Do you have a source for this? I thought the actual card number was stored securely on the device and a token was generated each time you use it.
"Full card numbers are not stored on the device or on Apple servers. Instead, a unique Device Account Number is created, encrypted, and then stored in the Secure Element."
- iOS Security Guide
Does Google Wallet actually use and transmit the real credit card number? If so, that's why it is less fuss. Apple Pay needs the banks to be able to create the alt ID, etc.
Google Wallet uses a virtual account number. Since Google is the sole holder of this token for all the users' real accounts, the users' banks do not have to be involved in keeping track. That's why any card can be registered as a payment source.
Chip and pin isn't that much more secure. As for the lag in a switch over here in the USA that is due to the legal infrastructure around credit cards. Getting that signature is very important.
I don't know of any law requiring signatures. That's a contractual thing between the credit card companies and the merchants. For example, Visa's USA signature requirements (and exceptions) are listed in the Visa USA Operating Regulations.
There are two layers of tokenisation that are going on here. The first one is as above, and is a static token representing your CC number. The second one is the one-time use transaction token generated for each purchase upon initialisation. Seriously read the TUAW article, it explains everything very well.
The account number being represented by a token is the piece that's new to EMV payments.
The one-time transaction cryptogram value is what Chip & PIN / Google Wallet / etc have used all these years to make each transaction unique and unrepeatable.
One IMPORTANT security note. If all the Target and Home Depot transactions had taken place via Apple Pay, there would have been NO MASSIVE CREDIT CARD BREACH.
Yep, or if people had used Google Wallet. But what are the odds of everyone paying via NFC? Zero.
So even better, all merchants should contract with a certified third party token vault, and tokenize their storage of each transaction.
That way, the storage of ALL credit card transactions would be safer... including the far more numerous payments using an actual card.
Convenience isn't the main driver of this. It's security.
Security and consumer trust are drivers, but convenience is also absolutely a main driver. If it was only about security, there'd be a requirement for photo ID validation, a signature, and a PIN... whereupon there'd be almost zero fraud, but longer lines and fewer purchases.
The whole point of the CC companies pushing non-signature purchases, contactless purchases, and so forth, is because they want us to make as many purchases as possible, so that they make more money from the resulting fees. Onerous, ironclad security is the opposite of what the credit card companies want.