The Providential Apple Pay

Apple introduced its new Apple Pay, which allows Apple users with enabled devices, such as the iWatch, to use their devices to check out at participating vendors. The announcement was well received by the industry and industry analysts.

Despite the increased attention to security issues of the payment card industry, people seem to agree that the concept from Apple of keeping your personal information secret and using a random or one time generated token seems providential.

It is too early to tell what impacts Apple Pay will have, but it will surely start the journey away from PCI DSS (Payment Card Industry Data Security Standard). The main players—Visa, MasterCard and American Express—have shown great support to ensure the service works and large retailers are also supporting this change. Mobile operators are also showing support and are devising new SIM cards for 2015.

So the question is—how secure are the devices involved with processing Apple Pay, including the wearable? Should we worry or not?

The iWatch and your iPhone will be available to use with Apple Pay using NFC (near field communication) technology, which already has its concerns. Apple has addressed some concerns by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into Apple Pay. This new approach keeps personal information on the device—instead of moving account data into storage servers within easy reach of thieves.

What happens if you lose your iPhone or iWatch? Some argue that you could lose your wallet as much as one of these devices, however due to the potential to access an enormous amount of personal data, the security and personal information on these devices today is of greater concern.

Although Apple has tried to address security concerns there are still some legitimate questions from a normal user perspective. How does someone verify a legitimate Apple Pay terminal or application on their device? What security does the mobile network provide on their end?

As with all new features and technology, I would suspect that elite criminal hackers may already be identifying opportunities to steal identities and mass-harvest payment card information from this new service.

What do you think—will Apple Pay be secure? As auditors and security experts, where do we stand and how are we preparing for this technology?

Kris Seeburn

[ISACA]