method of credit card payment in the United States. Your card information, including the card number (PAN), CVV1, expiration date, and cardholder’s name, is all transferred to the terminal in this type of transaction. A signature is required by the card networks for all transactions above $50, and requiring a signature for smaller purchases is at the discretion of the merchant. Requiring a signature for purchases below $25 is currently prohibited by the terms-of-use for all the major card networks, but this is rarely (if ever) enforced.

The practical downside to swipe-and-sig is that all the information necessary to complete any transaction is transmitted from the card to the reader, the reader to the terminal, the terminal to the card networks, and the card networks to both the acquiring and issuing banks. Merchants generally store card data internally to track customers, and this opens the door for large security breaches, such as Target, Home Depot, and Kmart. Swipe-and-sig is also susceptible to man-in-the-middle attacks, where a skimmer is physically attached to a legitimate terminal. Additionally, the signature requirement provides a dubious level of security. Most critically, the signature cannot prevent a fraudulent transaction, though it theoretically could be used to reverse a successful fraudulent transaction.

Chip-and-PIN

Chip-and-PIN is the most common method of credit card payment outside North America. A chip-enabled terminal interacts with the smart chip on the front of the card via a series of challenge-response messages, and does not require either a swipe or full insertion of the card into the reader — only a “dip.” Chip-and-PIN provides two important benefits over swipe-and-sig: encryption and identity verification.

Encryption of the card data transferred to the payment terminal is provided by the EMV (“Europay, MasterCard, and Visa”) specification. This encryption reduces the likelihood of successful skimming attacks, and makes large data breaches near impossible. In the case of an EMV-compliant reader and terminal, the EMV cryptograms are transmitted over the payment networks instead of the card information (though it is possible to decipher these cryptograms under certain circumstances).

The identity verification comes from a PIN entered by the customer before the transaction can complete. Thus a stolen card may only be used if the PIN is known as well. In the case of an EMV-compliant reader and mag-stripe terminal, the reader will still require a PIN but transmit the card details to the terminal as if the card had been swiped. While this is not as secure as a full EMV transaction, the identity verification is still a major benefit over swipe-and-sig.

In the real world, it has been shown that use of chip-and-PIN dramatically reduces fraud. The weaknesses of this system are that the true card data is used in each transaction, and that many terminals in use around the world do not encrypt the PIN and are susceptible to PIN-harvesting attacks.

Chip-and-Signature

Chip-and-sig is exactly the same as chip-and-PIN, but drops the requirement that a customer must enter a PIN to complete a transaction. Chip-and-sig exists primarily because US customers are resistant to using a PIN with credit card payments. Chip-and-sig offers less security than chip-and-PIN, but is an improvement over swipe-and-sig. Chip-and-sig is on track to replace swipe-and-sig at all major retailers in the US over the coming months (more on this later).

EMV Contactless (Mag-Stripe Mode)

EMV contactless in mag-stripe mode operates in a similar manner to swipe-and-sig. The primary difference is that the card still transfers the PAN, expiration date, and cardholder name, but the CVV1 is not transferred. Instead, the terminal and card perform a “handshake,” and a dynamic, unique CVV (called an iCVV or CVV3) is generated by the card. This occurs on a per-transaction basis and is linked to the unique transaction ID, making it extraordinarily difficult to create a new, fraudulent transaction using the provided data. The CVV3 takes the place of the CVV1 and is verified by the payment networks. However, the PAN and cardholder’s name are still exposed and vulnerable, as the transaction runs through the payment networks like a swipe-and-sig payment. Additionally, there is no secondary authentication factor (such as a PIN) to verify the customer’s identity. The card networks prohibit merchants from requiring signatures for this type of payment, though again, this does not appear to be enforced. EMV contactless payments are also subject to lower limits than swipe-and-sig payments due to the lack of secondary authentication. If you have a contactless card without a chip, the card is operating in mag-stripe mode. According to the card networks, there have been zero fraudulent contactless transactions made in the United States since their introduction.
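The sketch below is an added illustration, not code from the EMV specification or any card network, of why a per-transaction CVV defeats replay of skimmed data. It assumes HMAC-SHA256 as a stand-in for the real derivation, and the key, card number, and transaction IDs are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (a well-known test card number, not a real account).
CARD_KEY = b"constructed-demo-key"
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "1712"


def dynamic_cvv(card_key: bytes, pan: str, expiry: str, txn_id: str) -> str:
    """Derive a 3-digit code bound to one transaction ID.

    HMAC-SHA256 is an assumption used for illustration; real cards use the
    derivation defined by the card networks.
    """
    msg = f"{pan}|{expiry}|{txn_id}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


class Verifier:
    """Network-side check: recompute the code and refuse reused transaction IDs."""

    def __init__(self, keys: dict):
        self.keys = keys      # PAN -> key shared with the card
        self.seen = set()     # (PAN, transaction ID) pairs already authorised

    def authorise(self, pan: str, expiry: str, txn_id: str, cvv: str) -> bool:
        key = self.keys.get(pan)
        if key is None or (pan, txn_id) in self.seen:
            return False      # unknown card, or a replay of the same transaction
        expected = dynamic_cvv(key, pan, expiry, txn_id)
        if not hmac.compare_digest(expected, cvv):
            return False      # code was generated for a different transaction
        self.seen.add((pan, txn_id))
        return True


if __name__ == "__main__":
    verifier = Verifier({SAMPLE_PAN: CARD_KEY})
    code = dynamic_cvv(CARD_KEY, SAMPLE_PAN, SAMPLE_EXPIRY, "txn-0001")
    print("genuine:", verifier.authorise(SAMPLE_PAN, SAMPLE_EXPIRY, "txn-0001", code))
    print("replay: ", verifier.authorise(SAMPLE_PAN, SAMPLE_EXPIRY, "txn-0001", code))
    print("reused: ", verifier.authorise(SAMPLE_PAN, SAMPLE_EXPIRY, "txn-0002", code))
```

Note that the PAN and expiration date still travel in the clear in this mode, which is the exposure the paragraph above describes.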

EMV Contactless (EMV Mode)

EMV contactless in EMV mode operates just like a chip-and-sig transaction, but includes the dynamic CVV3 found in mag-stripe contactless. Additionally, EMV mode specifies a shared secret between the card and the issuing bank independent of the payment networks. This has the advantage of encrypting the PAN, expiration date, and cardholder’s name, but also does not provide secondary authentication. This mode is the primary method of contactless payment in Europe. In the US, some newer chip cards operate in EMV mode for contactless payments.

EMV Contactless via Mobile Phone

EMV contactless via mobile phone uses the NFC transmitter found in most modern smartphones to “impersonate” a physical credit card. This type of transaction can be run in either mag-stripe mode or EMV mode as described above (currently, Google Wallet uses this specification in mag-stripe mode). The primary difference between EMV contactless and EMV contactless via mobile phone is that this type of transaction requires a secondary authentication provided by the phone. It is important to note that the secondary authentication is entirely provided by the phone and that the implementation does not involve the card networks in any way. For example, Google Wallet can be configured to require a PIN entry on the device, which will then report that the transaction was originated by a verified identity.

Security & Liability

Tokenization

All the major card networks have supported mag-stripe and EMV transactions for many years. As described above, contactless payments run using one of these two modes and thus do not require major changes on the card network side (aside from implementing verification of the random CVV). However, tokenization requires explicit support from the payment networks, and likely the issuing banks as well. The basic idea behind tokenization is that the PAN and expiration date are not only hidden from the merchant, but are hidden at every step of the transaction process, including (critically) the acquiring bank. This is accomplished by generating either a merchant-specific or card-specific alternate “card number” (which for compatibility reasons conforms to all the requirements of a standard 16-digit card number, with the additional guarantee that the last 4 digits will be identical to the last 4 digits of the true PAN) and expiration date. Tokenization isn’t a new type of transaction; rather, it is an additional layer of security that can be added on top of an EMV contactless via mobile phone transaction. The primary benefit of tokenization occurs when a transaction is run in mag-stripe mode — this ensures that the true card information is not transmitted to the merchant or a malicious entity monitoring the terminal.
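As an added example (not the card networks’ or Apple’s implementation), the token vault below issues a merchant-specific token with the properties described above: 16 digits, a valid Luhn checksum, and the same last 4 digits as the true PAN, with no mathematical link back to it. Drawing the first 12 digits at random and the class and method names are assumptions made for illustration.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed input: a well-known test card number


def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs; the mapping exists only in this lookup table."""

    def __init__(self):
        self._by_token = {}   # token -> true PAN
        self._by_card = {}    # (PAN, merchant) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if len(pan) != 16 or not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a valid 16-digit PAN")
        key = (pan, merchant_id)
        if key in self._by_card:
            return self._by_card[key]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(11))
            # The last 4 digits (including the check digit) are fixed by the PAN,
            # so the 12th digit is the one chosen to make the checksum pass.
            for d in "0123456789":
                token = body + d + pan[-4:]
                if luhn_ok(token) and token != pan and token not in self._by_token:
                    self._by_token[token] = pan
                    self._by_card[key] = token
                    return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can map a token back to the PAN."""
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN, "merchant-a")
    print(token, luhn_ok(token), token[-4:] == SAMPLE_PAN[-4:])
```

Because the token is random, a party that captures it at the terminal learns only the last 4 digits of the real card.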

Card Present

Currently, liability for credit card fraud falls on the issuing banks and/or the merchants. Because fraud is much more likely to occur via online transactions than use of a stolen physical card, the fees imposed by the card networks are higher for online transactions (“card not present”) than physical use at a card terminal (“card present”). Cloud-based mobile wallet solutions such as Google Wallet and Softcard (formerly ISIS Mobile Wallet) operate as “card not present” transactions and fees are higher accordingly. Apple Pay is currently the only mobile wallet that operates as “card present.” [Correction: Google Wallet recently began operating as “card present” for in-store purchases.]

Liability Shift

Currently, the United States only makes up about a quarter of the world’s credit card transactions, but is responsible for half of the world’s fraudulent transactions. Because of this, the card networks are shifting fraud liability to merchants in October 2015 in certain circumstances.

Merchants will be liable for the full amount of a fraudulent transaction if the purchase is made with an EMV chip card on a non-EMV compliant terminal. This encourages the card networks and issuing banks to distribute chip cards to all their customers (all new/replacement credit and debit cards in the US are EMV-compliant), and merchants to upgrade their terminals. One of the most common EMV-compliant terminals is a popular model made by VeriFone, which also happens to include support for NFC. Today, most VeriFone terminals have NFC disabled and the EMV reader blocked while merchants test these new technologies (such as those found at Target, Best Buy, and Express).

Apple Pay

Today, there is only one implementation of tokenized EMV contactless via mobile phone: Apple Pay. While many of the technical details of Apple Pay are still unknown, it combines all of the currently available security mechanisms developed by the card networks and issuing banks.

Data Security: At no point is your real credit card information stored either on an Apple Pay device or on Apple’s servers. The tokenized card data is stored in the “Secure Element” of the Apple Watch and iPhone 6 (not to be confused with the Secure Enclave, which is used to store fingerprint data).

Tokenization: The card number and expiration date received by the merchant is not the actual PAN or real expiration date. There is also no mathematical process to reconstruct the true PAN from the card number used in each transaction. This provides security when NFC readers are used with non-EMV-compliant terminals in mag-stripe mode.

CVV: Apple Pay stores the private key needed to dynamically generate a random CVV in the Secure Element. Unlike cloud-based wallet solutions, this private key is never transmitted over the Internet or even accessible by the iOS operating system.

EMV: At an EMV-compliant terminal, Apple Pay runs in EMV mode. In legacy mag-stripe only terminals, the NFC reader converts the payment information into a swipe transaction and the transaction runs in mag-stripe mode.

Cardholder’s Name: The cardholder’s name is not part of an Apple Pay transaction. This has interesting implications for merchants, but is beyond the scope of this article.

Secondary Authentication: Apple Pay completes the identity verification step using Touch ID instead of a PIN on iPhones. The Apple Watch completes this step automatically, as the watch auto-locks with a passcode when its rear sensor loses contact with the wrist. This does not prevent a malicious actor from attempting to charge an Apple Watch by bringing a portable NFC reader within range of a victim’s wrist [Correction: The Watch requires a double press of the side button to initiate a payment]. However, the Watch will vibrate and display a notification that a payment has been made, and the victim can report the transaction through the usual channels. This is an improvement over traditional contactless cards, which cannot notify their owner when they have been used.

Weaknesses: Touch ID has been shown to be susceptible to highly targeted attacks. If your phone is lost or stolen, it is a good idea to remotely disable Apple Pay with iCloud’s Find My iPhone tool. Unlike the remote wipe, alarm, and message features of Find My iPhone, remote Apple Pay termination occurs on the side of the payment networks (meaning that the phone can be off, offline, or in Airplane Mode but payments will still be disabled immediately). Also, the level of effort required to bypass Touch ID in practice is significant enough to not be a concern for average users.

Accepting Apple Pay

Because Apple Pay is an implementation of a combination of standard card protocols, Apple Pay can be used at any card terminal that accepts NFC contactless payments. Merchants that do not want to accept Apple Pay must disable NFC on their terminals entirely (Target and Best Buy plan to keep NFC disabled on their VeriFone terminals, Walmart’s EMV terminals do not support NFC).

Conclusion

It’s fairly clear that adoption of any of these newer payment technologies will curtail credit card fraud in the US. The biggest barrier to adoption is merchants, but I do not believe the timing of Apple Pay was a coincidence — the upcoming liability shift should greatly increase the number of NFC-capable card readers in operation over the next year or so. Whether Apple Pay is more secure than the alternatives in practice remains to be seen, but it is beyond a doubt safer than traditional swipe-and-sig. In terms of Apple Pay itself, adoption will be limited by the market share of iOS devices (in two years, the lion’s share of actively used iPhones in the US will have NFC). However, if Apple Pay is successful among the millions of current iPhone 6 users, social pressure may spark interest in Android-based solutions like Google Wallet. While we won’t be seeing the end of plastic anytime soon, we can hope that this week will mark the beginning of the end of magnetic stripe purchases in the US.

Sources

http://digitaltransactions.net/news/story/Experts-Differ-on-Whether-EMV-Chip-Cards-Provide-Data-Breach-Immunity

http://www.emvco.com/specifications.aspx?id=21

http://en.wikipedia.org/wiki/EMV

http://images.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf

https://randomoracle.wordpress.com/category/nfc-2

http://pomcor.com/2014/09/20/apple-pay-must-be-using-the-mag-stripe-mode-of-the-emv-contactless-specifications/
