Hands on with Apple Pay: NFC, barcode scan, and online purchases!

Apple Pay is a new service that lets you use a secure element chip on your iPhone 6 or iPhone 6 Plus to pay for things at retailers over NFC, via barcode scan, and online using apps. You can use Touch ID or a pin code to authorize a payment. Your iTunes credit card will be automatically imported and you can add additional ones by scanning them in. Once your bank verifies them, you can use Passbook to select which card you want to use to pay. And... it looks great.

Credit card information never leaves the secure element, is never available to apps, and never gets stored or synced to the cloud. One-time tokens are used when you pay so your real credit card information is never at risk. Apple Pay also works on the Apple Watch. Authorize with a pin and it stays authorized for as long as you maintain direct skin contact with it.

While it won't be available at launch, Apple Pay will ship as part of a free update to iOS 8 in October. That's for major banks in the U.S., at least. More banks and more countries will follow.

I got to see it all in action at the iPhone 6 event today and it looked ridiculously easy. I've been using pin-and-chip and NFC tap-to-pay for years and it's pretty much everywhere where I live. I can pay for groceries, gas, department store and convenience store purchases, and restaurant bills all with a tap.

However, it concerns me that if I ever drop or leave my card somewhere, someone else could tap to pay for things too. In that regard Apple Pay looks better than an NFC equipped plastic credit card. The security looks better and the convenience looks better — I don't want to carry more things and risk losing them.

Likewise, after all the stories of credit cards being compromised at retailers, I like the idea of Apple Pay providing one-time tokens instead of my original card data. Worst case, that one-time token is compromised. I don't have to replace a card.

As far as I'm concerned, Apple Pay can't come soon enough. How about you?

Rene Ritchie


  • I agree, Rene. I am really looking forward to this taking off. When I first read about the idea in the days/weeks before yesterday's event, I thought it was a snoozer. But it looks like they did this feature up real nice, have gotten a critical mass of banks and card types on board, and did the security and privacy with care and skill. I only wish Apple would play up their care for customers' privacy vs. Google's exploitation of it. I greatly prefer being the customer and not the product!!
  • The "one time" aspect of ApplePay is built into the NFC standard. NFC protects against replay attacks using the CVV3 standard. There is a counter that must always go up. If a card is cloned, the counter will not increment in lock step with the real card. This is why Google and now Apple have to use "virtual cards" with new numbers. If they used the SAME number as on your plastic NFC card, it would cause problems. This is NOT a new idea, but an implementation requirement! The NFC part was actually pretty boring. NFC has been built up without the help of Google or Apple for many years. It is nice that a phone can emulate a card, but all the backend stuff (CVV3) had to be in place first. The only thing Apple added was the biometric auth.
  • But biometrics is the real thing in here
  • I've been using NFC payments from my phone for years now (Android) and the concept works pretty well so it is good to finally see Apple on board. The one piece that is concerning about their approach (which isn't a new approach as Softcard attempted it a few years ago) is that by using device-based cards and tokens as opposed to virtual cards and tokens (which is how Google Wallet and other NFC wallets work), you limit the number of users since your bank is the one to issue the device card versus the wallet service. For people who use smaller banks or credit unions, they may never be able to use Apple Pay. To be clear, because there is a lot of confusion about NFC, especially in the Apple universe since it is new to Apple products, Apple's approach doesn't necessarily make their implementation more secure from a payments perspective to other NFC wallets. Both Apple Pay and Google Wallet prevent the merchant from seeing your real information as both use one-time use tokens. The key security difference can be compared to using PayPal to buy something versus a gift card. In the PayPal method, the merchant never gets your credit card info, but if someone hacks your PayPal account, they can potentially purchase something through it whereas the gift card is completely random and not tied to you other than the funds on it. If lost, it can be deactivated and a new one can be given to you. However, the only record of that card is what you have in your hand. All of that is to say that Google Wallet requires you to store the card at Google (like you would if you were using PayPal's wallet) versus Apple Pay in which you are giving a token from your bank that is linked to your account and stored on your device, but is never sent to the merchant (they get a random, never tied to you number). In Google's case, the security is as strong as your password/pin and on Apple, it is as strong as the device itself. In both cases of use, your real info is always protected.
The one thing I would like to see is if Apple Pay will work at gas pumps. In the US, you typically cannot use gift card or prepaid card numbers. For Google Wallet, the number that the machine gets is usually classified as a prepaid card and is never accepted at the pump, which is where a lot of card skimming happens. If the numbers used by Apple Pay show as real debit or credit and not prepaid debit or credit, it will be a win for Apple Pay.
  • Very strong comment!
  • You realize if it has MC, VISA, or AMEX, it's not about the bank, right? That's why they went directly to MC, VISA, and AMEX... The Bank part is for debit cards and store CC's only. Example: Home Depot cards are from Citibank. THAT'S what those bank partnerships are about. If it's a check card with a MC or VISA logo it will work; period. Little banks / credit unions don't need partnerships w/Apple. Not many people get debit only cards these days.
  • Sorry, my friend, but that isn't the reason for the Visa, MC, or Amex partnership. The reason for it is because of the device-card approach that Apple is using. When you make a payment using NFC, what is transmitted to the merchant is a virtual card on either the Visa, MasterCard, or Amex network. The network that is chosen is on the same network that your original card is issued on. Because everything happens at the device level, your phone must be able to generate a random card number that is valid on the network (meaning you must have a data connection) and will be accepted. Without the partnership, the card that is generated for use would never be authorized on the Visa, MC, or Amex network. This is different from Google Wallet, per se, since the random card that is used is issued by the bank that Google uses (since they store your card). Thus, Google doesn't directly have to have agreements with the networks, just their banks. The reason why it will NOT work with any card and just the cards issued from the banks listed is not for debit card reasons as all credit cards are issued from banks just as debit cards. Rather, the reason why it won't work with every card issuer is because your device, not Apple, must store a card that is issued to your device. In order to get the device card, your bank must issue it (if you use the bank that I worked on developing their system for a couple of years back, the device card shows up in your account as a separate card issued to you). The unfortunate problem with that system is that it is on the expensive side to build and maintain. Smaller banks and credit unions usually don't invest funds heavily into integrating into these types of systems (it's why smaller banks and CUs don't have mobile check deposits or many of the nice features that draw you to bigger, yet more expensive banks).
If you have an Android phone, use a carrier that supports Softcard, and have a credit card issued by one of the banks listed (Capital One stopped supporting Softcard so you can't use theirs), you can actually get a glimpse today of how the process of device-based NFC and how Apple Pay works. You will have the exact experience as you will with Apple Pay. Or, you can wait until October and see it with an iPhone 6. Either way, no, you will not be able to use any card from any bank, credit or debit. Nor will it work with non-US cards at launch (regardless of the bank of issue), which is my only drawback to device-based NFC versus hosted wallet based NFC. Edit: Just found the Apple press release which confirms this. https://www.apple.com/newsroom/2014/09/09Apple-Announces-Apple-Pay/#mn_p The press release states that it will support any Visa, MC, or Amex credit or debit card issued by the 6 initial banks listed, which together make up over 80% of the US card transaction volume. Apple's site shows that they will be adding a few more US banks soon, but for now, it is just cards (credit or debit) issued by those 6 banks.
  • Nice comment
  • Other than the biometric part, I think Google's implementation is better in that it has more flexibility. I thought it was cool that when I bought something last night with Google Wallet, that the payment notice popped up on my iOS device. I wonder if Google Wallet for iOS will support NFC or has Apple locked out other apps from using it? Even beyond payments, does iOS support NFC for QRCode like functionality?
  • In theory, since Google Wallet can use either the secure element or Host Card Emulation, it should be possible for Google Wallet to work unless Apple just flat out blocks the app. While Google's method is more flexible in that you can use any card (even prepaid and gift cards) from any US bank, it also requires strong password/pin for your Google Account and, to my knowledge, can't be used outside of the US (since the random cards that get issued from Google Wallet don't work outside of the US). Unless they have changed that requirement and I don't know about it....
  • "Not many people get debit only cards these days." Care to cite that? I use my debit/check card more than cash these days, and almost never touch my actual credit card.
  • This is the best explanation of both payment systems I've seen. Mobile Nations should be shooting you an email asking you to write for them :p
  • Lol, thanks! While it would be nice, I doubt that actually happens although explaining (and deploying) technology is my day job these days.
  • Thanks for confirming my understanding on how this all works. I was a little unclear on the secure element on the Android side. I know Android used to use it but I thought the motivation to drop it was Verizon. Verizon locked it out because they use it for SoftCard (aka ISIS). Mapping virtual cards to real cards does give it more flexibility. I try to use NFC and Google Wallet over magstripe whenever I can. The system is way more secure than old-fashioned magstripe. I really hope that iMore now understands why it was so cool to have the feature on a phone.
  • I am looking forward to this SO MUCH. I just hope they're not too slow to get Australia hooked up!
  • Shouldn't take long, the reader in the video looks just like a standard PayPass/PayWave terminal and the technology sounds the same (tokens etc.)
  • I'm looking forward to it taking off but I don't see it as a reason to buy the iPhone 6 or 6 Plus right now. I'll probably fool around with it but it's not going to replace my actual wallet anytime soon. Apple wants to solve a problem, make the user experience simpler, and of course get a chunk of the revenue, but it'll take baby steps.
  • Just wanted to confirm, but Apple Pay NFC will work wherever Google Wallet NFC does, and vice versa?
  • Yes. NFC payments are a standard. You can use either wallet wherever NFC is accepted. Apple isn't reinventing what is already in place.
  • I'm a long-time BB user. I REALLY like Apple's security approach with Apple Pay, basically abstracting your CC info, so at worst you lose your phone and de-authorize it. One-time, random payment tokens are also a secure approach. I wonder if Apple will come out with a peer-to-peer option similar to PayPal - that would be killer.
  • This is actually how all NFC wallet apps work (random, one time use tokens for payments). The front ends (the piece between your phone and the merchant) are the same across all wallet apps (Google, Apple, Softcard, etc). However, the back end (device based versus hosted) is what is unique to Softcard and Apple. And, that is the piece that I'm mostly concerned about. Hopefully, Apple will implement a deactivation process similar to Softcard (should you lose your device). Otherwise, theft of the device and not being able to contact the phone to deactivate (phone stolen and turned off, for example) will result in you having to call every bank that you have cards set up for to have the device cards terminated on their end.
  • If you lose your phone, you only have to use Find My iPhone to disable it. The phone has to be connected to Wi-Fi or cellular to use Apple Pay so Apple Pay is disabled as soon as it's brought online.
  • Yes, but that is for a phone that turns back on. What I'm referring to is a device that is stolen, wiped, or is otherwise never brought back online. Since you are being issued tokens from the bank, those tokens still exist even if a device is stolen. What I am hoping to see is that a stolen device also has tokens disabled on the bank side as well. I should have probably made that more clear.
  • They need to take advantage of their iTunes base not only on the credit card base, but also have the ability to pay for items with iTunes balance. That will allow the younger iPhone base who can't get credit cards or people who simply don't want credit cards or can't obtain them. Also if they could find a way to pay for items via NFC phone to phone it would be fantastic for purchases at farmers market booths etc.
  • I am excited about this but I hope some retailers adapt and adopt quickly. I live in a small town in the ole dirty south and a lot of mom and pop stores use ancient cash registers. At least the majority have implemented a credit card terminal. I feel like a man from the future sometimes around here.
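
The one-time token, always-increasing counter and bank-side deactivation ideas raised in the article and comments above, as an added sketch that is not from the article, Apple, or the card networks. HMAC-SHA256 stands in for the real per-transaction code, and the `Device` and `Issuer` classes, the token string and the key are constructed for illustration.

```python
import hashlib
import hmac

def one_time_code(key, token, counter, amount_cents):
    # HMAC-SHA256 is a stand-in here, not the card networks' real cryptogram.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Device:
    """Holds the device token and key; the real card number is never stored here."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1  # every tap uses a fresh, higher counter
        code = one_time_code(self._key, self.token, self._counter, amount_cents)
        return {"token": self.token, "counter": self._counter,
                "amount": amount_cents, "code": code}

class Issuer:
    def __init__(self):
        self._tokens = {}  # token -> key, last counter seen, active flag

    def provision(self, token, key):
        self._tokens[token] = {"key": key, "last": 0, "active": True}

    def deactivate(self, token):
        self._tokens[token]["active"] = False  # bank-side kill switch

    def authorize(self, msg):
        rec = self._tokens.get(msg["token"])
        if rec is None or not rec["active"]:
            return "declined: token unknown or deactivated"
        expected = one_time_code(rec["key"], msg["token"], msg["counter"], msg["amount"])
        if not hmac.compare_digest(expected, msg["code"]):
            return "declined: code does not match"
        if msg["counter"] <= rec["last"]:
            return "declined: counter did not increase"
        rec["last"] = msg["counter"]
        return "approved"

def demo():
    issuer, key = Issuer(), b"constructed-demo-key"
    issuer.provision("tok-constructed-0001", key)
    phone = Device("tok-constructed-0001", key)
    first = phone.pay(1250)
    results = [issuer.authorize(first), issuer.authorize(first)]  # second is a replay
    results.append(issuer.authorize(dict(phone.pay(500), amount=50000)))  # tampered
    issuer.deactivate("tok-constructed-0001")  # phone reported stolen
    results.append(issuer.authorize(phone.pay(700)))
    return results
```

A message captured at a merchant is useless a second time, an altered amount no longer matches its code, and once the issuer deactivates the token the device's later payments are declined even if the phone never comes back online.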