We have all seen the reports about Apple Pay fraud plastered over the Web. Less informed commentators seem to blame Apple, but is this problem really their fault this time?

As I suggested in my previous blog post on this topic, Apple Pay is nothing more than institutionalized card cloning. The only barrier standing between a fraudster loading your credit card onto their mobile phone, as opposed to your doing so, is a concept called “identity proofing.”

Every time a new credit card is linked to Apple Pay on a mobile device, the card number is sent off to one of the payment networks and exchanged for a “token,” which will be used in lieu of the card number for transactions in the future. Before this exchange can take place, a real-time call is made to the bank that issued the card to request its permission to do so. It’s at this step that many card issuers flounder.

Some of the larger card issuing institutions in the United States have developed thorough identity proofing processes. They might email or text you a sign-up code using information that they have on file for you as a cardholder. So, if someone stole your credit card details, they would not easily be able to pair your card to their device because they would not have access to this code. This neatly demonstrates the principle behind any typical two-factor authentication system.

Other issuing banks, however, opted simply to approve these token requests blindly – or based only on minimal reputational data they receive with the request. This has resulted in Apple Pay racking up fraudulent charges up to 100 times the industry average: from a rate of 0.06 percent on conventional credit card transactions to over 6 percent on Apple Pay at certain issuers. 
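The two issuer behaviours described above, side by side, as an added example that is not part of the original post. The `Issuer` class, the `APPROVE`/`VERIFY`/`DECLINE` strings, the timeout and attempt limit, and the cardholder record are all hypothetical and constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample data: the issuer's own cardholder records (test card number).
CARDHOLDERS = {"4111111111111111": {"phone_on_file": "+15555550100"}}
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class Issuer:
    """Hypothetical issuer answering the network's real-time token requests."""

    def __init__(self, blind_approval, send_code):
        self.blind_approval = blind_approval
        self.send_code = send_code  # callback: deliver a code to a contact on file
        self.pending = {}           # request_id -> outstanding challenge

    def token_request(self, request_id, card_number):
        holder = CARDHOLDERS.get(card_number)
        if holder is None:
            return "DECLINE"
        if self.blind_approval:
            # Weak policy: possession of the card number alone yields a token.
            return "APPROVE"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = {
            "code": code,
            "expires": time.time() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The code goes to the contact on file, never to the requesting device.
        self.send_code(holder["phone_on_file"], code)
        return "VERIFY"

    def verify(self, request_id, submitted):
        state = self.pending.get(request_id)
        if state is None:
            return "DECLINE"
        state["attempts"] += 1
        expired = time.time() > state["expires"]
        match = hmac.compare_digest(submitted.encode(), state["code"].encode())
        if match and not expired:
            del self.pending[request_id]  # single use
            return "APPROVE"
        if expired or state["attempts"] >= MAX_ATTEMPTS:
            del self.pending[request_id]  # force a fresh request
        return "DECLINE"
```

With `blind_approval=True` no code is ever sent and the token is granted on the card number alone; with it off, the token is only granted to someone who can read the cardholder's on-file channel.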

This isn’t Apple’s fault. Or it mostly isn’t. It’s true that issuers weren’t given a lot of time to implement proper verification processes in time for the big launch. But many issuers deliberately opted for a simpler means of onboarding users in order to boost adoption. This was not completely bone-headed of them, seeing as about 80 percent of US iPhone 6(+) users have still never tried Apple Pay.

Apple must be commended for finally ushering in a new era in payment card security: tokenization. Before Apple, tokenization existed, but issuers rarely had a reason to implement the technology, and card networks seldom had a reason to standardize it. The hard part is now over: EMVCo has succeeded in promoting global standards, and card networks and issuers alike have adopted the technology. All that now remains is for issuers to play their part in rigorously verifying the issuance of these payment tokens. If they can solve that problem, it’ll finally spell the beginning of the end for card-not-present fraud. And that will not only benefit Apple Pay, but all of us.


Christiaan Brand

FORMER CTO
