What Apple Pay tokenization means for PCI DSS compliance
Apple Pay is a mobile payment system for the Apple iPhone 6 and Apple Watch, and was released in the UK today. It has been making waves in the US for some time because of the attention it pays to securing credit card transactions.
Tokenization, the technology underpinning Apple Pay's security model, is not new, but Apple Pay may provide the big push it needed to go mainstream.
From the consumer's perspective, Apple Pay is an ideal way to conduct a transaction with a merchant because it preserves the consumer's privacy during the transaction. In a normal credit card transaction, the merchant reads the consumer's name and credit card number from the magnetic stripe on the back of the card. (That describes US card transactions; in the UK we have been using chip cards for some time, and Apple has taken a similar approach to these contactless chips in the UK and the rest of the EU via the device's internal NFC chip.) During an Apple Pay transaction, the merchant receives only an anonymized one-time-use code that facilitates the transaction, which is what keeps it secure.
The basic concept is that when a user sets up the technology on his or her phone, Apple Pay authenticates the payment card and sets up a secure trust relationship between the Apple device and the bank that issued the credit card. Once the device establishes the trust relationship, it gains the ability to request tokens that serve as a proxy for the credit card number.
When the device is presented at the point of sale to conduct a contactless payment card transaction, the phone communicates with the payment terminal using Near Field Communication (NFC). The merchant issues a transaction request and the phone prompts the user to verify the transaction and authenticate.
What's unique about Apple Pay, at least on the iPhone 6, is that this authentication uses Apple's new Touch ID biometric authentication features. The phone then sends the merchant a one-time-use token that the merchant can pass along to its payment processor. The transaction then settles normally, without the merchant ever being exposed to the customer's personal information. (The Apple Watch doesn't support Touch ID, so it is believed that a different form of two-factor authentication will be employed in support of Apple Pay transactions.)
Source: http://searchsecurity.techtarget.com/tip/What-Apple-Pay-tokenization-means-for-PCI-DSS-compiance
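To make the flow described above concrete, here is an added Python sketch; it is not Apple's code and not the article's, and the token format, the HMAC-based cryptogram and the counter-based replay check are assumptions standing in for the real network-specific cryptography. It shows enrollment provisioning a token and device key, the phone presenting only the token plus a one-time cryptogram, the issuer-side vault alone mapping that back to the PAN, and replays or amount changes being refused.

```python
import hashlib
import hmac
import secrets
def mac(key, token, amount, counter):
    msg = f"{token}|{amount}|{counter}".encode()  # assumed cryptogram input format
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

# Constructed issuer/token-service model (an assumption, not Apple's or any card
# network's real design): token -> PAN vault plus one-time cryptogram checking.
class IssuerTokenService:
    def __init__(self):
        self._vault = {}    # device token -> (PAN, per-device key)
        self._seen = set()  # (token, counter) pairs already authorized

    def provision(self, pan):
        """Enrollment: after the card is verified, issue a token and device key."""
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, key)
        return token, key

    def authorize(self, payload):
        """Processor forwards the merchant's payload; only here is the PAN seen."""
        token = payload["token"]
        if token not in self._vault:
            return False
        pan, key = self._vault[token]  # the real PAN never left this vault
        expected = mac(key, token, payload["amount"], payload["counter"])
        if not hmac.compare_digest(expected, payload["cryptogram"]):
            return False  # amount or token tampered, or wrong device
        if (token, payload["counter"]) in self._seen:
            return False  # replay of a one-time-use token presentation
        self._seen.add((token, payload["counter"]))
        return True

# Constructed model of the phone: holds the token and key, never the PAN.
class Device:
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, amount):
        """What the terminal receives over NFC: token plus one-time cryptogram."""
        self.counter += 1
        crypt = mac(self.key, self.token, amount, self.counter)
        return {"token": self.token, "amount": amount,
                "counter": self.counter, "cryptogram": crypt}

def merchant_record_has_pan(payload, pan):
    return pan in "".join(str(v) for v in payload.values())  # merchant scope check
```

The merchant-side check is the PCI DSS point: the merchant's records hold a token and cryptogram, not the card number, even though the transaction still settles.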
Right now there is not much of an impact on PCI DSS, as the merchant still needs to be compliant. Eventually, it may be possible to combine Apple Pay with other technologies designed to accommodate non-NFC transactions, such as P2PE and NFC, and this might be a real game-changer for PCI DSS compliance, but it is still at least several years away.