Featured image courtesy of Apple, Inc. for use in this commentary.
In the summer of 2019, Apple launched the Apple Card in partnership with Wall Street bank Goldman Sachs and transaction interchange network MasterCharge. Apple made a fuss over its titanium substrate and elegant looks. Others give their attention to its interest rates, limits, fees, and cash back features. Truth be known, the Apple Card is a better than median deal for most but not a fee leader or interest rate leader. But it is the first 21st century credit card. After the break, I’ll explain why.
- 15 August 2020, correct inaccuracy regarding magnetic stripe.
- 15 August 2020, how do I pay my Apple Card bill?
- 15 August 2020, Added shimming reference
- 15 August 2020, Added glossary and cleaned up terminology to make it consistent with the world.
- 15 August 2020, Added compromised card procedures
- 18 August 2020, Apple Card does not work with Quicken, Banktivity, etc.
- EMV Europay, MasterCard, Visa consortium specifying the chip and pin interchange network protocol and chip to reader protocol
- NFC Near field contactless protocol used on air between a payment terminal and a account holder token or mobile device.
- EMV and NFC transaction use the physical card number. The physical card number takes its name from the fact that it is baked into the chip embedded in the card.
- Card Not Present Number my shorthand for the full card number you can read in Apple Wallet. An easily replaced virtual card number.
- Physical Card Number Apple Wallet name for the card number used for NFC and EMV transactions. Last 4 shown. It is encoded in your titanium card hence physical card number.
- Device Account Number Apple Wallet name for the card number used by Apple Pay transactions. Last 4 shown.
21st Century ???
So why is the Apple Card the first 21st century credit card? Because it is the first designed exclusively for use with modern payment interchange infrastructure. The minimal design is striking. Nowhere on the card is there a card number, an expiration date, or a magic number for use in manual transactions.
The card itself can be used in chip-and-pin readers that support the EMV protocol described in reference . It also has a magnetic stripe allowing it to be used with the deprecated stripe reading terminals.
Second, it is designed for near field radio contactless payment devices in partnership with Apple iPhone and Apple Watch.
Apple iPhone is designed for use with near field contactless readers like the one shown above conducting a transaction with Google Wallet on an early Android device. Any transaction point showing the radio waves and card symbol is able to conduct near field contact-less transactions. In the Apple ecosystem, Apple Wallet lets you select a card and carry out the transaction. Note that Apple Card itself does not have the radio parts imbedded, just the EMV card present parts.
Apple Pay and Apple Card are integrated. Any transaction point supporting Apple Pay works with iPhone Apple Wallet and with Apple Card EMV transactions. NFC transactions require that the transaction point have the proper radio parts included.
Note that Apple Pay is an optional protocol with most merchant services providers. Some include it as a free configuration option. Others bleed the merchant for a bit more vigorish to support Apple Pay. Apple Pay is offered to merchant services folk and the interchange carriers without cost. As merchants replace readers, they are adopting EMV/NFC protocols and Apple Pay as checkout is quicker and more secure.
Apple Card is about Security
Goldman, MasterCard, and Apple designed Apple Card to be identity theft resistant. It can only be used for EMV transactions. No numbers on the card to be photographed. Yes, servers photo cards for later exploitation.
The card has multiple card numbers, one for each payment channel. There is a virtual account number card not present transactions. There is a physical card number for EMV and NFC transactions initiated by the card. There is a device card number for Apple Pay transactions. You can change the virtual account number after each use if you wish.
The Apple Wallet App shows all “completed” transactions, here completed means that the EMV, NFC or Apple pAy protocol has run from start to finish without error and an accepted status was received. You’ll also see failed transactions.
Fraudulent transactions become a lot more difficult as the card must be present for most transactions. The card may be present directly, or the transaction can be Apple Pay or Apple Cash Pay if you have set it up. The EMV protocol works via hashes and transaction IDs. There is no point in the transaction where your card number is exposed to be stolen. There is no strip to copy during the swipe. There is a name on the card so you can retrieve it from your server but no other PII on the outside of the card. What there is on the card is encrypted in the EMV secure enclave on the card.
Use the last 4 of the account number to identify which of the three numbers was compromised. Report the compromise to Goldman. Goldman will carry out its fraudulent transaction procedures to reimburse you.
Activating Apple Card
Order Apple Card using Apple Wallet on your iPhone. Apple creates a card matched to that iPhone and Apple ID. Only the ordering iPhone is able to activate and use the card. Its a cryptography thing (public key and private key). To activate the card, open Apple Wallet and place the NFC antenna over the marked spot on the card’s shipping wallet. The two talk to deliver the phone’s half of the cryptographic key pair. Apple has the other half. The phone saves off its key in the secure enclave (that pesky trusted computing stuff). This cryptographic trickery complies with the EMV protocol allowing any EMV NFC reader to conduct an Apple Card transaction.
