With the announcement of Apple’s new credit card have come a flurry of questions: When is it coming out? How does it work? How do you use it? And, perhaps most importantly, is the Apple Card safe? There are few things to consider when it comes to the security of the Apple Card, from the Apple Pay system it utilizes for contactless transactions to how the physical card that goes along with it is implemented. No credit card is completely secure, of course, and the Apple Card has its weaknesses just like any other — but the good news is that the system also does seem to improve on traditional credit cards in some respects.
When it comes to actually making payments, Apple Card’s security is essentially one and the same as Apple Pay’s: It uses what’s known as tokenization, a little piece of hardware called the Secure Element, and your own face scan or fingerprint to keep your financial info locked down. According to Free Code Camp’s rundown on how Apple Pay actually works, when you add a debit or credit card to Apple Pay, the information first goes to Apple’s servers, then to your card network (think Visa, Mastercard, etc.). The card network then validates the information with the bank that issued you the card. Next, the card network generates a Device Account Number — that is, it makes a token — and encrypts it before sending it back to Apple. This is the information that’s then stored on the Secure Element in your device — not the credit card number itself.
Per Apple itself, the Device Account Number can’t be decrypted by Apple; it’s never stored on Apple’s servers; it’s not backed up to iCloud; and it’s isolated from the actual operating system of your device. Apple also doesn’t store or have access to the original card numbers when they’re added to Apple Pay.
All of this still happens when you add an Apple Card to your Apple Wallet; it works just like adding any other card to the app. In the case of the Apple Card, the card network is Mastercard, while the issuing bank is Goldman Sachs. These two entities work in tandem to validate your info and create and encrypt the Device Account Number for your Apple Card, which is then stored on your phone’s Secure Element.
When you make a payment using Apple Pay at a store, you first have to authenticate the payment on your device — typically with your Touch ID or Face ID — after which the Secure Element creates a one-time-use, dynamic security code specific to the transaction you’re currently making. This security code and the Device Account Number stored on the Secure Element are then sent to the point-of-sale terminal at the store using Near Field Communication (NFC) technology. Your card network, issuing bank, or payment network then use the security code to verify the transaction, and voila! You get a check mark and a little message telling you, “Done!” flashing on your phone screen letting you know that the payment went through.
Something similar happens when you use Apple Pay online; your Device Account Number and one-time-use, dynamic security code get sent to the app or website on which you’re making your purchase, with the authentication for the purchase being undertaken by your device (again through Touch ID or Face ID).
The bottom line is that your actual credit card number is never sent at any point during the transaction, keeping your information safe from anyone who might try to intercept it. What’s more, even if someone manages to get a hold of your iPhone itself, they won’t be able to use your Apple Pay info, thanks to the fact that your Face or Touch ID is required to authenticate any purchases made with it. As Lily Hay Newman pointed out at Wired back in March, Apple Pay is generally thought by security advocates to be “a solid improvement over typical credit card transactions” — and since the Apple Card is essentially an extension of Apple Pay, it will share the benefits afforded by the Apple Pay infrastructure.
Then there’s the physical Apple Card — the little sheet of titanium you can get alongside your approved Apple Card application for use at brick-and-mortar stores that don’t accept Apple Pay (as long as they do accept Mastercard, that is). One of the selling points Apple is pushing is the fact that the physical Apple Card doesn’t have a number or a CVV printed on it — the assumption being that your card is more secure without it. (“That’s one less thing to worry about when you hand over your card at a restaurant or store,” the Apple Card’s Security and Privacy page states.)
This, though, may be less of a boon than the ad copy for the card would have you believe; these days, it’s far more common for credit card information to be stolen electronically than it is by someone literally seeing the number printed on your card. As William Noonan, a special agent who was once in charge of the U.S. Secret Service’s cyber operations branch, put it to Bankrate in 2018, “Back in the beginning, they got the imprint of credit cards from the carbon copies they dug out of the trash. Technology has changed things.” Skimmers, phishing, malware, keyloggers, and data breaching are all commonly used methods for stealing credit card information — and none of them require seeing the physical card to work.
The good news, though, is that you can lock your titanium card directly within Apple Wallet in the event that you get separated from it. To do so, just go into Apple Wallet, tap “Apple Card,” tap the three dots that denote the “More” button, scroll down to Physical Card, and tap Lock Card. Then follow the prompts on the screen to complete the process. When the card is locked, no purchases can be made on it until you unlock it — and if you really need to, you can easily request a whole new card, too.
More useful than the lack of printed number on the physical card is the Apple Card’s virtual card number — or, perhaps more specifically, its ability to generate new virtual card numbers quickly and easily. This virtual card number (not to be confused with your physical card’s number or your Device Account Number) is what you’ll use if you’re making an online purchase without Apple Pay: You can find it your Apple Card profile in Apple Wallet, then either copy and paste or simply type it into the appropriate field at checkout. You’ll notice, though, that there’s also a blue button in the middle of the Apple Card screen that allows you to “Request New Card Number” — and if you tap that button, your old number is immediately invalidated and a new one is generated for you. As Matthew Panzarino noted at TechCrunch, this ability is “great for situations where you are forced to tell someone your credit card number but do not necessarily completely trust the recipient” — or just if you think the number has been compromised for any reason.
Panzarino also points out that a number of other apps and services exist that allow you to do this already; however, he asserts — correctly, I think — that “Apple Card… will doubtless be the largest body of consumers to ever have easy access to a virtual card number with an easy to use interface and will expose many more people to the concept.” After all, why would you use a separate service just for this if you can do it all within one app?
There are a few other bells and whistles built into the Apple Card that also look to bolster the payment method’s security. For example, you get a notification on your phone every time you buy something with the Apple Card — so if you get a notification for a purchase or transaction that you absolutely didn’t make, you’ll know immediately that something’s off, allowing to then contest the charge, change your virtual card number, and so and so forth. (The Apple Card website states, “Don’t recognize a charge? Just tap to let us know. That’s it. We’ll take it from there, and you won’t be liable for any fraudulent charges.” Personally, I would want to know exactly what Apple does in response to this kind of notification, but that information isn’t immediately available.)
You can also get in touch with a Goldman Sachs rep 24/7 via text message by tapping the “Support” button within Apple Wallet (Apple told The Verge that “Goldman Sachs employees are being trained using Apple tools and technologies, including specific language around helping people understand credit issues”). According to Apple, Goldman Sachs will also use never share or sell your data to third parties, although they will use it to operate Apple Card. And lastly, your transaction history, spending summaries, data cleanup, and categorization all occur locally on your device itself — Apple never sees it.
The bottom line is that, while Apple has gone out of its way to beef up the security on the Apple Card — the Apple Pay functionality is particularly effective — the Apple Card is still, y’know, a credit card. We’ll still need to be smart about how we use it; also, no matter how smart we ourselves might be, no credit card is impervious to theft (yet, at least). Don’t put all your eggs in one basket, as the saying goes — but if you want to apply for one anyway, head here for more info. The Apple Card will roll out to the general public later this summer.