Gartner security analyst Avivah Litan argues that many Apple Pay transactions lose the benefit of Apple’s security approach because of point-of-sale (POS) issues.
“Some vendors who certified their payment card applications for point to point encryption left out certification of the contactless payments since there was very little volume in the past and they just didn’t get around to it,” Litan wrote. “What this means is that any contactless payment presented to their NFC readers is ignored by the point to point encryption process and the transactions go into their own ‘suspense’ bucket. Retailers need to be aware of this and work with service providers to implement a compensating payment process flow accordingly.”
Litan also spoke of a “token collision” between Apple Pay’s token approach (courtesy of Visa and MasterCard) and retailers’ own token systems. The Apple Pay “system collides with the merchant or acquirer based tokenization systems the merchants have spent so much money on over the past years in order to secure card data and limit the scope of their PCI” assessments.
She describes the problem: “An ApplePay token will be presented to a merchant tokenization system. The merchant tokenization system will simply tokenize the Apple Token and store that tokenized token in their system for future use since there is no way for the system to distinguish it’s an Apple token and not a credit/debit card. What are the consequences? Merchants could end up with two tokens for one card number.”
“What’s the solution? Big token mapping tables in the sky? Seriously. And Messy. Someone — likely the acquiring processor or even the card brands — is going to have to provide merchants with a table that maps their token numbers to the card issuers’ token numbers (first brought to market by ApplePay). This doesn’t bode well for on premise solutions unless they can be tied directly somehow into these monstrous mapping tables.”
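The collision and the mapping-table fix Litan describes can be reproduced in a few lines. This is an added example, not code from Litan, Apple, or any vendor: `MerchantVault`, `group_by_card` and `acquirer_table` are hypothetical names, the device token is a constructed value, and the PAN is the widely used test number.

```python
import hashlib
import hmac

def luhn_ok(number: str) -> bool:
    """Card-shape check: the only validation this hypothetical vault performs."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class MerchantVault:
    """Hypothetical merchant tokenizer: tokenizes any card-shaped number."""
    def __init__(self, key: bytes):
        self._key = key
        self.presented = {}  # merchant token -> number seen (encrypted in a real vault)

    def tokenize(self, number: str) -> str:
        if not luhn_ok(number):
            raise ValueError("not a card-shaped number")
        mac = hmac.new(self._key, number.encode(), hashlib.sha256).hexdigest()
        token = "MT-" + mac[:16]
        self.presented[token] = number
        return token

def group_by_card(vault: MerchantVault, acquirer_table: dict) -> dict:
    """Group merchant tokens per card. acquirer_table (assumed to be supplied by
    the acquirer or card brand) maps an issuer token to the merchant token
    already held for the same underlying card."""
    groups = {}
    for token, number in vault.presented.items():
        canonical = acquirer_table.get(number, token)
        groups.setdefault(canonical, set()).add(token)
    return groups

PAN = "4111111111111111"           # well-known test card number
DEVICE_TOKEN = "4895370012003478"  # constructed issuer token, Luhn-valid like a PAN

def demo():
    vault = MerchantVault(b"constructed-demo-key")
    swipe = vault.tokenize(PAN)          # card swiped at the terminal
    tap = vault.tokenize(DEVICE_TOKEN)   # same card presented through the wallet
    before = group_by_card(vault, {})                    # no mapping: two "cards"
    after = group_by_card(vault, {DEVICE_TOKEN: swipe})  # mapping: one card
    return swipe, tap, before, after

if __name__ == "__main__":
    print(demo())
```

Without the mapping table the vault holds two unrelated merchant tokens for one card, so anything keyed on the merchant token (returns, loyalty, velocity checks) sees two cards.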
Litan also challenged MasterCard’s contention that the tokens cannot be intercepted and fraudulently used elsewhere. “The one time code numbers that are part of the security scheme are not being accepted or read by terminals and their payment acceptance protocols. At least not yet and not universally. This means that if an ApplePay token is stolen from a merchant, it can be used at another merchant accepting ApplePay, assuming the consumer doesn’t have to use their TouchID biometric to confirm the payment instruction and a hacker somehow steals the consumer’s password. ApplePay token numbers are the same across merchants since they are issuer based.”