Are Apple Pay and Google Pay secure?

How do you pay for things?

Do you insert a physical debit or credit card or tap that card against a payment terminal? Perhaps you’re among the average 30 percent of Canadians who reported using mobile payments in 2020. Without a doubt, that number has only gone up since. 

I’ve been in love with the concept of mobile payments and digital wallets since Apple Pay first came to Canada in 2015. During Apple Pay’s early days in Canada, I encountered many situations where I was the first person to pay with my Apple Watch in a store. Of course, those stories are far less common seven years since launch. 

My goal to someday replace my keys and wallet with my phone is well on track. I no longer need house keys, car keys, or my physical bank cards. My phone covers everything, minus my mailbox key and driver’s license. In a previous article I wrote, you can learn how I started to replace my physical wallet by learning about all the different items you can add to the Apple Wallet app. 

Even though Apple Pay has been available in Canada since 2015, Samsung Pay since 2016 and Google Pay (formerly Android Pay) since 2017, there is still a lot of hesitation with using smartphones and smartwatches to pay for things in place of our traditional credit and debit cards.

Let’s explore what payment option is the most secure and if mobile wallets should be the future of payments.

What is a Mobile Wallet?

If you use Samsung Pay, Google Pay or Apple Pay, you have a mobile wallet. In their most common form, mobile wallets are digital versions of our debit and credit cards on our mobile devices like smartphones and smartwatches. All mobile wallets are also digital wallets, with the difference being that digital wallets aren’t exclusive to mobile devices. Digital wallets can also support cryptocurrencies and digital cash. Still, for this article, we’re focusing on how secure a digital debit or credit card is compared to tapping or inserting a physical card.

How secure is tapping my bank card?

Functionally, tapping your debit or credit can is very secure. “Tap” or contactless payment, as the feature is officially called, uses a technology called NFC which stands for near-field communication. NFC is a wireless communication protocol which can transmit data between two devices that are very close together. 

The primary risk with tapping your debit or credit card is there is no form of authentication; anyone with the card can make a payment. To mitigate this risk, most cards have a limit of $100 to $250. In my experience, banks will let you disable contactless payments on debit cards but not credit cards. This is because credit cards offer fraud protection, unlike debit cards. 

A lesser secondary risk is contactless skimming. You may have heard stories where people use a device to wirelessly capture card details from your debit or credit card. This is incredibly rare for two reasons. First, the scammer would have to be physically very close to you. Second, NFC generates a random transaction ID every time it communicates with a device, meaning the scammer can only complete one transaction at most with the captured details. 

How secure is inserting my bank card?

In general, inserting your physical debit or credit card is very secure. In Canada, we have a reasonably modern financial system, at least compared to our neighbours south of the border. Canadians just about never have to swipe their payment cards, which is excellent because, unsurprisingly, swiping your card is far less secure than inserting it or using a mobile wallet. 

When inserting a chip-enabled debit or credit card, you enter a pin to verify the transaction is authorized. Then your transaction is securely transmitted to the bank. However, there are two situations where chip-inserted cards are not ideal. 

The first is related to security. Skimming is where an unauthorized device is used in place of the legitimate payment terminal, and it captures your card number and sends it to the scammer. Skimmer attacks aren’t common but are most often used at bank machines and self-served gas pumps because they aren’t attended by staff. 

The second is related to privacy. When swiping a card using its magnetic stripe, the merchant can see the card number, expiration date, and CVV number. In contrast, when using a chip-enabled card, the merchant doesn’t get the card number and instead receives a random transaction ID. However, they can still possibly get the transaction amount, date and time, your name, address, and phone number. 

How secure is Samsung Pay, Google Pay, or Apple Pay?

All three mobile wallets function similarly on the surface, with a few differences underneath. While inserting your card is reasonably more secure than tapping, it’s less convenient. All three mobile wallet platforms improve on the weaknesses of using tap while providing similar convenience. Smartphones and smartwatches use an NFC chip, like your debit or credit card, to conduct contactless payments. 

The primary difference is that your mobile device leverages different technologies to prevent fraud. First, passcodes and biometrics like facial recognition or fingerprint sensors prevent unauthorized payments. It’s pretty slick to pull out your smartphone, verify with a biometric and wave your device to pay. Additionally, as far as I know, banks still maintain the $100 to $250 contactless payment limit. Although I’d argue that should be removed for mobile wallets since they have some form of authentication. Not to mention, leveraging biometrics is far more secure than the four to six-digit pin you’d use on your physical card that someone could shoulder surf. 

In terms of skimming, mobile wallets win here too. Since you don’t insert your phone, skimming isn’t possible. Regarding wireless skimming, our smart devices are intelligent enough to know whether a payment is legitimate, unlike your regular card. 

The main difference between these three mobile wallets is how they operate behind the scenes. Samsung Pay and Google Pay securely store payment details on a company server instead of a device. There isn’t anything necessarily insecure about this since the data is encrypted. However, the server-based approach could, in theory, be compromised. However, this would be to an incredibly sophisticated attacker. Ultimately, Samsung and Google likely took the server-based approach to collect data. 

Apple being Apple opted for the privacy-first approach and stores all card details on a device instead of a server. Apple devices supporting Apple Pay have a special chip called a Secure Enclave. The Secure Enclave is encrypted and physically separate from the main processor, leveraging its own memory and storage. This means that even if someone does compromise the processor or other parts of the system or even physically gets a hold of the device, they can’t access your card details. Your health data and other sensitive information are also stored on the Secure Enclave. 

Samsung Pay, Google Pay, and Apple Pay all provide the same service. All three also do it more securely than by using a physical card. The primary difference is that Apple takes a more privacy-focused approach by completing processes on-device instead of on a server like its Android counterparts.

Are Mobile Wallets the future of payments?

Personally, I firmly believe mobile wallets are the future of payments. Ideally, they’ll be the future of our house keys, car keys, and IDs too. When we migrate systems onto our heavily connected devices, there will undoubtedly be risks. However, when done right, leveraging the computer in your pocket or wrist is a better option than a physical card because it can provide additional security and privacy benefits. Ultimately, if you prefer a physical card, that’s fine, our payment networks are very secure, and the risk is low.

But if you’re currently on edge about using your mobile device to pay for things, do it. Paying with your smartphone or smartwatch is easy, convenient, and secure.