Is Apple Pay really that secure, though?
There's one thing that has bothered me for a while and I cannot get an answer on Apple's discussion forums. There is at least one merchant where my paper receipt contains the last 4 digits of my ACTUAL credit card, even though I use contactless pay. This happens regardless of whether I use my iPhone or my Apple Watch to pay, and regardless of which credit card I use. Everywhere else, the last 4 digits will be those of the device account number, as they should be. At this particular merchant, payments show up on my credit card bill as having been paid using the contactless method (as they should). But the paper receipt I get baffles me.
What does it mean that the last 4 digits of my ACTUAL credit card are always printed on the receipts from this merchant? Are they receiving my actual credit card number when I use Apple Pay? They shouldn't be, and it bothers me to no end only because it means Apple Pay may not be as secure as Apple claims.
I don't know for certain, but I suspect this is what's happening:
Apple Pay generates a unique token, which is passed to the vendor's terminal. The vendor's terminal passes the token to the credit card processor/bank, and the credit card processor/bank returns the information to the vendor's terminal. Perhaps this particular bank has chosen to pass back the actual last-four. Perhaps they're not supposed to pass back the actual last-four but are doing it anyway? It may be worth an inquiry.