It's still impossible for Google to do it the way that Apple did. Apple had to add hardware to the iPhone 6 for one feature that to me is essential: All the security critical work is done inside a chip that Apple itself cannot access, and if Apple cannot access it, then no hacker and no rogue app can possibly access it, even on a jailbroken phone.
There are some basic misconceptions here.
A Secure Element has to be externally accessible in order to be provisioned and updated. In NFC-speak, this is done by the TSM (Trusted Service Manager). They hold the keys to the kingdom.
In early NFC wallets, it was the carriers who acted as (or contracted out) the TSM role. That's why Google was screwed. They could not install their app in the Secure Element without carrier approval and action, and the carriers wanted to block Google in order to promote their own wallet.
In Apple Pay, Apple is acting as a TSM, since provisioning and updates go through their servers. So yes, Apple can definitely access the SE.
So there is no way that Apple or anyone else except the bank learns your credit card number,
Apple sees the credit card number, expiration, and CVV during user card registration, and they see the token coming back, but they say they do not keep the full numbers.
and there is no way that anyone can charge a card on your phone without you using TouchID.
TouchID is not necessary to use Apple Pay. The device passcode works too. TouchID is a convenience shortcut, not part of the transaction itself.
It's just as impossible for Apple to do this on an iPhone 4 or iPhone 5 as it is for Google on _any_ Android phone.
It's impossible (*) on previous iPhones because they didn't have a Secure Element or NFC transceiver.
However, many Android devices have had one or both for years. Heck, an onboard Secure Element is what Google Wallet used from 2011-2014, because at the time that was the only NFC payment standard. Apple didn't invent that.
Now, some NFC devices (not just Android and not just phones) in the world just have an NFC radio, and the onboard Secure Element comes inside a carrier supplied SIM chip. After all, that's what a SIM is: a Secure Element where Java applets execute to allow access to networks. Adding payment applets and hardware is an extension of basic SIM functionality.
In fact, using a SIM to provide the Secure Element was quite popular at the beginning of NFC in phones/tablets, because again that meant the Secure Element was under carrier control. This method is even used today with NFC capable LTE devices, for Softcard.
IIRC, the Android OS itself currently allows all variations: a built-in SE, an SE in a SIM, or an SE-in-the-cloud, although Google Wallet currently only uses the last option. Of course, now that Google has removed the carrier block... and even gotten carrier buy-in... any method will be possible.
(*) It's not really impossible on any device, as there have been SIMs that include an NFC radio as well. So in theory even the oldest iPhone could have Apple Pay if Apple wanted to support that route.
Last edited: