21ct.com http://www.21ct.com/blog/security-and-privacy-here-s-how-apple-pay-google-wallet-currentc-stack-up/
Security and Privacy: Here's How Apple Pay, Google Wallet &
CurrentC Stack Up
Posted by Scott Spinola on November 11, 2014
in Cyber Tips
In the U.S., mobile payments have been around for years, and
contactless (aka, “tap-and-pay”) credit cards have been around
for longer than that. With the introduction of Apple Pay this
September, mobile payments took a dramatic step forward in
visibility and likely will see a similarly dramatic increase in use.
Google Wallet, for example, actually saw a 50% increase in
use thanks to the buzz surrounding the launch of Apple Pay.
Clearly mobile payments are about to become the Next Big
Thing.
With the holidays approaching, many people will be getting
new mobile devices that offer the new mobile payment systems. But are they right for you? Most people don’t
fearlessly jump on every hot new technology trend. Most of us are more discerning and cautious (or perhaps even a
bit techno-phobic), especially when it comes to new-fangled ways to buy stuff. Before we jump into mobile payments,
we want to know if they’re secure and protect our privacy.
We’ll reward your curiosity in this review of two of the more prominent mobile payment systems: Apple Pay and
Google Wallet, and also share what we know about CurrentC, which is expected to launch some time in 2015 and
is already making headlines (mostly negative ones).
How Do Mobile Payments Work?
Before we review the mobile payment systems themselves, let’s take a look at how they work.
The benefits of mobile payments vary depending on the particular system (we’ll cover those below) but the main
benefit they all share is the promise of a thinner wallet: you don’t need to carry your physical credit cards around
(theoretically anyway). They do this by using your phone to replace the physical credit card in the typical purchase:
Activate → Authorize → Finalize
With standard in-store credit card purchases, you “Activate” the purchase by swiping your card in the credit card
terminal. The credit card terminal then sends the transaction information (credit card number, cost, merchant info,
etc.) to a series of card issuers and processors to “Authorize” the purchase (it’s pretty convoluted so we’ll spare you
the details) and (hopefully for you) send an approval back to the credit card terminal to “Finalize” the sale. Mobile
payments let you “tap-and-pay” (placing your phone on the credit card reader) or, with CurrentC, scan a special kind
of bar code called a QR code instead of swiping your credit card to “Activate” the purchase. That may seem like a
small change, but, as we’ll see below, how they each do that is what makes the systems so different in terms of
security and privacy.
Apple Pay and Google Wallet are both available wherever credit card terminals are enabled for tap-and-pay
transactions that sport the symbol shown at the top of this post. Unfortunately, these terminals are only in about 10%
of merchants (so, alas, you’ll still need to carry some cash or cards around). This availability will likely increase
dramatically in 2015 when a new law requiring “chip-and-pin” terminals (which use tap-and-pay technology and are
more secure than swipes) in the U.S. goes into effect. CurrentC will likely only be available at merchants who are part
of their MCX consortium.
With the preliminaries out of the way, let’s take a closer look at Apple Pay, Google Wallet, and CurrentC.
Are Mobile Payments Secure?
Since U.S. consumers have pretty good protection from liability for credit card fraud (as long as you notify the card
issuer in a timely manner of unauthorized charges), the primary security concern with credit card transactions is that
retailers store your credit card number and other personal information both to complete the transaction and after the
transaction for tracking purposes. As we saw with the breaches at Target and other retailers over the last year, this
puts you at risk of attackers hacking into those systems and stealing your sensitive data to commit identity theft.
Different mobile payment systems handle your sensitive information in very different ways that affect the security of
their system. Since no system is completely secure—not a credit card swipe and not mobile payments—let’s take a
look at the varying degrees of security each system offers.
Apple Pay Security
Apple Pay is unique among major mobile payment systems in that it never actually stores your credit card information
in its system. When you add a credit card to Apple Pay, it connects to the card issuer who then provides a unique
device account number, which is a random number that links the card to the device and which Apple Pay stores
inside your iPhone on a computer chip specifically designed for securing financial information. Apple never stores
your credit card number on your iPhone, in iCloud, or on its servers, and doesn’t share it with merchants during
transactions.
What’s more, when you make a purchase with Apple Pay, you verify the purchase with a fingerprint scan on the
iPhone’s Touch ID home button (Apple Watch uses your unique cardiac rhythm). Apple Pay then creates a one-time
security code and sends it with the device account number to the credit card terminal, which sends it and the
transaction info for authorization.
Even if an attacker were somehow able to get the device account number, it’s useless to anyone but the card issuer
because it’s not a real credit card number, is only valid on your device, and requires a randomly generated
transaction ID to complete a purchase. And if they steal your device, they’d have to replicate your fingerprint or
cardiac rhythm to complete a transaction. All this makes Apple Pay much more secure than a credit card swipe and
also more secure than other mobile payment systems.
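The flow described above, as an added example that is not from the original post and is not Apple's or any card network's code: a simplified Python model in which the issuer hands the device a device account number, and each purchase carries a one-time code. The HMAC over a per-device counter, the class names, and the card number are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _message(dan: str, merchant: str, amount_cents: int, counter: int) -> bytes:
    # Everything the one-time code is bound to (assumed layout).
    return f"{dan}|{merchant}|{amount_cents}|{counter}".encode()


@dataclass
class Device:
    """Stands in for the secure chip: holds the token and a key, never the card number."""
    device_account_number: str
    key: bytes
    counter: int = 0

    def pay(self, merchant: str, amount_cents: int, user_verified: bool) -> dict:
        # No fingerprint match, no one-time code.
        if not user_verified:
            raise PermissionError("user verification failed")
        self.counter += 1
        msg = _message(self.device_account_number, merchant, amount_cents, self.counter)
        return {
            "dan": self.device_account_number,
            "merchant": merchant,
            "amount_cents": amount_cents,
            "counter": self.counter,
            "code": hmac.new(self.key, msg, hashlib.sha256).hexdigest(),
        }


class Issuer:
    """Only the issuer can map a device account number back to the real card."""

    def __init__(self) -> None:
        self._vault = {}

    def provision(self, card_number: str) -> Device:
        # Random number that links the card to one device.
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[dan] = {"card": card_number, "key": key, "last_counter": 0}
        return Device(dan, key)

    def authorize(self, tx: dict) -> str:
        rec = self._vault.get(tx["dan"])
        if rec is None:
            return "DECLINED: unknown device account number"
        msg = _message(tx["dan"], tx["merchant"], tx["amount_cents"], tx["counter"])
        expected = hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.get("code", "")):
            return "DECLINED: bad one-time code"
        if tx["counter"] <= rec["last_counter"]:
            return "DECLINED: one-time code already used"
        rec["last_counter"] = tx["counter"]
        return "APPROVED"


def demo() -> dict:
    card = "4111111111111111"  # constructed test number, not a real card
    issuer = Issuer()
    phone = issuer.provision(card)
    tx = phone.pay("Coffee Shop", 450, user_verified=True)
    results = {"first": issuer.authorize(tx)}
    # A breached merchant database yields tx, but replaying it fails.
    results["replay"] = issuer.authorize(dict(tx))
    # Reusing the stolen token with a different amount fails too.
    forged = dict(tx, amount_cents=99900, counter=tx["counter"] + 1)
    results["forged"] = issuer.authorize(forged)
    # The merchant never saw the card number at any point.
    results["card_exposed"] = card in map(str, tx.values())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
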
Google Wallet Security
Instead of using your credit cards directly, you make payments in Google Wallet with a Virtual Card (actually a
MasterCard branded pre-paid debit card account issued by Bancorp), to which you add funds from your preferred
credit or debit card. Your “real” credit card information is not stored on your phone and is not given to the merchant
during the transaction. Also, the virtual card number (like the device account number in Apple Pay) is not useful
outside Google Wallet. Making an in-store purchase with Google Wallet requires you to enter your Wallet PIN, which
is less secure than your fingerprint or cardiac rhythm. Also, unlike Apple Pay, Google stores your credit card
information on their servers, as well as your date of birth, address, and bank account information if you chose to fund
your account with it. This is definitely a higher risk than Apple Pay, though (to be fair) Google has an excellent
reputation for security. Still, anyone can be breached and this is an added risk.
Google does offer some protections to users to offset these security risks. Their Google Wallet Fraud Protection
“covers 100% of all verified unauthorized transactions in the US.” Notably, this only covers Google Wallet
transactions, not the theft of your bank account or credit card information if their servers are breached.
Is My Privacy at Risk with Mobile Payments?
A standard credit card transaction involves quite a bit of information about you. At a minimum it involves what you
bought, where you bought it, how much you spent, and your credit card number. Many retailers save your purchase
history for each card so they can track your purchase patterns over time and deliver targeted advertising to you, err, I
mean provide refunds without a receipt. Mobile payment systems differ widely in what information they collect and
store on you.
Apple Pay Privacy
Because Apple’s business model is not dependent on user data (it makes its money largely on hardware and digital
media sales), it really has little incentive to track your purchases so Apple Pay doesn’t provide any of your identifiable
personal or financial information to the merchant and doesn’t save the transaction information on its servers. For
those of us who fall more on the paranoid side of the fence, this is welcome news. You have a very high degree of
privacy with Apple Pay—more so than with any other transaction except cash. Merchants can store the unique
transaction code to facilitate refunds, but the code is created in such a way that they cannot connect it with other
transactions and so cannot track you via Apple Pay. If Apple eventually adds loyalty cards to the Apple Pay system
(which it’s rumored they will do), the privacy aspect of the transaction (though probably not the security aspect of it)
would presumably change in some way since loyalty cards are specifically designed to track your purchases (though
Apple is still unlikely to do any tracking themselves).
Google Wallet Privacy
Google’s business model is highly (almost exclusively) dependent on monetizing data it collects on its users. This
model extends to Google Wallet. While Google doesn’t share your personal information with merchants during a
Google Wallet transaction, they do collect both your online and offline purchases and add them to the data it collects
on you from its other apps like search and Gmail. That means Google can tie your Google Wallet transactions to your
web surfing activity and create an even more detailed digital profile on you for its ad targeting business. Some people
find that a bit creepy.
So What About CurrentC?
CurrentC is the mobile payment system announced by MCX, a consortium of major retailers who are devising their
own payment system in an attempt to avoid the fees charged by credit card companies, but also so they can collect,
monitor, and analyze your purchase data.
Since CurrentC is not yet available (and because reports of how it does and does not work are often confusing and
conflicting and probably subject to change before launch) it’s hard to make definitive statements about the system.
Most sources agree that, to create a CurrentC account, you need to hand over your bank account number, driver’s
license number, and (most frightening of all) your social security number. They do this because the main goal of the
system seems to be to remove transactions from the credit card process altogether and avoid those fees. Many
people think storing this kind of sensitive financial and identity information online is a truly bad idea.
One interesting note about CurrentC is that, even though it is not launched yet, you cannot use Apple Pay and Google
Wallet at MCX merchants. That’s because many of them (like RiteAid and CVS) actually turned off their tap-and-pay
terminals after Apple Pay launched in an apparent attempt to buffer their yet-to-be-released system from competition.
Unfortunately, this also blocked all tap-and-pay transactions including Google Wallet and tap-and-pay credit cards.
This is not a failure of Apple Pay or Google Wallet, but a decision made by the retailers. It’s unknown if this practice
will continue until and after they launch CurrentC.
Conclusion
If You’re Concerned About Privacy:
Since Apple Pay does not store any of your financial or purchase information, it’s the clear winner in the privacy
department. Since a major intent of both Google Wallet and CurrentC is to track your purchases, they fall way behind
Apple Pay here.
If You’re Concerned About Security:
Apple Pay and Google Wallet both use virtual credit card numbers and device validation of transactions, and neither stores
your credit card information on your phone (it’s still unclear how CurrentC handles transaction security and
information sharing), which makes them more secure than a credit card swipe. Apple Pay comes out ahead, though,
thanks to its combination of fingerprint or heartbeat scans versus Google’s and CurrentC's less secure PIN validation
and the fact that Apple doesn’t store any of your financial or personal information anywhere in the Apple Pay system, while
Google Wallet and CurrentC store it all, including your address, birth date, and bank account number. That makes
Google Wallet and CurrentC targets for attackers and thus much less secure overall than Apple Pay. And if CurrentC
does, in fact, require your social security number and driver’s license, it’s hard to see how any security professional
could recommend it. It’s shaping up to be a security disaster waiting to happen.
Ultimately, your choice of phone will likely determine the choices you have for a mobile payment system, since in-
store purchases are limited to their own mobile devices (Apple Pay on iPhones and Google Wallet on Android
devices). For those who aren’t particularly committed to either the Apple or Android ecosystem—or are just now
jumping on the smart phone train—an iPhone 6 with Apple Pay is a great choice to protect your security and your
privacy as you enter the brave new world of mobile payments.
About Scott
Scott is a veteran technology writer, focusing on security, analytics, and fraud detection.
He also writes short stories, has a near encyclopedic knowledge of early eighties rock
music, is a sucker for liner notes, and owns a guitar signed by the late great Bo Diddley.
Connect: @ATXWriter | Google+
Security and Privacy: Here’s How Apple Pay, Google Wallet & CurrentC Stack Up

  • 1. 21ct.com http://www.21ct.com/blog/security-and-privacy-here-s-how-apple-pay-google-wallet-currentc-stack-up/ Security and Privacy: Here's How Apple Pay, Google Wallet & CurrentC Stack Up Posted by Scott Spinola on November 11, 2014 in Cyber Tips In the U.S., mobile payments have been around for years, and contactless (aka, “tap-and-pay”) credit cards have been around for longer than that. With the introduction of Apple Pay this September, mobile payments took a dramatic step forward in visibility and likely will see a similarly dramatic increase in use. Google Wallet, for example, actually saw a 50% increase in use thanks to the buzz surrounding the launch of Apple Pay. Clearly mobile payments are about to become the Next Big Thing. With the holidays approaching, many people will be getting new mobile devices that offer the new mobile payment systems. But are they right for you? Most people don’t fearlessly jump on every hot new technology trend. Most of us are more discerning and cautious (or perhaps even a bit techno-phobic), especially when it comes to new-fangled ways to buy stuff. Before we jump into mobile payments, we want to know if they’re secure and protect our privacy. We’ll reward your curiosity in this review of two of the more prominent mobile payment systems: Apple Pay and Google Wallet, and also share what we know about CurrentC, which is expected to launch some time in 2015, which is already making headlines (mostly negative ones). How Do Mobile Payments Work? Before we review the mobile payment systems themselves, let’s take a look at how they work. The benefits of mobile payments vary depending on the particular system (we’ll cover those below) but the main benefit they all share is the promise of a thinner wallet: you don’t need to carry your physical credit cards around (theoretically anyway). 
They do this by using your phone to replace the physical credit card in the typical purchase: Activate → Authorize → Finalize With standard in-store credit card purchases, you “Activate” the purchase by swiping your card in the credit card terminal. The credit card terminal then sends the transaction information (credit card number, cost, merchant info, etc.) to a series of card issuers and processors to “Authorize” the purchase (it’s pretty convoluted so we’ll spare you the details) and (hopefully for you) send an approval back to the credit card terminal to “Finalize” the sale. Mobile payments let you “tap-and-pay” (placing your phone on the credit card reader) or, with CurrentC, scan a special kind of bar code called a QR code instead of swiping your credit card to “Activate” the purchase. That may seem like a small change, but, as we’ll see below, how they each do that is what makes the systems so different in terms of security and privacy. Apple Pay and Google Wallet are both available wherever credit card terminals are enabled for tap-and-pay transactions that sport the symbol shown at the top of this post. Unfortunately, these terminals are only in about 10%
  • 2. of merchants (so, alas, you’ll still need to carry some cash or cards around). This availability will likely increase dramatically in 2015 when a new law requiring “chip-and-pin” terminals (which use tap-and-pay technology and are more secure than swipes) in the U.S. goes into effect. CurrentC will likely only be available at merchants who are part of their MCX consortium. With the preliminaries out of the way, let’s take a closer look at Apple Pay, Google Wallet, and CurrentC. Are Mobile Payments Secure? Since U.S. consumers have pretty good protection from liability for credit card fraud (as long as you notify the card issuer in a timely manner of unauthorized charges), the primary security concern with credit card transactions is that retailers store your credit card number and other personal information both to complete the transaction and after the transaction for tracking purposes. As we saw with the breaches at Target and other retailers over the last year, this puts you at risk of attackers hacking into those systems and stealing your sensitive data to commit identity theft. Different mobile payment systems handle your sensitive information in very different ways that affect the security of their system. Since no system is completely secure—not a credit card swipe and not mobile payments—let’s take a look at the varying degrees of security each system offers. Apple Pay Security Apple Pay is unique among major mobile payment systems in that it never actually stores your credit card information in its system. When you add a credit card to Apple Pay, it connects to the card issuer who then provides a unique device account number, which is a random number that links the card to the device and which Apple Pay stores inside your iPhone on a computer chip specifically designed for securing financial information. Apple never stores your credit card number on your iPhone, in iCloud, or on its servers, and doesn’t share it with merchants during transactions. 
What’s more, when you make a purchase with Apple Pay, you verify the purchase with a fingerprint scan on the iPhone’s Touch ID home button (Apple Watch uses your unique cardiac rhythm). Apple Pay then creates a one-time security code and sends it with the device account number to the credit card terminal, which sends it and the transaction info for authorization.

Even if an attacker were somehow able to get the device account number, it’s useless to anyone but the card issuer because it’s not a real credit card number, is only valid on your device, and requires a randomly generated transaction ID to complete a purchase. And if they steal your device, they’d have to replicate your fingerprint or cardiac rhythm to complete a transaction.

All this makes Apple Pay much more secure than a credit card swipe and also more secure than other mobile payment systems.

Google Wallet Security

Instead of using your credit cards directly, you make payments in Google Wallet with a Virtual Card (actually a MasterCard branded pre-paid debit card account issued by Bancorp), to which you add funds from your preferred credit or debit card. Your “real” credit card information is not stored on your phone and is not given to the merchant during the transaction. Also, the virtual card number (like the device account number in Apple Pay) is not useful outside Google Wallet.

Making an in-store purchase with Google Wallet requires you to enter your Wallet PIN, which is less secure than your fingerprint or cardiac rhythm. Also, unlike Apple Pay, Google stores your credit card information on their servers, as well as your date of birth, address, and bank account information if you chose to fund your account with it. This is definitely a higher risk than Apple Pay, though (to be fair) Google has an excellent reputation for security. Still, anyone can be breached and this is an added risk.

Google does offer some protections to users to offset these security risks. Their Google Wallet Fraud Protection “covers 100% of all verified unauthorized transactions in the US.” Notably, this only covers Google Wallet transactions, not the theft of your bank account or credit card information if their servers are breached.

Is My Privacy at Risk with Mobile Payments?

A standard credit card transaction involves quite a bit of information about you. At a minimum it involves what you bought, where you bought it, how much you spent, and your credit card number. Many retailers save your purchase history for each card so they can track your purchase patterns over time and deliver targeted advertising to you, err, I mean provide refunds without a receipt.

Mobile payment systems differ widely in what information they collect and store on you.

Apple Pay Privacy

Because Apple’s business model is not dependent on user data (it makes its money largely on hardware and digital media sales), it really has little incentive to track your purchases so Apple Pay doesn’t provide any of your identifiable personal or financial information to the merchant and doesn’t save the transaction information on its servers.

For those of us who fall more on the paranoid side of the fence, this is welcome news. You have a very high degree of privacy with Apple Pay—more so than with any other transaction except cash. Merchants can store the unique transaction code to facilitate refunds, but the code is created in such a way that they cannot connect it with other transactions and so cannot track you via Apple Pay.

If Apple eventually adds loyalty cards to the Apple Pay system (which it’s rumored they will do), the privacy aspect of the transaction (though probably not the security aspect of it) would presumably change in some way since loyalty cards are specifically designed to track your purchases (though Apple is still unlikely to do any tracking themselves).

Google Wallet Privacy

Google’s business model is highly (almost exclusively) dependent on monetizing data it collects on its users. This model extends to Google Wallet.
While Google doesn’t share your personal information with merchants during a Google Wallet transaction, they do collect both your online and offline purchases and add them to the data it collects on you from its other apps like search and Gmail. That means Google can tie your Google Wallet transactions to your web surfing activity and create an even more detailed digital profile on you for its ad targeting business. Some people find that a bit creepy.

So What About CurrentC?

CurrentC is the mobile payment system announced by MCX, a consortium of major retailers who are devising their own payment system in an attempt to avoid the fees charged by credit card companies, but also so they can collect, monitor, and analyze your purchase data. Since CurrentC is not yet available (and because reports of how it does and does not work are often confusing and conflicting and probably subject to change before launch) it’s hard to make definitive statements about the system.

Most sources agree that, to create a CurrentC account, you need to hand over your bank account number, driver’s license number, and (most frightening of all) your social security number. They do this because the main goal of the system seems to be to remove transactions from the credit card process altogether and avoid those fees. Many people think storing this kind of sensitive financial and identity information online is a truly bad idea.

One interesting note about CurrentC is that, even though it is not launched yet, you cannot use Apple Pay and Google Wallet at MCX merchants. That’s because many of them (like RiteAid and CVS) actually turned off their tap-and-pay terminals after Apple Pay launched in an apparent attempt to buffer their yet-to-be-released system from competition. Unfortunately, this also blocked all tap-and-pay transactions including Google Wallet and tap-and-pay credit cards. This is not a failure of Apple Pay or Google Wallet, but a decision made by the retailers. It’s unknown if this practice will continue until and after they launch CurrentC.
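The Apple Pay security section above describes a device account number sent with a one-time security code that only the card issuer can tie back to the real card. As an added illustration (not code from the original post, and not Apple's or the card networks' actual scheme), this simplified Python model assumes an HMAC over a transaction counter and amount as the one-time code; every name and the test card number are constructed.

```python
import hashlib
import hmac
import secrets


def one_time_code(key, token, counter, amount_cents):
    """Per-transaction code. Assumption: HMAC-SHA256 stands in for the real algorithm."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Card issuer: the only party that can map a device account number to a card."""

    def __init__(self):
        self._vault = {}  # device account number -> [real card, device key, last counter]

    def provision(self, card_number):
        """Add a card to a device: return a random token and a per-device key."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = [card_number, key, 0]
        return token, key

    def authorize(self, token, counter, amount_cents, code):
        """Approve only a valid code for this token and amount with a fresh counter."""
        entry = self._vault.get(token)
        if entry is None:
            return False
        _card, key, last_counter = entry
        expected = one_time_code(key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # code does not match this token, counter and amount
        if counter <= last_counter:
            return False  # code was already used once
        entry[2] = counter
        return True


def demo():
    issuer = Issuer()
    real_card = "4111111111111111"  # constructed test number
    token, device_key = issuer.provision(real_card)
    # Everything the terminal and merchant handle; the real card number is absent.
    seen = (token, 1, 2599, one_time_code(device_key, token, 1, 2599))
    first = issuer.authorize(*seen)                      # genuine purchase
    replay = issuer.authorize(*seen)                     # same data presented again
    altered = issuer.authorize(token, 2, 9999, seen[3])  # token without the device key
    return real_card in map(str, seen), first, replay, altered
```

`demo()` returns `(False, True, False, False)`: the merchant never holds the card number, and data copied from the merchant's records does not authorize a second purchase.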
Conclusion

If You’re Concerned About Privacy: Since Apple Pay does not store any of your financial or purchase information, it’s the clear winner in the privacy department. Since a major intent of both Google Wallet and CurrentC is to track your purchases, they fall way behind Apple Pay here.

If You’re Concerned About Security: Apple Pay and Google Wallet both use virtual credit card numbers and device validation of transactions, and don’t store your credit card information on your phone (it’s still unclear how CurrentC handles transaction security and information sharing), which makes them more secure than a credit card swipe. Apple Pay comes out ahead, though, with their combination of fingerprint or heartbeat scans versus Google’s and CurrentC’s less secure PIN validation and the fact that they don’t store any of your financial or personal information anywhere in the Apple Pay system while Google Wallet and CurrentC store it all, including your address, birth date, and bank account number. That makes Google Wallet and CurrentC targets for attackers and thus much less secure overall than Apple Pay.

And if CurrentC does, in fact, require your social security number and driver’s license, it’s hard to see how any security professional could recommend it. It’s shaping up to be a security disaster waiting to happen.

Ultimately, your choice of phone will likely determine the choices you have for a mobile payment system, since in-store purchases are limited to their own mobile devices (Apple Pay on iPhones and Google Wallet on Android devices). For those who aren’t particularly committed to either the Apple or Android ecosystem—or are just now jumping on the smart phone train—an iPhone 6 with Apple Pay is a great choice to protect your security and your privacy as you enter the brave new world of mobile payments.

About Scott

Scott is a veteran technology writer, focusing on security, analytics, and fraud detection. He also writes short stories, has a near encyclopedic knowledge of early eighties rock music, is a sucker for liner notes, and owns a guitar signed by the late great Bo Diddley.

Connect: @ATXWriter | Google+