Key Takeaways
- Apple Pay and Google Pay use tokenization to protect your credit card number from being stolen during transactions.
- Both services have strong security measures. They encrypt your data, and use passcode or biometric authentication to prevent fraud.
Virtual wallets like Apple Pay and Google Pay are extremely convenient, but are they safe? How do they protect your information from people that would try to steal it? Here is what you need to know.
How Do Apple Pay and Google Pay Work?
Apple Pay and Google Pay allow you to use your phone to tap-to-pay, much like you would with a credit card. But how do they work under the hood?
When you first add a card to either service, the card number is transmitted to an intermediary called a Token Service Provider(TSP). Token Service Providers take your credit card number, otherwise called your Primary Account Number(PAN), and assign you a second number called a token, or Digital Primary Account Number(DPAN).
We called it a number, but tokens are actually alphanumeric strings.
Once you’ve been assigned a token, every time you use your phone to pay for something, your phone transmits the token over NFC instead of your actual credit card number. Whoever you’re paying then transmits your token to the TSP, and the TSP is the one that links your token back to your regular account number. That information is then forwarded along to your bank (or other financial institution), and your payment goes through.
This extra layer is there to prevent your real Primary Account Number from being stolen or otherwise abused. A merchant can’t do anything with your token alone—they require the TSP to provide the connection between themselves and your bank.
How Secure are Apple Pay and Google Pay?
Google Pay and Apple Pay are very secure, and as of the time of writing, there has never been a large-scale breach associated with either of them. There are four big features that contribute to this:
- Apple Pay does not store your full credit card number, so even if Apple is compromised and their encryption fails to protect the data (which is unlikely), your card number can’t be stolen.
- Google Pay encrypts all the card data stored on their servers. If the data is ever stolen, it is unlikely that anyone will be able to break the encryption in the foreseeable future.
- Apple and Google Pay use tokenization for transactions. Just like with credit cards, this means that whoever you're paying can't steal your credit card number and use it for fraudulent transactions later.
- Neither service will allow you to view or modify the payment methods attached to your account unless you confirm it using your phone (or another authorized device).
Even if your Google or Apple account were to be hacked, neither service will allow you to use, modify, or view your payment methods without you using your phone (or other device) to confirm that it is you. This ensures that a hacker won’t be able to go on a spending spree with your cards.
What Makes Them Vulnerable?
The biggest (known) security vulnerability of both Apple Pay and Google Pay is the device you use to authenticate transactions. Typically, this is your phone, but it could also be a smartwatch, or your Mac, for example.
The most common problem is your pin. Anyone that knows it (or has their biometrics added to your phone) can use it to make a payment.
Additionally, it is possible that bugs could open up attack avenues for hackers. These sorts of things are rare, but they do happen. Google Wallet had a bug in 2023 that could have exposed users' card numbers to a malicious NFC device, and Pixel devices once had a bug that allowed someone to bypass the lock screen using an extra SIM card. Apple Pay had a glitch with Express Transit Mode that would have allowed a payment to occur without user authorization.
Luckily, these sorts of issues are usually patched pretty quickly. Security fixes like that are why it is important to keep your devices up to date.
Are Apple and Google Pay More Secure Than Credit Cards?
Generally, yes. Modern credit cards also use tokenization if you use tap-to-pay or insert the chip into the card reader, which is a huge improvement over the old magnetic strips, but they suffer from an enormous security fault: your credit card number is literally printed on the card itself.
Credit cards don’t typically prompt you to use a pin for a transaction, either—if you drop your card, anyone can pick it up and use it. In the United States, the most you’re liable for if your credit card is stolen and used fraudulently is 50 dollars. However, that is a hassle you can avoid entirely.
On the other hand, Apple Pay and Google Pay can be configured so that every transaction—regardless of the value—requires a pin, passcode, or biometric authentication. This is the default setting in the United States, though other nations vary. Typically, you can’t charge more than about 50 USD anywhere without authenticating.
Like we mentioned previously, is always possible that your phone’s security could be bypassed, but it is important to emphasize how exceedingly rare such exploits are in the grand scheme of things. You’re much more likely to accidentally lose a card than you are to have your phone’s security bypassed.
