I have a iPhone 5S, but don't want the watch. I wonder if I can still make online payments with it instead?
In theory, Apple Pay could use the main CPU's Secure Enclave as an Secure Element... and I think they even patented such a method... but my gut tells me this is Apple and they want us to upgrade our phones instead
As cool as this sounds, I don't understand how this is going to gain traction if it's limited to people with the latest iPhone or Apple Watch.
If you mean Apple Pay, well... in a few years, most people will have the latest iPhone.
If you mean NFC payments in general, MC and Visa are pushing very hard for USA merchants to include support when they convert to EMV terminals by late 2015.
Considering how they are touting their hardware security measures, don't expect them to allow non-iPhones to use Apple Pay.
Many non-iPhones have Secure Elements either internally or have support for one in a SIM. So that's not an issue.
Of course, they don't have TouchID, but then, neither does the iPhone 5 or 5C, and Apple says those can be used with the AWatch to pay. So it doesn't sound like TouchID is a hard requirement.
With Apple Pay, your iPhone creates a virtual credit card.
To be specific, the backend systems (CC scheme or banks) will create the virtual card number when we register a real one. The real info will not be kept in the phone. Only the virtual (token) one will be.
Also any bank specific graphics associated with that particular card will be sent back to the phone to display.
The NFC terminal doesn't realise it's not a real card. It send the data about the credit card for example to Visa, Visa has worked with Apple and figures out that this is an Apple Pay virtual credit card and accepts it, so the NFC terminal accepts your card.
Yep. The virtual account number will have a special bank identifier (just as current cards do) to indicate that it's a tokenized value, so the system will know it must look up the real account number.
The nice thing is that this virtual credit card will be used only _once_ for that one payment.
Apparently the token card number itself will not change very often, if at all. There's no need for it to, since you cannot do anything with it, without knowing the other device and transaction specific cryptograms that will be sent along with it.
It's the same reason why there's usually no encryption of chip & PIN card numbers. Also, there are a limited number of account numbers available. Rotating them constantly is wasteful.