Security Evaluation of Apple Pay at Point-of-Sale Terminals

Abstract

Apple introduced its mobile payment service "Apple Pay" in 2014. It allows customers to pay contactless at point-of-sale (POS) terminals and online. In this paper we will describe the components needed for Apple Pay and evaluate the security of Apple Pay for transactions at POS terminals. We will show that relay attacks cannot be avoided, in general. However, particular security features of Apple Pay prevent that relay attacks can be practically exploited. Our security analysis demonstrates that the security level of Apple Pay is comparable with the security level of payments with traditional credit cards. In contrast to the mobile payment service Google Wallet, no serious security vulnerabilities exist.