March 9, 2015
By now, pretty much everybody has heard about the identity fraud going on with Apple Pay. Stolen card data from the card-not-present channel and even some of last year's stolen Target and Home Depot card data from the card-present channel, seem to be finding its way comfortably into Apple's Mobile Wallet. Effectively, stolen card data is being converted into 'legitimate' Apple Pay 'cards'.
The common view among bloggers and industry experts is that this is not an Apple Pay problem. It basically says that Apple was not responsible, in the first place, for properly authenticating cardholders during the enrollment process. Instead they say it was the responsibility of card issuer to identify the user of the card before it got into the wallet.
I simply disagree. Apple and the payment industry cannot continue to blame each other and hope that the problem will simply disappear somehow. No, it won't happen! y expectation is that, unfortunately, the problem may grow further if nothing is being done to fix it. In my opinion, both Apple and the payment industry bear an equal level of responsibility for the current situation and both could have done a much better job by introducing simple steps that would have prevented it from ever happening.
There are several main issues at play here, which each individually may require separate consideration and analysis.
The first issue is that consumer convenience took precedence over a strong KYC process and security. My only guess would be that the expectation that Apple products must be completely frictionless contributed a great deal to the pressure to collectively enable an easy enrollment process, potentially knowingly full of security holes.
Apple, as the mobile wallet provider and approved Token Requestor, could and should have taken several steps to secure the enrollment gates. We all know how much pride Apple takes in the fact that they fully control every aspect of iPhone6/6+ production and manufacturing. I assume, by the same logic, that they fully control the NFC chip as well and I believe they could have easily provided a proper Apple Pay Enrollment App capable of:
These two measures above, separately or together, would provide a generic and universal solution for securing the enrollment process. Such an Apple Pay Enrolment App would clearly be independent of any issuer’s proprietary or discretionary process. I can only assume that this would be relatively simple to be implemented by Apple and thus effectively convert the current 'card not present' enrolment process (prone to identity theft as with any online purchase) into something that would resemble the much more secure 'card present' process.
In retrospect, the card issuers and payment networks also could and should have resisted pressure for a completely frictionless process, by sticking to their guns and insisting on applying proper security measures as part of the process, like:
Then the issuers and payment networks should REJECT any card being entered into the Apple Pay wallet, which hasn't successfully passed one or more of the enrollment criteria listed above.
The second issue is the vast availability of unprotected sensitive card data, which can be stolen and used by fraudsters. This is the payment industry's chronic issue, which is hurting it well beyond Apple Pay.
All of today’s plastic cards communicate the PAN, unprotected, to the physical point of sale (POS) terminals. That applies to both magnetic stripe cards and even EMV chip cards. This is currently a somewhat neglected issue by the payment networks, issuers and EMVCo. For example protection of plastic card PAN data in POS transactions is not covered by the "EMVCo Payment Tokenization Specification -Technical Framework", which is mainly focused on mobile NFC / QR based and online payments.
To secure the physical card data in the card-present channel, the payment networks could easily take advantage of the built-in EMV chip computing power and offer a complete end-to-end protection of the sensitive payment card data at point of sale, which is independent of merchant’s willingness to adopt acquirer-proprietary P2PE solutions. Complete end-to-end protection of plastic chip-card data at physical point of sale, could be offered by adopting either one of these concepts:
In the online world, mainstream digital wallets like Visa Checkout or MasterCard MasterPass, etc., which are used to securely store card data for online payments, still provide to the online merchants unprotected card data during online transactions. These digital wallets should integrate tokenization services provided by the same payment networks, offering them ASAP.
To conclude - the road from here is not easy and clearly requires a concerted effort by the mobile wallet providers like Apple Pay, Samsung Pay or even the imminent Android Pay and the main payments industry players to: