posted: August 31, 2019
tl;dr: How Apple implemented the five simple steps to dramatically improve security that I told Visa about...
Consider this post to be an early, partial review of the Apple Card, with a full review to follow once I have more experience with it. Back in December, I wrote a post entitled “Five simple steps Visa could take to dramatically improve security”. As it turns out, Apple has effectively implemented all of my suggestions, as described below, while Visa has dawdled. Instead, Visa has been busy foisting their latest security flaw upon an unsuspecting public: contactless payment credit cards, which let you or any thief who steals your card quickly make purchases without providing a PIN or any other type of verification that the card is actually yours.
I wasn’t fully aware that Apple was developing a credit card when I wrote my post, but I am thrilled to see how they implemented each of my suggestions:
1. Remove printed and embossed account info from the card
The Apple Card provides two ways to make purchases: via a virtual credit card built into the Apple Wallet app on an iPhone, and via a physical credit card. The physical Apple credit card is an interim solution that is only needed (and which should only be used) when making purchases at merchants who have not yet upgraded to wireless point-of-sale terminals. To incentivize users to make purchases with the virtual Apple Card on their iPhones, Apple smartly doubles the cash back for wireless purchases, from 1% to 2%. This reflects the greater security of the wireless payment system, which will result in less fraud: Apple passes some of those savings along to their customers.
So the physical Apple Card exists for the time being. Apple smartly removed the printed and embossed account info from the card, so they get a 100% from me for fully implementing this suggestion. You cannot use the physical Apple Card to make a purchase from a merchant who only has the mechanical, carbon-copy and paper-based purchase system, but when was the last time you ran across a merchant like this? The good news is that, when you hand your Apple Card to a merchant, they (or anyone else observing) can’t see (and potentially photograph or otherwise record) your account info, as they can do with a Visa card.
Your account info is stored and accessible, if needed, in the Apple Wallet app, which only you should have access to since it is on your iPhone, which requires Face ID, Touch ID, or a passcode to unlock. Visa is loath to remove the account info from their cards because they don’t have another device where the account info could be stored. They could potentially develop an iPhone or Android app and put the account info there instead of on the card, but this would complicate their system and they’d be beholden to Apple to release their app for them.
2. Eliminate the magnetic stripe
Apple gets a 75% on this item for mostly implementing this suggestion. Your iPhone does not have a magnetic stripe or EMV chip, and it is the preferred and incentivized way for Apple Card users to make purchases. So Apple is definitely migrating away from the insecure magnetic stripe, which stores your account info in plain text that is easily readable by a credit card skimming device. The physical Apple Card, however, still has a magnetic stripe and EMV chip. Apple evidently concluded that there are still enough merchants out there who have not yet upgraded to wireless terminals that they need to offer a way to purchase by using these legacy technologies.
Apple does appear to be fully aware of the security problems of the magnetic stripe and also static card numbers. The Apple Card app inside Apple Wallet contains a “Request New Card Number” feature, which presumably can be invoked to change the card number if a user suspects it has been compromised. I haven’t had a reason to use this feature yet, but it is great to see that Apple is thinking ahead. In the meantime, I’m one of the few credit card users who won’t use my credit card if the merchant only has the magnetic stripe as a payment option. Sorry, Jack at Square.
3. Eliminate the signature
Apple gets a 95% from me on this item. There is no signature on the physical Apple Card, nor in the virtual Apple Card on your iPhone. You don’t have to give Apple your signature, as it will never be verified. The only reason the grade is not 100% is that some merchants will still ask for a signature, such as at a restaurant where what they really want is for you to fill in a tip. The only way for Apple to fully eliminate the signature would be to embark upon a massive retailer education effort. So, as an Apple Card user, you may still be asked to provide your signature. Feel free to make a nice big X to express your displeasure about the signature (and leave a good tip); it won’t prevent the retailer from taking your money.
4. REQUIRE PINs
Apple gets a 75% on this item. For purchases made using the virtual Apple Card on your iPhone, you have to be able to provide the iPhone itself and you have to authenticate at the time of purchase by using Face ID, Touch ID, or presumably the passcode (I haven’t tested this yet), which is effectively a PIN. So even if someone steals your iPhone, it will be difficult (but not impossible) for them to use it to make a purchase.
The physical Apple Card, however, behaves much the same as a Visa card: a PIN is not required to make a purchase. A thief can lift your card and immediately start making purchases. However, the next item makes it much more likely that you are immediately going to notice that this has happened.
5. Provide more detailed transaction descriptions
100%!!! In fact, if I were handing out bonus points I would award them here, as Apple exceeded what I had asked for. In comparison to a monthly Visa statement, Apple provides much better, more detailed, geo-located information about purchase history in the Apple Wallet. Gone are the days of scrutinizing cryptic entries such as “AMZN Mktp US*MO21M5HJ2” on a Visa statement weeks after a purchase has been made and trying to determine if that is potentially a purchase a thief made on Amazon by using your credit card.
But Apple goes one step further: whenever you use the Apple Card, either the iPhone app or the physical card, a notification describing the purchase appears on your iPhone, usually within seconds or up to a minute later, in my experience so far. Thus you get a near real-time notification that the card has been used, which can quickly inform you of unauthorized purchases. I’m someone who turns off almost all notifications on my phone, because I don’t want to be interrupted by trivial events. I will, however, keep these notifications enabled, as someone using my credit card is one of the few things that I do want to be notified about.
There are other security features built into the Apple Card. It is clear that Apple rethought the whole credit card system and focused on security, with the goal of reducing fraud and hassles for Apple Card customers. The lower levels of fraud will enable Apple to offer more attractive rates and fees, and to take business away from flawed competitors such as Visa. They already have my business, and I heartily recommend that you give them yours, if you care about security.