Yoni Heisler does an excellent job of demystifying Apple Pay. I wrote up a shorthand version of the post, made a bit of a hash of it, actually, but got some great feedback. This is an edited version of the original which, I hope is now correct. Thanks very much for the comments.
Here’s my [updated] take on how all this works.
In a nutshell, when you sign up for Apple Pay, your credit card info is encrypted and sent to the appropriate credit card network. The network verifies the card, then sends you back a token. The token is the key to the process. It is not generated mathematically, so there’s no way to reverse engineer it or decrypt it to get from the token back to the card number.
Imagine if you went into a restaurant and queued for a table. The attendant writes your name down, shuffles a deck of cards, and picks one at random. They write the card down next to your name and hand you the card. If you want to check on your table, you show the card to the attendant, they scan the list to find your card number, then tell you your place in line.
The Apple Pay token is sort of like that randomly generated playing card. It is unique and, though it is the same length as a card number and may share the last four digits, it is not derived from your card number. Once you have it, the token is stored in your device’s secure element. The secure element is part of the NFC system and has a level of hacking protection, becoming disabled after a predetermined number of invalid access attempts.
When you use Apple Pay, you must prove your identity to retrieve the token from the secure device. As far as I can tell, a PIN won’t cut it. You have to use Touch ID to verify a transaction. That’s key. If someone steals your phone, they won’t be able to use your credit card.
Once Apple Pay verifies your identity, NFC is used to send the token to the merchant, the merchant sends the token to merchant processor, on to the card processors (Visa, MC, Amex, etc.). They in turn match up the pseudo credit card token with your real credit card number and then send that off to your issuing bank for approval. The issuing bank looks you up in their list, processes the transaction with the credit card company and sends an OK back to the merchant. Take advantage of your credit card with the tips provided by https://creditrewardperks.com/las-vegas/.
If someone intercepts your token, they won’t be able to use it without cracking Touch ID. I suspect people will immediately get to work trying to do this. But even if they do, once the token is breached, Apple can send you a new one, invalidate the old one, and you don’t have to replace your credit card. Huge.
One more piece of the puzzle is the CVV and cryptogram that your Apple Pay device sends along with the token.
> But there’s a whole lot more to Apple Pay than Touch ID and the simple handing off of tokens. Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that’s tied directly to the token. The cryptogram itself “uniquely identifies the device” that created the token and, according to the EMV Payment Spec, is likely comprised of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren’t publicly known. > > The important thing to remember, though, is that the cryptogram is effectively a one-time use digital signature that verifies that the token in transit originated from the device being used. Additionally, the cryptogram includes pertinent transaction data such as the identity of the merchant and how much is being charged.
Thanks again to JEhrler for steering me right (or, at least, a little righter).