Want Apple Card’s Security Benefits? Just Use Apple Pay

Credit to Author: Lily Hay Newman| Date: Wed, 27 Mar 2019 00:00:59 +0000

At a typically glitzy launch event in Cupertino on Monday, Apple debuted the Apple Card, a new credit card offered in collaboration with Goldman Sachs and Mastercard. Apple claims it will resolve many consumer frustrations with current credit cards: the card will be simple to sign up for, there won't be any fees, and it will be easy to redeem rewards. The company also firmly asserts that Apple Card “transforms the entire credit card experience by … providing a new level of privacy and security.”

But you don't need to wait until Apple Card comes out this summer to experience its touted security features. All you need to do is use Apple Pay and whatever credit card you already own.

"Nothing really changes with the Apple Card," says Avivah Litan, vice president of research at the analysis and advisory firm Gartner. "It's pretty genius actually. They already have the whole Apple Pay infrastructure built and tremendous adoption now across the world, so this is a competitive move."

When you add a credit card to Apple Wallet to use with Apple Pay, whether it's an Apple Card or another credit card, the service cryptographically morphs the credit card number and other details into a unique card identity that is stored in Apple's "secure element" for added protection. Completing a transaction through Apple Pay then requires that unique identifier and a one-time-use security code, along with additional biometric verification from you via FaceID or TouchID. This way, your real credit card number is never even transmitted for the transaction, and a fraudster would need the one-time transaction code and your face or fingerprint to make unauthorized charges. These same security benefits will extend to Apple Card.

Though there have been some examples of fraud on Apple Pay since its launch in 2014, security advocates generally consider these protections to be a solid improvement over typical credit card transactions. But in cases where Apple Pay isn't an option, the Apple Card is, in terms of protections, just that—a typical credit card.

The physical card is exactly the minimalist, etched titanium slice you would expect from Apple, and it takes a good security step by displaying only your name, without a card or CVV number. But if you use the card at a store for a regular chip transaction, it seems to function like any other credit card. There's no tech in the card itself; it can't complete contactless payments. The card also appears, based on photos from Apple's announcement, to have a magnetic strip on the back, which comes with its own set of security woes. And though the card number isn't physically displayed, you can access it in Apple Wallet and use it to make online purchases just as you would with any other credit card. Apple would prefer that you do online transactions with Apple Pay anyway, but if you don't there aren't any additional special attributes of Apple Card protecting you.

And Apple's arrangement with Goldman Sachs and Mastercard—as issuing bank and payment network, respectively—is a standard setup for a branded card.

"In general for all merchants this is going to be treated as another Mastercard transaction and it’s going to follow all of those rules," says John Drechny, CEO of the Merchant Advisory Group, an independent industry body. "And if merchants accept the card online they’re still going to have the same liability arrangement with the payment network. I don't believe it will be any different than a normal co-branded deal."

As is the case with any other credit card, the bank and the payment network involved in routing and executing transactions will have normal data access. Which isn't all bad. Banks analyze consumer financial data to spot patterns and attempt to reduce fraud. They just also typically share and sell this data for other purposes.

That's one area where Apple Card could prove to stand out, and would be in line with the company's emphasis on data privacy. Apple noted in its announcement that "Goldman Sachs will never share or sell your data to third parties for marketing or advertising." Apple did not make mention of whether Mastercard has agreed not to share or sell user data, and did not return a request from WIRED for comment.

As for Apple itself, the company says that it won't have access to any user transaction data or purchasing information. Apple Card features meant to help users track their spending and analyze statement information will all be populated locally on users' devices, not on Apple servers.

"Apple gets the best of both worlds by becoming a card issuer and partnering with a bank," Gartner's Litan says of Apple's decision to box itself out of accessing user data. "They can keep their nose clean."

Overall, Apple's efforts to increase Apple Pay usage are commendable from a security and anti-fraud standpoint. And it's clear that the purpose of Apple Card is to drive adoption and use of Apple Pay. But the Apple Card itself is a little more run of the mill.

https://www.wired.com/category/security/feed/