By now, pretty much everybody has heard about the identity fraud going on with Apple Pay. Stolen card data from the card-not-present channel and even some of last year's stolen Target and Home Depot card data from the card-present channel, seem to be finding its way comfortably into Apple's Mobile Wallet. Effectively, stolen card data is being converted into 'legitimate' Apple Pay 'cards'.
The common view among bloggers and industry experts is that this is not an Apple Pay problem. It basically says that Apple was not responsible, in the first place, for properly authenticating cardholders during the enrollment process. Instead they say it was the responsibility of card issuer to identify the user of the card before it got into the wallet.
I simply disagree. Apple and the payment industry cannot continue to blame each other and hope that the problem will simply disappear somehow. No, it won't happen! y expectation is that, unfortunately, the problem may grow further if nothing is being done to fix it. In my opinion, both Apple and the payment industry bear an equal level of responsibility for the current situation and both could have done a much better job by introducing simple steps that would have prevented it from ever happening.
There are several main issues at play here, which each individually may require separate consideration and analysis.
First Issue - Putting Consumer Convenience Ahead Of Strong Security
The first issue is that consumer convenience took precedence over a strong KYC process and security. My only guess would be that the expectation that Apple products must be completely frictionless contributed a great deal to the pressure to collectively enable an easy enrollment process, potentially knowingly full of security holes.
What Could Apple Have Done To Make the Enrolment Process More Secure?
Apple, as the mobile wallet provider and approved Token Requestor, could and should have taken several steps to secure the enrollment gates. We all know how much pride Apple takes in the fact that they fully control every aspect of iPhone6/6+ production and manufacturing. I assume, by the same logic, that they fully control the NFC chip as well and I believe they could have easily provided a proper Apple Pay Enrollment App capable of:
- Utilizing the NFC chip as ‘mPOS like’ contactless card reader to offer ‘tap & enroll’ method for owners of contactless Visa payWave, MasterCard PayPass and American Express ExpressPay chip-cards to capture card data with dynamic CVV.
- Capturing the cardholder’s digital hand signature, during the enrollment process, especially when manually entering the pure magnetic stripe data into the wallet.
These two measures above, separately or together, would provide a generic and universal solution for securing the enrollment process. Such an Apple Pay Enrolment App would clearly be independent of any issuer’s proprietary or discretionary process. I can only assume that this would be relatively simple to be implemented by Apple and thus effectively convert the current 'card not present' enrolment process (prone to identity theft as with any online purchase) into something that would resemble the much more secure 'card present' process.
What Could Issuers and Payment Networks Have Done To Make Enrollment More Secure?
In retrospect, the card issuers and payment networks also could and should have resisted pressure for a completely frictionless process, by sticking to their guns and insisting on applying proper security measures as part of the process, like:
- If the consumer card is already 3D Secure enabled, use it and let the issuer properly authenticate the consumer
- If the consumer card is already stored inside payment network provided wallets like MasterPass, V.me or Visa Checkout, make sure Apple imports the card info from those wallets - as part of the process, let the digital wallets properly authenticate the consumer
Then the issuers and payment networks should REJECT any card being entered into the Apple Pay wallet, which hasn't successfully passed one or more of the enrollment criteria listed above.
Second Issue - Availability Of Unprotected Card Data
The second issue is the vast availability of unprotected sensitive card data, which can be stolen and used by fraudsters. This is the payment industry's chronic issue, which is hurting it well beyond Apple Pay.
All of today’s plastic cards communicate the PAN, unprotected, to the physical point of sale (POS) terminals. That applies to both magnetic stripe cards and even EMV chip cards. This is currently a somewhat neglected issue by the payment networks, issuers and EMVCo. For example protection of plastic card PAN data in POS transactions is not covered by the "EMVCo Payment Tokenization Specification -Technical Framework", which is mainly focused on mobile NFC / QR based and online payments.
To secure the physical card data in the card-present channel, the payment networks could easily take advantage of the built-in EMV chip computing power and offer a complete end-to-end protection of the sensitive payment card data at point of sale, which is independent of merchant’s willingness to adopt acquirer-proprietary P2PE solutions. Complete end-to-end protection of plastic chip-card data at physical point of sale, could be offered by adopting either one of these concepts:
In the online world, mainstream digital wallets like Visa Checkout or MasterCard MasterPass, etc., which are used to securely store card data for online payments, still provide to the online merchants unprotected card data during online transactions. These digital wallets should integrate tokenization services provided by the same payment networks, offering them ASAP.
To conclude - the road from here is not easy and clearly requires a concerted effort by the mobile wallet providers like Apple Pay, Samsung Pay or even the imminent Android Pay and the main payments industry players to:
- Fully close out all 'PAN leakages' across all payment channels
- Collaborate and implement comprehensive, as generic as possible, card enrollment processes, using the available and existing best practices in payments security