CISO Mag deep dives into the Apple Card, examining what it will do

When Apple unveiled the Apple Card at WWDC, it promised a new kind of credit card experience that did away with all the limitations of a credit card while innovating with next-gen security. But seeing as we still haven't had a chance to use the Apple Card, we could only take Apple's word for it.

Or so it was until CISO Mag took a deep dive into all the security elements Apple promises for its new card and examined how revolutionary it actually is. It turns out Apple did something quite unexpected and delivered a credit card experience that compromises neither the user experience nor security.

Apple made the process easier by involving only two partners, Mastercard and Goldman Sachs, which limits the dependencies and the risk.

It starts with an initialization process, which begins with understanding the end-to-end flow of the card's manufacturing, initialization and registration with a mobile device, in this case Apple's iPhone.

During manufacturing, Apple provisions Mastercard's public key on the physical card's chip; it is signed by the chip manufacturer's public key and then synced with Mastercard's tokenization service, enabling Mastercard to validate the authenticity of its public key. Mastercard's tokenization service is responsible for maintaining a registry of all trusted chip manufacturers and their certificates. This registry is held in a trust store, which verifies certificates from a trusted Certificate Authority (CA).

Once the backend is sorted, the process of communicating with the iPhone and a compatible app begins, which CISO Mag speculates will be the Wallet app. After that, the DPAN, along with the owner's key, is sent to Goldman Sachs for further clearance.

The unique card identifier, or temporary DPAN, is then combined with an owner-specific key and sent to Goldman Sachs, along with the owner's iTunes information such as billing address, full name and phone number, over secure encrypted channels. Goldman Sachs would view this information in the clear, but Apple asserts that Goldman Sachs will refrain from sharing or selling this data to third parties for marketing or advertising purposes. Using the information submitted from the owner's iOS device, Goldman Sachs then decides whether to approve the application before allowing the user to add (or bind) the card to the Passbook app.

The next and final step involves applications accessing the Apple Card payment information. This involves interaction between the Apple Card servers and the DPAN information, obtained in a time-bound nonce.

This number, along with other transaction data, is passed through an applet to the Secure Element (SE) to generate a payment signature. When the payment signature comes out of the SE, it is sent to the Apple Card servers over encrypted channels. The authenticity of the transaction is verified through this payment signature and the random number provided by the Apple Pay servers. After successful verification of the payment signature, the user's request is initiated.
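The nonce-and-signature check described above, modelled as an added example (this is illustrative code, not Apple's, Mastercard's or CISO Mag's implementation): the server issues a time-bound random number, the device signs the transaction data together with it, and the server refuses replays, altered amounts and stale nonces. The per-device HMAC key, the DPAN value and the 60-second lifetime are assumptions standing in for the Secure Element's real signing key and Apple's actual parameters.

```python
import hashlib
import hmac
import json
import secrets

NONCE_TTL_SECONDS = 60  # assumed lifetime of a server-issued nonce

def sign_transaction(device_key, txn, nonce):
    # Stand-in for the SE's payment signature: a MAC over canonical transaction data + nonce
    msg = json.dumps({"txn": txn, "nonce": nonce}, sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class PaymentServer:
    # Server side: hands out time-bound nonces and checks the signature that comes back
    def __init__(self, device_keys, now):
        self._device_keys = device_keys  # DPAN -> per-device key shared at binding (assumption)
        self._now = now                  # clock callable, injected so expiry can be tested
        self._nonces = {}                # nonce -> (DPAN, expiry timestamp)
        self._used = set()               # nonces already accepted, so a replay is refused

    def issue_nonce(self, dpan):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = (dpan, self._now() + NONCE_TTL_SECONDS)
        return nonce

    def verify(self, dpan, txn, nonce, signature):
        entry = self._nonces.get(nonce)
        if entry is None or entry[0] != dpan:
            return "reject: unknown nonce"
        if nonce in self._used:
            return "reject: replay"
        if self._now() > entry[1]:
            return "reject: expired nonce"
        if not hmac.compare_digest(sign_transaction(self._device_keys[dpan], txn, nonce), signature):
            return "reject: bad signature"
        self._used.add(nonce)
        return "approved"

def run_scenario():
    # Constructed walk-through: a good payment, then a replay, a tampered amount, a stale nonce
    clock, dpan, key = [1_000.0], "DPAN-EXAMPLE-0001", secrets.token_bytes(32)
    server = PaymentServer({dpan: key}, now=lambda: clock[0])
    txn = {"merchant": "Example Coffee", "amount_cents": 450, "currency": "USD"}
    n1 = server.issue_nonce(dpan)
    sig1 = sign_transaction(key, txn, n1)
    results = [server.verify(dpan, txn, n1, sig1), server.verify(dpan, txn, n1, sig1)]
    n2 = server.issue_nonce(dpan)
    results.append(server.verify(dpan, dict(txn, amount_cents=45_000), n2, sign_transaction(key, txn, n2)))
    n3 = server.issue_nonce(dpan)
    clock[0] += NONCE_TTL_SECONDS + 1  # device answers after the nonce has expired
    results.append(server.verify(dpan, txn, n3, sign_transaction(key, txn, n3)))
    return results
```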

In the end, CISO Mag found the Apple Card's security implementation to be novel and truly thorough. Apple took multiple steps to ensure the process was both secure and uncomplicated, and CISO Mag lauded Apple's choice to do so through hardware security controls rather than software. All told, the Apple Card is as secure as Apple promises.

Danny Zepeda