Tokenization also works for online payments, usually by redirecting the consumer to a payment portal (or capturing the traffic to the site), collecting the card, and then passing the token back to the online site's systems.
In both scenarios there are still exposure points. In point of sale (PoS) terminals, the credit card number is potentially still exposed every time you swipe it. In online transactions, it is exposed to attack on the computer you enter it from, the network you connect to, and the payment site that collects it.
Now back to our story
Apple has established partnerships with enough issuing banks and payment networks to cover the majority of credit cards in the United States. Each of these is responsible for taking the card number you scanned on your phone and issuing the device account number. Unlike my example above, in which the token is on a per-merchant basis, with Apple Pay you get a unique token for each card and each iPhone.
Right at the start, this is a powerful combination of usability and security. Enrolling a card is dirt-simple and effectively frictionless (you might think having the card in hand is a security control, but that's easy to fake). Using per-device tokens means that only the bank that issued the card (or its payment network) ever has your card: You don't have to trust Apple with it. This is different from the Google Wallet system, in which Google holds your cards on its servers. (For the record, Google is exceptionally good at maintaining that kind of security.)
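The per-card, per-device scoping described above, sketched as a simplified issuer-side token vault. This is an added example, not Apple's or any payment network's code; the class, method names, device identifiers and the test card number are assumptions for illustration.

```python
import secrets


class IssuerTokenVault:
    """Toy model of an issuer's vault: one token per (card, device) pair.

    Only the vault can map a token back to the card number, so a merchant
    or device that holds a token never holds the card itself.
    """

    def __init__(self):
        self._by_token = {}  # token -> (pan, device_id)
        self._by_pair = {}   # (pan, device_id) -> token

    def provision(self, pan, device_id):
        """Issue (or return the existing) token for this card on this device."""
        pair = (pan, device_id)
        if pair not in self._by_pair:
            token = self._new_token(pan)
            self._by_pair[pair] = token
            self._by_token[token] = pair
        return self._by_pair[pair]

    def _new_token(self, pan):
        # Random digits with no mathematical relation to the card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                return token

    def detokenize(self, token):
        """Issuer-side lookup; returns None for unknown or revoked tokens."""
        pair = self._by_token.get(token)
        return pair[0] if pair else None

    def revoke(self, token):
        """Kill one device's token without touching the card or other devices."""
        pair = self._by_token.pop(token, None)
        if pair is None:
            return False
        del self._by_pair[pair]
        return True


if __name__ == "__main__":
    vault = IssuerTokenVault()
    pan = "4111111111111111"  # constructed sample: a well-known test card number
    phone = vault.provision(pan, "iphone-A")
    watch = vault.provision(pan, "watch-B")
    vault.revoke(phone)  # e.g. the phone is lost
    print(vault.detokenize(phone), vault.detokenize(watch) == pan)
```

Revoking the lost device's token leaves the card and every other device's token valid, which is the operational benefit of scoping tokens per device rather than per card.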
The next steps are even more interesting.
The Device Account Number (token) is sent to your device and stored in the secure element. Secure element isn't an Apple term like Secure Enclave. It refers to protected memory on smart cards that's reserved for high-security operations. If you have a SIM card in your phone, it has a secure element; so do most NFC chipsets. The secure element is the hardware piece that card brands require of anyone performing contactless payments.
Previous contactless phone-payment options required users to unlock their phones and (usually) enter a second passcode to unlock the card number from the secure element. Apple skips all this thanks to Touch ID. Just hold your phone near an NFC reader, approve with your fingerprint via Touch ID, and the Device Account Number (not your credit card number) is used for payment. This is dramatically faster and easier than entering passcodes.
Apple Watch will have its own secure element and Device Account Number. We don't yet know the process for registering your card on the watch, but it is expected you'll be able to use the watch without an iPhone to make payments. Go for a run wearing your Apple Watch, and you'll be able to buy water at a gas station without pulling out a wad of sweaty cash from the tiny pocket in your running shorts. Security-wise there is a clear assumption here that physical possession of the watch is sufficient, but then again, so is physical possession of a credit card. Taking the Apple Watch off your wrist locks the screen, requiring a passcode to unlock, so there is still additional security.