Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all.
- Apple Pay’s NFC uses EMV. EMV is a standard that has been implemented in both the chip and contactless variants for payments. Apple Pay is effectively the first wide-scale system that uses the EMV Token standard released this year.
- Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and PayPass) has its own variances. Some encrypt certain elements or require certain fields, and others do not. Apple Pay understands these rules and will transmit the proper data regardless of whether you are using a Visa, MasterCard, Amex, or Discover (or, potentially, PayPal).
- Apple Pay is only the NFC implementation of those technologies. There is no P2PE included. It’s just the digital version of the physical card. The terminal still must have that feature turned on for you to take advantage of P2PE.
- EMV, by default, transmits some data that PCI DSS considers sensitive as routing information. With this implementation, EMV Tokens are transmitted through the system, but the payment brands’ position is that they must be protected just like a PAN. In the case of a normal EMV transaction (chip), PANs are in the clear. You need to be aware that EMV by itself, or Apple Pay’s EMV Token implementation, will not stop someone from taking credit cards (or Tokens) off your network. You must deploy some form of P2PE in the terminal to address that.
So, even though Apple Pay is using EMV Tokens, they are actually valid card numbers in the sense that they have to be backwards compatible. P2PE is still one of the better options for securing this data across your enterprise and reducing your scope dramatically.
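To make the backwards-compatibility point concrete, here is an added example (not from the original post or from Apple) of the kind of PAN-discovery check a PCI DSS scoping exercise runs over logs and network captures. All card numbers in it are constructed test values: a token that is format-compatible with a PAN passes the same length and Luhn checks as a real card number, so a scanner flags both and both fall into scope.

```python
"""
Added example: a minimal PAN-discovery scanner of the kind used in PCI DSS
scoping. It shows that a card-compatible EMV payment token is indistinguishable
from a real PAN to such a check. All numbers below are constructed test values.
"""
import re

# 13-19 digit runs, optionally separated by spaces or dashes (ISO/IEC 7812 PAN lengths)
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid PAN-like digit strings found in text, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """PCI DSS display masking: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed log lines: a chip PAN, a constructed card-compatible token, and a
# 16-digit order id that is not Luhn-valid (shows the scanner rejects it).
SAMPLE_LOG = [
    "2014-09-23 10:01:02 POS07 chip txn pan=4111111111111111 amt=24.99",
    "2014-09-23 10:02:17 POS07 nfc txn pan=4895370000000007 amt=8.50 wallet=applepay",
    "2014-09-23 10:02:18 POS07 order_id=3100000000000000 status=approved",
]


def scan_log(lines):
    """Return (line index, masked PAN-like values) for every line scanned."""
    return [(i, [mask_pan(p) for p in find_pans(line)]) for i, line in enumerate(lines)]
```

Both the chip PAN and the token line are flagged, which is exactly why the token data must be protected like a PAN unless P2PE keeps it out of the network in the first place.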