Summary
- Apple Pay uses a token-based transaction system that keeps card numbers out of the loop.
- Encryption and authentication safeguards make it very safe overall.
- You should, however, take precautions to secure your Apple Account and the devices Apple Pay is on.
People sometimes give newcomers afraid of Apple Pay or Google Wallet a little flak, but personally, I get it. If you’re used to paying with conventional cash or cards, something like Apple Pay may seem a little too easy to be reliable, never mind safe. With iPhones and Apple Watches, your device is even talking wirelessly to retail payment terminals, which raises the specter of someone snatching your bank info out of thin air.
How much of a threat is that though, really? And how secure is Apple Pay in general? Most likely, it’s other aspects of your digital life that need to be locked down to prevent fraud.
How Apple Pay transactions are protected
A quick overview
Once you’ve added a card to your iPhone, iPad, or Mac — a process that involves confirming details with the card provider — related data is saved on-device, using an encrypted system called the Secure Element or Secure Enclave. I say “related” deliberately, since as Apple notes, your actual card number isn’t saved locally, or even sent to Apple servers. Instead the technology uses a token-based infrastructure, with a Device Account Number standing in for your card.
It’s these tokens that are transmitted when you make a transaction via Apple Pay. As a consequence, even merchants don’t get to see your card number.
For additional security, Apple Pay transactions need to be authenticated every time, typically via Face ID, Touch ID, or a passcode. Apple Watches are the one exception to this requirement, but you can’t use Apple Pay on a Watch if you haven’t previously synced a card from an iPhone, then unlocked your Watch when you put it on. If you take off a Watch and put it back on, you’ll have to re-enter your passcode before you can do anything. There’s a Secure Element or Enclave on each Watch so you don’t have to keep your iPhone nearby.
Is Apple Pay safe?
No easy access points
Apple brags that Apple Pay is safer than using a conventional credit or debit card, and overall, that’s probably true. Since your card details are never exposed, whether digitally or in person, it’s essentially impossible to steal them without reverse-engineering Apple’s token system. That’s a tall order for a rival corporation, much less a criminal gang. With conventional card payments, there’s a higher risk of that data being intercepted somewhere, be it from lax online security at a merchant, or a criminal installing a skimmer at a payment terminal.
That’s not to say Apple’s security is invulnerable, but the biggest threat is from people stealing one of your devices and/or breaching your Apple Account. If someone is able to hijack your Apple Account, they may be able to track down card details somewhere, say if you have them saved in Notes or a weak password app. Even if they get their hands on one of your devices, though, they won’t be able to use Apple Pay directly without guessing your passcode, or somehow tricking Face ID or Touch ID. The odds of that are low.
How can I protect my Apple Pay data?
Some common practices are all you need
Your best defense begins by using a long, hard-to-guess passcode — at least six digits, and nothing like your birthday or an obvious dialpad pattern. I’d also recommend making sure your iPhone, iPad, or Mac is set to auto-lock relatively quickly, and you should trigger a remote wipe using Find My if you’ve lost your device with little chance of recovery.
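The passcode advice above can be turned into a check you could run before rolling out a passcode policy. This is an added example, not code from the article or from Apple; the date layouts tried and the definition of an "obvious" keypad pattern (constant digit step, a repeated short block, or a walk across touching keys) are assumptions.

```python
from datetime import datetime

MIN_LEN = 6  # minimum length the article recommends
# Date layouts tried per passcode length (assumed set; extend for your locale).
DATE_FORMATS = {6: ("%d%m%y", "%m%d%y", "%y%m%d"),
                8: ("%d%m%Y", "%m%d%Y", "%Y%m%d")}
# Standard phone keypad: digit -> (column, row); 0 sits under 8.
KEYPAD = {str(d): ((d - 1) % 3, (d - 1) // 3) for d in range(1, 10)}
KEYPAD["0"] = (1, 3)

def looks_like_date(code):
    """True if the digits parse as a calendar date between 1900 and 2099."""
    for fmt in DATE_FORMATS.get(len(code), ()):
        try:
            year = datetime.strptime(code, fmt).year
        except ValueError:
            continue
        if 1900 <= year <= 2099:
            return True
    return False

def is_constant_step(code):
    """123456, 987654, 246802, 111111: same digit step throughout (mod 10)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    return len(steps) == 1

def is_repeated_block(code):
    """121212 or 147147: one block of up to three digits, repeated."""
    return any(len(code) >= 2 * n and len(code) % n == 0
               and code == code[:n] * (len(code) // n) for n in (1, 2, 3))

def is_keypad_walk(code):
    """147896: every key touches the previous one on the keypad."""
    return all(max(abs(KEYPAD[a][0] - KEYPAD[b][0]),
                   abs(KEYPAD[a][1] - KEYPAD[b][1])) <= 1
               for a, b in zip(code, code[1:]))

def passcode_problems(code):
    """Return the reasons a numeric passcode is weak; empty list if none found."""
    if not (code.isascii() and code.isdigit()):
        return ["not numeric"]
    problems = []
    if len(code) < MIN_LEN:
        problems.append("too short")
    if looks_like_date(code):
        problems.append("date-shaped")
    if is_constant_step(code) or is_repeated_block(code) or is_keypad_walk(code):
        problems.append("obvious pattern")
    return problems
```

An empty result only means none of these rules fired; it does not prove the passcode is hard to guess for someone who knows you.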
Protect your online presence by using complex passwords, as well as two-factor authentication for as many accounts as possible, not just the one you have at Apple. A vulnerability in one account can potentially be used to hack into others. Also, be on the lookout for scammers tricking you into sharing sensitive data — no legitimate business is going to ask you for credit card details via chat, especially if you didn’t begin the interaction.