by evanspa 4296 days ago
With Apple Pay, your physical credit card number is NOT stored on the iPhone 6's secure element; instead, a token is (the token is effectively an alias to your credit card number; it looks like one too - it is 16 digits, etc., so it will work nicely w/ existing payment infrastructure). So there's additional security there. If your iPhone 6 is stolen, you can report it stolen, and the issuing bank of your credit card will simply invalidate your token. You won't have to worry about replacing your physical credit card. In contrast, if the merchant --- whose app you have your physical credit card number stored within --- is hacked, you'd have to get your credit cards replaced, which is of course more onerous than the former.
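As an added illustration (not code from the original thread or from Apple) of the tokenization model this comment describes: an issuer-side token vault that hands each device a distinct 16-digit, Luhn-valid alias for the real card number and can revoke one device's token while the card itself stays valid. The `999999` token range and the card number used in the comments are constructed placeholders.

```python
import secrets
from typing import Optional

TOKEN_BIN = "999999"  # constructed placeholder; real token ranges are assigned by the network

def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def with_luhn_check_digit(prefix15: str) -> str:
    """Append the one check digit that makes a 15-digit prefix Luhn-valid."""
    return next(prefix15 + c for c in "0123456789" if luhn_valid(prefix15 + c))

class TokenVault:
    """Issuer-side store: device-bound tokens map to the real PAN, which never leaves here."""
    def __init__(self) -> None:
        self._tokens = {}  # token -> {"pan", "device", "active"}

    def issue_token(self, pan: str, device_id: str) -> str:
        # The token looks like a card number (16 digits, Luhn-valid) so existing rails accept it.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(9))
            token = with_luhn_check_digit(TOKEN_BIN + body)
            if token not in self._tokens and token != pan:
                break
        self._tokens[token] = {"pan": pan, "device": device_id, "active": True}
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Authorization path: map a live token back to the PAN, otherwise refuse."""
        rec = self._tokens.get(token)
        return rec["pan"] if rec and rec["active"] else None

    def revoke_device(self, device_id: str) -> int:
        """Device reported stolen: deactivate only that device's tokens; the card stays valid."""
        revoked = 0
        for rec in self._tokens.values():
            if rec["device"] == device_id and rec["active"]:
                rec["active"] = False
                revoked += 1
        return revoked
```

Revoking the stolen phone's token leaves the second device's token, and the physical card, working; a merchant breach exposing a token is bounded the same way.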

Just curious...does Google Wallet also do the same thing?
No, Google Wallet doesn't. When performing a tap & pay at a merchant NFC terminal using Google Wallet with your Android phone (running 4.4+), your Google Wallet Mastercard card is the card account actually being used vis-a-vis transaction authorization. Then, later, Google will charge the card that you've configured to be your default payment card. I do not know if Google is fully implementing the Mastercard PayPass spec, but they are implementing some of it at least. Thing is, because Google Wallet is HCE-based, and thus there's no secure element, they cannot permanently be storing the encryption keys needed to generate the cryptogram(s) and such that are part of a standard EMV transaction (Mastercard and/or the issuing bank of your Google Wallet Mastercard - Bancorp[1] - would never allow permanently storing the encryption key w/out a secure element).

[1] https://support.google.com/wallet/answer/2676665?hl=en

Interesting. Does this mean that transaction data (what I bought, when I bought) is visible to Google, unlike Apple Pay (claimed)?
I don't know, but I do know that Google Wallet has some kind of 'ghost' credit card number - that's the one that gets sent to the terminal, then presumably Google charges my actual card in the background somewhere.
no
Care to back that up with sources or a reference?