[gregsadetsky]

Sorry to repeat the link (posted in my comment below yours) but this very technical & informed explanation from @rswail explains what's going on:

https://news.ycombinator.com/item?id=35698169

TLDR: Omny gets a hash of the Apple Pay card, and later, they can one way hash a card (that you give them) and match it to past purchases/travels. They (OMNY/MTA) presumably do not have access to the original card number that Apple Pay is 'masking'.

But I agree with you that the language on Apple's site makes it seem like it's more anonymous than it really is (as this hash exception makes obvious)

[noman-land]

I've yet to read the technical explanation but how is not adding a salt or nonce to the hash a good idea? It doesn't seem very hard to iterate through all possible credit hard numbers and hash them all. I'm sure I'm missing something.