Apple Pay Retaining More Card Data Than It Claimed?

The security system associated with the soon-to-be-released Apple Pay has been nearly universally praised as a significant advance in helping mobile payments go mainstream.

Apple’s two-factor authentication, which pairs something one has (a phone) with something one is (a biometric scan), is considered superior to the two-factor protection offered by EMV. EMV pairs something one has (a card) with something one knows (a PIN), which is considered superior to a plain swipe card but less secure than the biometric, since a PIN can be stolen or guessed in a way a fingerprint really can’t be.

The second feature of Apple’s security package is tokenization, which prevents merchants from ever seeing customer card data as plain, readable text.

Unfortunately, it seems the tokenization part of the security protocol may not quite be working as well as initially hoped.  According to Venture Beat, “the payment token (at least the one used for in-app purchases, as the company has not released enough technical details about in-store purchases) contains encrypted cardholder data — primary account number, expiration date, and cardholder name — which in my opinion reduces the Apple Pay security score a bit.”
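The distinction Venture Beat is drawing is between a reference token (a random surrogate that carries no card data, with the real PAN held only in the token service provider's vault) and an encrypted-payload token (the cardholder data itself, encrypted, so anyone who obtains the key gets PAN, expiry and name back). The Python below is an added illustration of that difference, not Apple's design or any code from the original post; the sample card record, the vault class and the toy HMAC-based stream cipher are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample cardholder record for the demo; not real card data.
SAMPLE_CARD = {"pan": "4111111111111111", "exp": "12/27", "name": "A CARDHOLDER"}


class ReferenceTokenVault:
    """Vault-style (reference) tokenization, as a hypothetical token service
    provider: the token is a random surrogate and the card data lives only in
    the vault. Nothing in the token is derived from the card, so a merchant,
    or an attacker who copies the merchant's database, learns nothing from it."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, card):
        token = secrets.token_hex(16)  # 128 random bits, unrelated to the PAN
        self._vault[token] = dict(card)
        return token

    def detokenize(self, token):
        # Only the vault holder can map the surrogate back to card data.
        return dict(self._vault[token])


def _keystream(key, nonce, length):
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only: not
    authenticated and not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_token(key, card):
    """Encrypted-payload tokenization: the token *is* the cardholder data
    (PAN, expiry, name), encrypted under a key. Whoever holds the key can
    recover all of it."""
    plain = "|".join([card["pan"], card["exp"], card["name"]]).encode()
    nonce = secrets.token_bytes(12)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return (nonce + cipher).hex()


def decrypt_token(key, token_hex):
    """Inverse of encrypt_token. Returns None if the result does not parse
    (which is what a wrong key normally produces)."""
    blob = bytes.fromhex(token_hex)
    nonce, cipher = blob[:12], blob[12:]
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    fields = plain.decode(errors="replace").split("|")
    if len(fields) != 3:
        return None
    pan, exp, name = fields
    return {"pan": pan, "exp": exp, "name": name}


def roundtrip_ok(card=SAMPLE_CARD):
    """The encrypted token decrypts back to the full cardholder record."""
    key = secrets.token_bytes(32)
    return decrypt_token(key, encrypt_token(key, card)) == card


def wrong_key_recovers_pan(card=SAMPLE_CARD):
    """Without the right key the PAN is not recoverable from the payload."""
    token = encrypt_token(secrets.token_bytes(32), card)
    result = decrypt_token(secrets.token_bytes(32), token)
    return result is not None and result["pan"] == card["pan"]


def compare_exposure(card=SAMPLE_CARD):
    """What each kind of token exposes under two compromise scenarios:
    the token alone (merchant store leaked) and token plus key."""
    vault = ReferenceTokenVault()
    ref_token = vault.tokenize(card)
    key = secrets.token_bytes(32)
    enc_token = encrypt_token(key, card)
    return {
        # A leaked reference token contains no card data at all ...
        "reference_token_carries_pan": card["pan"] in ref_token,
        # ... and no key turns it back into card data; only the vault can.
        "reference_token_detokenized_by_vault": vault.detokenize(ref_token)["pan"] == card["pan"],
        # An encrypted-payload token hides the PAN from anyone without the key ...
        "encrypted_token_carries_pan_in_clear": card["pan"] in enc_token,
        # ... but a key compromise hands back PAN, expiry and cardholder name.
        "encrypted_token_recovered_with_key": decrypt_token(key, enc_token)["pan"] == card["pan"],
    }


if __name__ == "__main__":
    for scenario, exposed in compare_exposure().items():
        print(f"{scenario}: {exposed}")
```

The practical consequence is where the risk concentrates: with reference tokens, a breach of the merchant yields surrogates that are useless outside the vault; with an encrypted payload, the token is only as safe as the key that protects it, so a key compromise anywhere in the chain exposes the cardholder data the token was supposed to keep out of merchants' hands.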