At this point, a bank must decide between green-lighting the customer based on the information Apple can send the bank or pushing the customer down what's called the “Yellow Path” and making them provide additional verification.
Verification from banks can take a number of forms, and Apple’s own iOS Security White Paper from 2014 explains, “Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification."
What is card tokenization?
Card tokenization is the process of replacing the traditional card account number (PAN) with a unique digital token in online and mobile transactions. Tokens can be restricted for transactions with a specific mobile device, merchant or transaction type. The tokenization process happens in the background in a way that is invisible to the consumer.
A payment token is a numeric substitute for a primary PAN and can be processed by all participants in the payments ecosystem. Payment tokens map back to the original PAN, providing the account issuer with the full transaction details.
How is the cardholder authenticated in Apple Pay?
When the cardholder adds a card to Apple Pay, both Apple and the network run the request through a number of risk parameters to ensure that the requester is indeed the valid owner of the card. This may include things like history in iTunes, address verification or other authentication requests. These requests will use existing infrastructure to send through things like a zero auth request, AVS request, etc. If it passes, the card will be tokenized and enabled on the phone. If however these checks fail, the cardholder will go into what is called “yellow path” authentication. In this scenario, the cardholder is directed to call their credit union, which will need to authenticate the cardholder using its current authentication protocols. The credit union will then need to go to the Life Cycle Management portal to “release” the token so that it can be sent to the member.
Life Cycle Management portal: Each of the networks, Visa and MasterCard, provide an online portal that allows you to manage the life cycle statuses of tokens, such as disabling or resuming a token. CO-OP will provide details of how to get access to this tool during your enrollment.
token Life Cyclemanagement: Token life cycle management is the process of managing the status of the token based on various events such as a PAN being lost or stolen, mobile device being lost or stolen, etc. A token can go through various life cycle status updates such as Active, Suspended, Deleted during the course of its life.
When members contact the credit union, you can disable a token using the life cycle management portal. Members can also go to Find My iPhone and report the phone as “lost,” which will automatically suspend tokens directly with Apple.
EMV stands for Europay MasterCard [and] Visa, its original champions. This payment technology involves bank cards with an embedded microchip that contains unique cardholder information, including the cardholder’s name, card number and expiration date. Instead of swiping a mag stripe card and signing to authenticate a purchase, EMV-capable point-of-sale (POS) machines will read the chip on the card and then ask the cardholder to enter a PIN to authenticate. The card itself verifies the PIN and then sends a unique transaction code. This code is hard to forge, making card cloning much more difficult for cybercriminals. This approach to EMV is often called chip-and-pin.
Thus, the ABC’s of how a card is loaded into your Apple Pay account:
- Load in the card information
- Apple encrypts the data and sends it to its own servers
- Apple Un-encrypts and sends the data to the card network
- Apple re-encrypts the data knowing the card’s bank and sends to that bank
- Bank receives the card information, along with certain information tied to the iTunes account on the device
- Bank either gives a greed, yellow or red light. Green = immediately approved. Yellow = additional security questions to confirm validity of the user’s id (done through the Apple interface). Red = Card not accepted.
- Pay away! (assuming it got approved)
Now it is point 5 & 6 where the fraud is actually occurring, outside of the Apple ecosystem. There is only so much that Apple can provide as regards user information. The weak point is pre-encryption, between when the card is swiped through old hardware, going through a potentially outdated hospitality management platform, and passing finally over to the payment gateway.
Red, Yellow, Green Path