Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
It turns out that the request to add a card does go through Apple, because Apple can add information that the bank can use to approve the request. (E.g. Name, address, zip, phone, device name, iTunes purchase history, your location, etc.)

That's how they're preventing someone from sneaking your card into their own Apple Pay Passbook entry. Their iTunes account info would not match the card info or registered devices.

I summarized the steps in this forum post.

References:

Apple Pay security and privacy overview
iOS Security

You left this out which is the most important part:

"Apple doesn’t store or have access to the card numbers you added to Apple Pay. Apple Pay only stores a portion of your actual card numbers and a portion your Device Account Numbers, along with a card description, to help you manage your cards."

"Data Apple provides to your bank when you attempt to add a card may only be used by them to determine whether to approve adding your card to Apple Pay or improve their anti-fraud protections."

Also, "Apple Pay doesn't collect any transaction information that can be tied back to you. Payment transactions are between you, the merchant, and your bank."

That's all they are doing. You make it sound nefarious. It's not. They don't keep anything you mentioned. In reality the bank confirms your expiration date and CCV number. They already know your address info anyway.

The itunes check would only work for a card you use for itunes it would seem.
 
Last edited:
The itunes check would only work for a card you use for itunes it would seem.

On the contrary, the iTunes account check seems to be an important piece of validation security for registering a new card.

iTunes allows an immediate comparison of, at the very least, the name of the person registering the card versus the name on the card. It'd be pretty unlikely that the bank will automatically let someone with an iTunes account name and credit card on file for John Doe, register a random card from Sue Thomas.

You left this out which is the most important part: (snip)

Apple has stated repeatedly that they do not store the full account numbers themselves. I did not think it needed to be restated.

Moreover, it's certainly not the most important part. Especially since the first card that most people will likely register for Apple Pay, is their default iTunes one that's already stored WITH ITS FULL ACCOUNT NUMBER in Apple iTunes servers.

Either you already trust their servers or you don't.

--

Which brings up this point: token purchases cannot guarantee the account number's security, if we ever use that same card number for any non-tokenized purchases. A chain is only as strong as its weakest link.

In other words, if account number security is really that important to someone, they should dedicate one card to Apple Pay and NEVER use that same card number in the clear in any other way, online or in person.

As previously posted, I already do something similar with my cards. I use one card only in person. One card only for online purchases. And one card only for recurring payments. That way, having one number compromised does not affect the others.
 
Last edited:
On the contrary, the iTunes account check seems to be an important piece of validation security for registering a new card.

iTunes allows an immediate comparison of, at the very least, the name of the person registering the card versus the name on the card. It'd be pretty unlikely that the bank will automatically let someone with an iTunes account name and credit card on file for John Doe, register a random card from Sue Thomas.



Apple has stated repeatedly that they do not store the full account numbers themselves. I did not think it needed to be restated.

Moreover, it's certainly not the most important part. Especially since the first card that most people will likely register for Apple Pay, is their default iTunes one that's already stored WITH ITS FULL ACCOUNT NUMBER in Apple iTunes servers.

Either you already trust their servers or you don't.

--

Which brings up this point: token purchases cannot guarantee the account number's security, if we ever use that same card number for any non-tokenized purchases. A chain is only as strong as its weakest link.

In other words, if account number security is really that important to someone, they should dedicate one card to Apple Pay and NEVER use that same card number in the clear in any other way, online or in person.

As previously posted, I already do something similar with my cards. I use one card only in person. One card only for online purchases. And one card only for recurring payments. That way, having one number compromised does not affect the others.

Apple pay and tokenization will help avoid large data breaches at merchants like the target and Home Depot breaches. That's the key here. It's actually great for merchants. Consumers don't directly pay for fraud charges anyway.

Also, my wife and I share an iTunes account. So it can't only work off just the name with your iTunes account.
 
You're comment makes you look daft

they must be android users.

NFC has been available on various android devices since 2009. I have been able to pay at NFC enabled credit card machines across the country for a long time now. All of these retailers that are mentioned have had NFC enabled credit card machines for quite some time and happily accept SoftCard and more. Don't be daft sir. This comment makes you look ignorant.
 
NFC has been available on various android devices since 2009. I have been able to pay at NFC enabled credit card machines across the country for a long time now. All of these retailers that are mentioned have had NFC enabled credit card machines for quite some time and happily accept SoftCard and more. Don't be daft sir. This comment makes you look ignorant.

I made an Android app that uses NFC several years ago. What's your point?
 
I made an Android app that uses NFC several years ago. What's your point?

The problem was that the Android version was full of restrictions and limitations thanks to the greed of the carriers, preventing it from properly taking off. Also marketing was poor.

People even told me they didn't even know their phone has the ability to make payments and they thought they had to buy the iPhone 6 to be able to get it.

They also didn't partner with any stores to gain turbulence in training their employees. You have a lot of employees who are clueless even though all they have to is push credit.
 
I agree. Google Wallet has been poorly marketed, in addition to carriers jacking it up trying to get their cut (Softcard, secure sim issue). Hopefully it gains traction now Apple has jumped in.
 
I agree. Google Wallet has been poorly marketed, in addition to carriers jacking it up trying to get their cut (Softcard, secure sim issue). Hopefully it gains traction now Apple has jumped in.

Google is still poorly marketing it several weeks after the Apple Pay announcement, unfortunately. I almost wish Sprint (the one holdout) just join Softcard because at least it might support EMV contactless instead of the magstripe NFC solution Google Wallet's using.
 
I realize this is a very old thread... but I wanted to come back and update some information as a small business that I posted earlier.

As expected, my CC processor is finally making available less expensive options for terminals that handle the EMV chip cards and NFC transactions. Before they were only bundling it with expensive monthly plans that go way over the top for features (gift cards, electronic signature, etc).

With the new options: If I had a compatible terminal, it would be $125 for a pin pad that includes NFC reader. I have an older terminal, so it's ~ $300 for a new terminal and pin pad.

At this point, they say no additional monthly charges... BUT... they have not yet enabled EMV or NFC on this class of terminals, so I'm holding off buying until I can test everything and return in the return window if it doesn't work.

Anyway, for $300 one time, I am def looking towards the solution that will accept EMV (chip) and NFC (apple pay).

I did read the suggestions on First Data - but based on my current usage it would cost me $75 more per month to use them based on analysis of my current statements.

As we get closer to the Oct 2015 deadline for EMV, I think we will see a lot more small business accepting NFC. But some that jumped to EMV chip cards early might be stuck in the middle.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.