
justinthesommer

macrumors regular
Original poster
Feb 23, 2014
I was thinking about this the other day... how is it possible for Apple Pay to work on the Apple Watch if it is paired with an iPhone 5? The iPhone 5 or 5s does not have the secure element and therefore cannot securely carry credit card information. CC info cannot be entered on an Apple Watch either, so I wonder how this will work? Anyone have any ideas? Maybe I am reading this wrong.

Scroll to the bottom of this page: http://www.apple.com/apple-pay/
 
I think what they are trying to say is that you can't make payments from your phone because it doesn't have the NFC bands, but you can store your credit card numbers securely and just use your watch.
 
I believe the secure element in the chip is just for Touch ID, not info stored on Passbook, and Apple didn't actually store your credit card info there either. Hence why you don't have to cancel your card when you lost the phone. You just re-add it in your new one.

For Apple Pay, it's actually a matter of secure pairing between these 2 devices since the watch itself will have NFC instead of your iPhone 5.
 
The iPhone 5 or 5s does not have the secure element and therefore is not secure to carry credit card information. CC info cannot be entered on an Apple Watch either so I wonder how this will work? Anyone have any ideas?

I believe the secure element in the chip is just for Touch ID, not info stored on Passbook, and Apple didn't actually store your credit card info there either. Hence why you don't have to cancel your card when you lost the phone. You just re-add it in your new one.

Secure ENCLAVE = in phone's CPU chip = authenticates user via touchID or passcode and informs Secure ELEMENT using their secret message key.

Secure ELEMENT = in the phone / watch NFC chip = stores the user account token and runs the NFC / in-app-payment transaction Java applets.

Here, I made a diagram:

[image: apple_pay_secure_pieces.png]

For Apple Pay, it's actually a matter of secure pairing between these 2 devices since the watch itself will have NFC instead of your iPhone 5.

Yes, and that's where things get interesting.

In an iPhone 6, the secret message key used between the CPU Enclave and the NFC Element is provisioned at manufacturing time. That key is what allows the phone's CPU to send account tokens and payment authorizations to the NFC Element, along with provisioning account tokens with a reference number.

In the iPhone 5 scenario, there can be no such pre-provisioned secret key since the devices were made separately. So how does the phone's Enclave send the account tokens and overall payment authorization to the Watch's Element? What securely binds the Watch to that Phone?

Hmm. I wonder if the Watch itself also has a CPU with Secure Enclave, and it uses WiFi to directly provision itself from Apple's servers with out-of-band authentication coming from the phone. Or something like that. Just waking up today and haven't thought deeply about it.
 
Secure ENCLAVE = in phone's CPU chip = authenticates user via touchID or passcode and informs Secure ELEMENT using their secret message key.

Secure ELEMENT = in the phone / watch NFC chip = stores the user account token and runs the NFC / in-app-payment transaction Java applets.

Thank you for the correction. Like I said, no credit card info is stored on the device, just alias information or whatever it was called.


In the iPhone 5 scenario, there can be no such pre-provisioned secret key since the devices were made separately. So how does the phone's Enclave send the account tokens and overall payment authorization to the Watch's Element? What securely binds the Watch to that Phone?


The way I see it, from my non-technical brain, is Passbook is the card and Touch ID is a proof of yourself (your signature) when you make a purchase with iPhone 6. But for earlier models this proof is in your watch. Whatever that stored this information securely will be in the watch and the info will be stored when you make a sync with your iPhone 5/5s. (you don't use Touch ID on 5s for this kind of task because it doesn't have NFC)
 
Thank you for the correction. Like I said, no credit card info is stored on the device, just alias information or whatever it was called.




The way I see it, from my non-technical brain, is Passbook is the card and Touch ID is a proof of yourself (your signature) when you make a purchase with iPhone 6. But for earlier models this proof is in your watch. Whatever that stored this information securely will be in the watch and the info will be stored when you make a sync with your iPhone 5/5s. (you don't use Touch ID on 5s for this kind of task because it doesn't have NFC)

It's called 'tokens' and it is issued by your financial institution in place of your CC number. The Apple Watch will store the 'tokens' just like an iPhone 6. The iPhone 6 uses your fingerprint to ID you. The Apple Watch, once paired, will use its HR sensor to identify you. If you remove the Apple Watch you must pair or put in a PIN to prove it's you. The HR sensor is a little like keeping your finger on the fingerprint reader all the time.

Here is a FANTASTIC and easy to read explanation of the way Apple Pay works.

http://www.kirklennon.com/a/applepay.html
 
The way I see it, from my non-technical brain, is Passbook is the card and Touch ID is a proof of yourself (your signature) when you make a purchase with iPhone 6. But for earlier models this proof is in your watch. Whatever that stored this information securely will be in the watch and the info will be stored when you make a sync with your iPhone 5/5s. (you don't use Touch ID on 5s for this kind of task because it doesn't have NFC)

Right, except that of course, TouchID is only proof to the phone that the current user has a registered print. It's an optional and convenient shortcut for entering the device passcode.

TouchID does not identify us to the bank, which is why using it does not replace a credit card signature (or a debit card PIN), nor is it even required to use Apple Pay, according to Apple. The passcode can be used instead.

It's called 'tokens' and it is issued by your finical institution in place of your CC number. The Watch will store the 'tokens' just like an iPhone 6.

Which brings up a question. Does the Watch use the same account tokens as the linked iPhone? Or does the Watch get its own set like other iOS devices.

The iPhone 6 uses your fingerprint to ID you.

It uses your fingerprint to ID you as someone who is registered to use it, yes. That doesn't indicate whose finger it was, though.

the Watch, once paired, will use its HR sensor to identify you. If you remove the Apple Watch you must pair or put in a PIN to prove it's you. The HR sensor is a little like keeping your finger on the fingerprint reader all the time.

The idea that it uses HR sensors to ID the user seems to have been made up later on by bloggers. There's no such method that I know of.

More likely, the sensors are simply used as a skin proximity check, as was originally reported.

Which makes me wonder if you could slip a piece of plastic under the Watch, then take the combination over to a different wrist and use it to make purchases, or if it spends extra power actually watching for some kind of heartbeat.

It also depends on whether or not the Watch has to talk to the paired phone for each purchase, something we don't know yet.
 
...Which brings up a question. Does the Watch use the same account tokens as the linked iPhone? Or does the Watch get its own set like other iOS devices.

....Which makes me wonder if you could slip a piece of plastic under the Watch, then take the combination over to a different wrist and use it to make purchases, or if it spends extra power actually watching for some kind of heartbeat.

It also depends on whether or not the Watch has to talk to the paired phone for each purchase, something we don't know yet.

1) All tokens are unique and tied to the serial number of the device. If you replace your iPhone it would get a new token.

2) The Apple Watch monitors your pulse full time. The plastic would have to have a pulse to work.

3) We do know, and you don't need your iPhone with you. You can go for a run with just your Apple Watch and stop by the store and use Apple Pay without having your iPhone. The purchase is a token, and this token would be stored on your Apple Watch until it is in range of your iPhone. The purchase token and the Apple Watch token would then be sent to your bank.
 
1) All tokens are unique and tied to the serial number of the device. If you replace your iPhone it would get a new token.

Sure, but the question was: does the Watch get its own set of tokens?

At least for use with pre-6 iPhones, it would have to. That means using the paired phone to enter account numbers, and then transferring the returned tokens to the Watch. (Or perhaps the Watch getting tokens directly from Apple via WiFi.)

The reason this comes up, is because a prime piece of security cited by Apple, is that the phone can only communicate with (and provision) the NFC section via a secret shared message key that's set at the factory.

When the watch is mated with a phone, there is no such key, so I'm curious about the logistics of provisioning and authentication.

2) The Apple Watch monitor you plus full time. The plastic would have to have apples to work.

Part of a sentence missing?

3) We do know, and you don't need your iPhone with you. You can go for a run with just your Apple Watch and stop by the store and use Apple Pay without having your iPhone. The purchase is a token, and this token would be stored on your Apple Watch until it is in range of your iPhone. The purchase token and the Apple Watch token would then be sent to your bank.

There's no need for the Watch to use the phone to send tokens to our bank. That's done by the merchant terminal.

Re: standalone. That would be handy. Do you have a link to someone reliable saying that the Watch can be used to pay without a phone around?

Thanks!
 
You enter a passcode when you first put on the Apple Watch; only you should know it, and the watch knows it's you, so when you double-click the contacts button to bring up Apple Pay and hold your watch to the terminal, it buzzes and there is a tone similar to that of Apple Pay on the iPhone 6/6+. You use the Apple Watch companion app to input your credit card info so you can use Apple Pay, no matter if you are on an iPhone 5 or later. Apple Watch FTW!
 
...The passcode can be used instead.

And in that case it will represent your ID (signature) much like Touch ID did, and much like when you enter the code to log in the phone, it's to let your phone know that it's you.
Notice the ID in the name?

which is why using it does not replace a credit card signature (or a debit card PIN),

You don't have to sign when you're using Touch ID. You have to sign for a debit card because it's required by law. Naturally Apple will want to work to get rid of this redundancy (using Touch ID & then having to sign) but it will take quite some time.
 
And in that case it will represent your ID (signature) much like Touch ID did, and much like when you enter the code to log in the phone, it's to let your phone know that it's you.
Notice the ID in the name?

The device passcode and TouchID are only used to enable the device app, not as ways to identify that user as the cardholder or to take legal liability.

The latter are what a card PIN or signature are for, and why they're still required... at least until laws and credit card policies can change.

You don't have to sign when you're using Touch ID.

That would be nice, but that's not the way it works.

We still have to sign if the transaction goes above whatever purchase limit the merchant or card scheme has set.

The Apple Pay FAQ even notes it:

[image: apple_pay_signature_faq.png]

A merchant terminal has no idea if an NFC payment app was enabled via retina scan, fingerprint, voiceprint, device passcode, or no passcode at all.

And it doesn't care, any more than it cares whether we keep a physical card secured in a chained leather wallet or not.

The only way a fingerprint could truly ID us as the cardholder, and replace a chip card PIN, is if the print was obtained at a bank, kept on file with them, and compared by them. Something like that has been proposed as a future EMV user authentication method.
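The Enclave/Element split described earlier in the thread (the enclave verifies the user, then speaks to the element under a key shared at manufacturing; the element holds the issuer tokens and runs the payment applet) and this post's point that the terminal and issuer never learn how the device was unlocked, as an added toy model. This is constructed example code, not Apple's, EMV's or any poster's: the message layout, the HMAC-SHA256 "cryptogram", the `atc` counter, the $50 signature limit, the `token_ref` numbering and every key and token value are assumptions made for illustration; real contactless cryptograms use issuer-derived symmetric keys and different formats, and the watch pairing question raised above is deliberately left open here (a foreign element simply fails the shared-key check).

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so adjacent fields cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(struct.pack(">I", len(part)) + part)
    return h.digest()


@dataclass
class SecureEnclave:
    """CPU-side enclave: verifies the user (Touch ID / passcode) and tells the element.
    The only thing that leaves it is a MAC under the (assumed) factory-shared key."""
    shared_key: bytes

    def authorize(self, user_verified: bool, token_ref: int, amount: int) -> Optional[bytes]:
        if not user_verified:
            return None  # no print / passcode: nothing is sent to the element at all
        body = struct.pack(">IQ", token_ref, amount) + secrets.token_bytes(8)  # nonce vs replay
        return body + _mac(self.shared_key, b"authorize", body)


@dataclass
class SecureElement:
    """NFC-side element: holds issuer tokens and builds the per-tap cryptogram.
    It acts only on authorizations that verify under the shared key."""
    shared_key: bytes
    tokens: Dict[int, Tuple[bytes, bytes]] = field(default_factory=dict)  # ref -> (token, key)
    atc: int = 0  # application transaction counter (EMV-style, assumed)
    _used: Set[bytes] = field(default_factory=set)

    def provision(self, ref: int, token: bytes, token_key: bytes) -> None:
        self.tokens[ref] = (token, token_key)  # token + per-token key, never the PAN

    def pay(self, authorization: bytes, unpredictable_number: bytes) -> dict:
        body, tag = authorization[:-32], authorization[-32:]
        if not hmac.compare_digest(_mac(self.shared_key, b"authorize", body), tag):
            raise PermissionError("authorization did not come from the paired enclave")
        if body in self._used:
            raise PermissionError("authorization replayed")
        self._used.add(body)
        ref, amount = struct.unpack(">IQ", body[:12])
        token, token_key = self.tokens[ref]
        self.atc += 1
        cryptogram = _mac(token_key, token, struct.pack(">I", self.atc),
                          struct.pack(">Q", amount), unpredictable_number)
        # Everything the terminal ever sees: no PAN, no fingerprint, no unlock method.
        return {"token": token, "atc": self.atc, "amount": amount,
                "un": unpredictable_number, "cryptogram": cryptogram}


@dataclass
class Terminal:
    """Merchant terminal: supplies the unpredictable number, forwards the tap and applies
    its own signature threshold. It has no field for how the device was unlocked."""
    signature_limit: int  # merchant / scheme rule in cents (assumed $50 below)

    def tap(self, element: SecureElement, authorization: bytes) -> dict:
        tap = element.pay(authorization, secrets.token_bytes(4))
        tap["signature_required"] = tap["amount"] > self.signature_limit
        return tap


@dataclass
class Issuer:
    """Issuer / token service: recomputes the cryptogram from the token key and
    rejects a transaction counter that does not move forward."""
    token_keys: Dict[bytes, bytes]
    last_atc: Dict[bytes, int] = field(default_factory=dict)

    def verify(self, tap: dict) -> bool:
        key = self.token_keys.get(tap["token"])
        if key is None or tap["atc"] <= self.last_atc.get(tap["token"], 0):
            return False  # unknown token, or a replayed / out-of-order tap
        expected = _mac(key, tap["token"], struct.pack(">I", tap["atc"]),
                        struct.pack(">Q", tap["amount"]), tap["un"])
        if not hmac.compare_digest(expected, tap["cryptogram"]):
            return False
        self.last_atc[tap["token"]] = tap["atc"]
        return True


def run_scenario() -> dict:
    """Walks the pieces through the cases argued about in the thread. All values constructed."""
    factory_key = secrets.token_bytes(32)
    token, token_key = b"constructed-token-0001", secrets.token_bytes(32)
    enclave, element = SecureEnclave(factory_key), SecureElement(factory_key)
    element.provision(ref=1, token=token, token_key=token_key)
    terminal, issuer = Terminal(signature_limit=5000), Issuer({token: token_key})
    out = {}
    tap = terminal.tap(element, enclave.authorize(True, 1, 1299))  # $12.99, user verified
    out["small_purchase_ok"] = issuer.verify(tap)
    out["small_purchase_signature"] = tap["signature_required"]
    tap2 = terminal.tap(element, enclave.authorize(True, 1, 8000))  # $80: still a signature
    out["large_purchase_ok"] = issuer.verify(tap2)
    out["large_purchase_signature"] = tap2["signature_required"]
    out["unverified_user_blocked"] = enclave.authorize(False, 1, 100) is None
    try:  # an element without the factory key (the watch question) rejects the phone
        SecureElement(secrets.token_bytes(32)).pay(enclave.authorize(True, 1, 100), b"\x00" * 4)
        out["foreign_element_rejected"] = False
    except PermissionError:
        out["foreign_element_rejected"] = True
    out["replay_rejected"] = not issuer.verify(tap)  # captured tap replayed at the issuer
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point to take from `Issuer.verify` and `Terminal.tap` is that neither has an input describing the unlock method: Touch ID only gates whether `SecureEnclave.authorize` produces anything, and the signature prompt is purely the terminal's amount rule.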
 
The device passcode and TouchID are only used to enable the device app, not as ways to identify that user as the cardholder or to take legal liability.

The latter are what a card PIN or signature are for, and why they're still required... at least until laws and credit card policies can change.

What you're saying is getting into technical terms that I don't even wanna go into. What I'm talking about is the general concept.



That would be nice, but that's not the way it works.

We still have to sign if the transaction goes above whatever purchase limit the merchant or card scheme has set.

The Apple Pay FAQ even notes it:


A merchant terminal has no idea if an NFC payment app was enabled via retina scan, fingerprint, voiceprint, device passcode, or no passcode at all.

And it doesn't care, any more than it cares whether we keep a physical card secured in a chained leather wallet or not.

The only way a fingerprint could truly ID us as the cardholder, and replace a chip card PIN, is if the print was obtained at a bank, kept on file with them, and compared by them. Something like that has been proposed as a future EMV user authentication method.

Unfortunately, you are simply wrong, or dead wrong, whichever you prefer. You don't need to sign when using Apple Pay with a credit card. But Apple doesn't control all the chains in the system, hence the quote from Apple you captured. It just tells you: look, sometimes you might need to sign. If you're right, the user will have to sign every single time, which is not the case here.
Are you using Apple Pay with an iPhone 6/6s?
 
What you're saying is in the realm of too technical term that I don't even wanna go there. What I'm talking about is the general concept.

The general concept is easy:

TouchID means nothing special to the merchant's terminal or your bank. Heck, they don't even know when it's been used. It's not part of the transaction. At all.

Unfortunately, you are simply wrong, or dead wrong whatever you prefer. You don't need to sign when using Apple Pay with credit card. But Apple doesn't control all the chains in the system, hence the quote from Apple you captured. It just tell you: looks, sometimes you might need to sign.

Apple doesn't control any of the chains. To the networks, it's just another contactless credit card transaction, and will trigger the same rules.

If you're right, the user will have to sign every-single-time which is not the case here.
Nobody said you had to sign every time. As I noted, and as any credit card or NFC payment user knows, many merchants nowadays only require signatures above a certain threshold.
 
Nobody said you had to sign every time.

And when you don't sign, it's Touch ID that confirms your identity, much like your signature confirms the purchase was made by you. So yes, it's a part of the process, in which you are wrong again, here:

It's not part of the transaction. At all.

_________________________________

As I noted, and as any credit card or NFC payment user knows, many merchants nowadays only require signatures above a certain threshold.

As I said, Apple doesn't control everything, so the rules & regulations of each store may differ; however, for a credit card purchase, there is no amount threshold. You're confusing THAT with a debit card transaction. The best scenario for a credit card purchase is that you don't need to sign at all, whatever amount you paid. Just hold your iPhone 6 with your thumb on Touch ID to confirm your identity and go. (Of course the rules of the store or CC company vary, but we're talking about the optimum situation, which most Apple Pay partners are providing.)
It is very simple really.
 
Wow, I can't believe how far behind the US is when it comes to payments.

You don't half make it look difficult.

Bring Apple Pay to Europe where we are ready and waiting.
 
And when you don't sign, it's Touch ID that confirm your identity..

Again, no. TouchID is not any part of an EMV purchase transaction authentication. It has nothing to do with identifying the user to the merchant or bank. Heck, it's not even required.

TouchID is meant to make the transaction easier and quicker, while making the user feel safer.

As I said, Apple doesn't control everything so the rule&regulation of each store may differ however, for a credit card purchase, there is no amount threshold. You're confused THAT with debit card transaction.

Debit cards use a PIN.

Credit cards use a signature.

As any American knows, you're asked for a signature above the merchant's cut off, which depends on the type of merchant.

The best scenario for credit card purchase is.. you don't need to sign at all.. whatever the amount you paid.

That's possible, but Apple Pay does not get any special treatment in that respect.

It's treated like any other contactless payment, whether it's a card, Apple Pay or Google Wallet.

Wow, I can't believe how far behind the US is when it comes to payments. You don't half make it look difficult.

Yeah, the signature thing in the US is an out of date requirement, but easier than remembering a PIN for every card. Americans tend to use multiple cards (such as store specific cards), so not requiring PINs is seen as important for earlier adoption.

Bring Apple Pay to Europe where we are ready and waiting.

You'll still need to enter a PIN above the contactless limit, and Europe seems to have low limits.

Australia seems a good choice. They have, what, about a $100 contactless limit.
 
Heck, it's not even required.

I'm not sure why you want to keep being wrong, but it's amusing. Try using Apple Pay when your thumb isn't on Touch ID. Guess what'll happen? You think there will be an option to sign instead? No. You have to use a physical card for that.
It's a part of the process. Where the info is being used is irrelevant. When you're using a credit card for a purchase, your signature isn't transmitted when the card is swiped either, but without your signature the transaction won't be complete.
Conceptually Touch ID is the same as your signature. If you want to argue, using selective evidence that proves the contrary just to be defensive, then carry on. But it's futile.

That's possible,

Possible? You go on and on but you don't know this for a fact?
It happens every day. It is the core of the design. Look at videos on YouTube to educate yourself. The steps in Apple Pay are like this:
1. When your phone is close to the NFC terminal the screen will light up, with your default card selected. You don't have to do anything.
2. Put your thumb on Touch ID. There'll be a blink sound and you're good to go. No signature required.

Steps other than this is just the doing of incomplete & not fully compatible systems.
 
^^
I thought Whole Foods required a signature for anything over $50. Is that not the case when using your phone with Touch ID?
 
^^
I thought Whole Foods required a signature for anything over $50. Is that not the case when using your phone with Touch ID?

While signature may be required they are not checked. Next CC purchase you make with a digital pen just draw an X, a heart or sign it Barack Obama and hit done.
 
While signature may be required they are not checked. Next CC purchase you make with a digital pen just draw an X, a heart or sign it Barack Obama and hit done.

Sure but you still have to do something, meaning Touch ID does not replace a signature if it's required.
 
Sure but you still have to do something, meaning Touch ID does not replace a signature if it's required.

That is correct.

TouchID is used to enable the device & Apple Pay app, but it has nothing to do with whether or not a purchase signature (or PIN) is required, nor... as so many people have found out... does it replace one when it is required.

While signature may be required they are not checked. Next CC purchase you make with a digital pen just draw an X, a heart or sign it Barack Obama and hit done.

If you're gonna do that, the "X" is a better choice. (Personally I make the same swirl action each time.)

Actually signing someone else's name... even as a joke... could turn out to be a bad idea in case there's ever a dispute and it goes to court.

In France I never had to do a signature, so touch ID is ready for France :p

Yep, no signature required for you :)

Instead, you'll still have to enter your card's PIN when above the contactless limit.
 
Sure but you still have to do something, meaning Touch ID does not replace a signature if it's required.

If is the key word. An exception is not the rule. It just shows how primitive this industry is.
 
There should be a companion app that has to be downloaded to the iPhone so the watch can be paired with the iPhone, and you can change the settings of the watch through the iPhone 5, 5s and 5c. I think that is how Apple Pay is going to work with the phones I mentioned.
 