MasterCard Exec Shares Amazing Security Details Behind Apple Pay

In a recent interview with Bank Innovation, Jorn Lambert, group executive of digital channels at MasterCard, shared the technical details of how Apple Pay will work when it goes live in the US next month. He explained that Apple Pay will use not only a cryptogram but also a dynamic token for each transaction; the token will be a 16-digit number that looks exactly like a credit card number.


Lambert said that when a consumer inputs his credit card into his iPhone, the networks (Visa, MasterCard, and American Express) will send a token and a cryptogram to the iOS device, which will store them on a special chip. The iOS device, in this state with the cryptogram and token installed, will be known as the “token requester”. He added that Apple will store the token and cryptogram data on the phone in a “secure element”, a separate, secure chip within the iPhone dedicated to security.

“This secure chip is also the only element within the device that can produce a token and cryptogram. When the consumer walks up to a checkout counter holding his iPhone stocked with a token and cryptogram, Apple Pay asks the consumer whether he wants to pay using his device and the NFC terminal sitting there on the checkout counter. He “says” yes in only one way: by using his fingerprint scan. This is the only authentication of the transaction.

“This authentication prompts the “secure element” to send the token and cryptogram to the merchant. The network decrypts the cryptogram and determines whether it is authentic or not. If it is deemed authentic, the network will pass it along to the issuer (i.e. the bank), which then decrypts the token. In other words, every party to the transaction decrypts something.”

Once the issuer decrypts the token, the issuer/bank authorizes the transaction and money is credited to the merchant, with all of this happening in a split second. Pretty amazing, eh?
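The flow described above, as a simplified model (an added example, not code from Apple or MasterCard): a token and key are provisioned once, the secure element emits a fresh cryptogram per payment, the network checks it, and only the issuer maps the token back to the card. The HMAC-based cryptogram, the class and function names, and the test card number are assumptions made for illustration; the real scheme is not described on this page.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount_cents):
    # Stand-in for the real cryptogram: HMAC binding token, counter and amount.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """The bank: maps a token back to the real card number."""
    def __init__(self):
        self.vault = {}  # token -> real card number

class Network:
    """Issues the token and key, later checks each cryptogram."""
    def __init__(self):
        self.keys = {}  # token -> [device key, highest counter seen]

    def provision(self, pan, issuer):
        # 16-digit token that looks like a card number but is not the card number.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.keys[token] = [key, 0]
        issuer.vault[token] = pan
        return token, key

    def verify(self, token, counter, amount_cents, cryptogram):
        if token not in self.keys:
            return False
        key, last = self.keys[token]
        expected = make_cryptogram(key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram) or counter <= last:
            return False  # forged, altered, or replayed
        self.keys[token][1] = counter
        return True

class SecureElement:
    """Holds token and key; emits a fresh cryptogram per transaction."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        c = make_cryptogram(self._key, self.token, self._counter, amount_cents)
        return self.token, self._counter, amount_cents, c

def authorize(network, issuer, payment):
    # The merchant only relays `payment`; it never sees the real card number.
    if not network.verify(*payment):
        return None
    return issuer.vault[payment[0]]
```

In this model a captured payment message is useless to whoever holds it: replaying it fails the counter check, and changing the amount invalidates the cryptogram.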

“Technology runs through my veins...” | Follow me: @DrUsmanQ

  • aaloo

    I see. So that’s why we need the credit card issuers to be on board. So even if I put my Canadian credit card in the passbook, the Canadian bank won’t send a cryptogram to it and I won’t be able to use it via NFC.