Apple Card is a Credit Card
It does not have a PIN. Some European points of sale may require a PIN for all cards. If so, you’ll need to use another card at these.
It is not a debit card. You accumulate a bill that closes at the end of the month (28th?) and is carried interest free until the end of the following month. I opened my card in mid-August. It will generate a statement on 30 August. I must pay by 30 September to avoid interest charges.
Credit Line Sizing
Apple set my credit limit at about 10% of my yearly income based on the number I gave them (about twice my Social Security). It appears to be all about Goldman’s opinion about your income statement accuracy and what they can learn about you from the credit bureaus. Spousal income is not considered.
Apple Touch or Face ID controls access
To use Apple Wallet and Apple Card, you must have an unlocked iPhone with you. Apple Touch, Face ID, and iCloud credentials control access to the Apple Card credentials used for transactions. The secure enclave in the T2 chip stores the Apple Card credentials.
Old School Transactions
On Friday, I ordered some music from Qobuz. I payed for it with my Apple Card by using the card number, expiration date, and CCV obtained from Apple Wallet. These are generated uniquely for each card. At any time, you can request a replacement trio, well just because. Or if you don’t trust the Russian Internet merchant. Those numbers are good until you say they are not and replace them.
Wallet is Really Useful
Apple Wallet App gives you access to your transaction history as it is built up, your balance, payment date, and payment process. Click the Pay thing and run through the dialog. You will also receive transaction alerts.
Paying your Apple Card Bill
You pay your Apple Card bill using Apple Wallet to manually initiate an ACH transaction to transfer money from your bank account to your Apple Card account. This requires having your ACH credentials stored in Wallet which keeps them in the secure enclave on the T2 chip.
Apple Card Doesn’t Play Nicely with Personal Finance Programs
Apple Card is not designed to be used with personal finance programs such as Quicken, Mint, and Banktivity. Basically, Goldman Sachs does not offer a net portal for the purpose. Also, the card has multiple account numbers, one for each transaction environment. Only the least used card not present number is exposed for your use. The physical card number and device card number are hidden.
Apple Wallet provides a mechanism for exporting the transactions listed n a statement (they’re in your wallet) to an external computer for transfer to a personal finance manager. Reference  gives the export procedures. The import procedure is destination specific.
Apple Card is still vulnerable to fraudulent transactions. So far, most have happened when the online card not present numbers were used and leaked by a compromised website.
Other fraudulent transactions have occurred when the EMV chip and pin interface was shimmed in a terminal and the transaction copied and used to construct a fraudulent magnetic stripe card.
Apple Card wisely uses three credit card numbers, one for card not present transactions, one for EMV transactions, and one for NFC transactions. Apple Wallet allows you to lock the apple card physical card disabling EMV and stripe transactions. You can continue to make NFC transactions using Apple Wallet and Apple Watch.
Card Not Present Number Compromised
If your card not present virtual card number has been compromised, you can kill it immediately from within Wallet by requesting a new one.
Physical Card Number Compromised
If the physical card number has been compromised, immediately lock the physical card using the lock procedure in Apple Wallet. Order a replacement card by card by running the lost or stolen procedure within Apple Wallet. You will still be able to use Apple Pay which uses the device card number.
Device Card Number Compromised
This should never happen. Apple Pay uses transaction tokenization and stores transactions locally on the secure element (T2 Chip). Report this to Apple Support! Yell really loudly. I can find no mention of a compromised Apple Pay device number.
In the US, most merchants absorb the merchant services costs. Vending machines selling candy and soda are the notable exception. Each transaction has three components, the fixed transaction charge, typically $0.25 for US providers, an interchange fee of 2% to 3% of ticket that has an interchange component and a merchant service component.
Some merchant services providers use tranches for transaction pricing with A, B, and C originators. The pricing bins are for card present, card not present, and risky business transactions. For some reason, lodging charges are risky (reservation deposits and cancellations gum up the works). Restaurants are also risky. Risky is risky in regard to the merchant services provider getting paid. Restaurants are risky because they have a short half-life. Non-profits are typically given preferred rates as little goes wrong for their merchant services provider.
More enlightened merchant services providers offer interchange plus pricing. They pass through the Authorize.net or other interchange network charge adding a surcharge proportional to the ticket face value. For a small non-profit, many merchant services providers will offer interchange plus pricing that averages out about 2.9% of ticket. If interchange plus pricing is available, that is the preferred pricing.
Shimming is the new skimming. You can protect yourself from shimming attacks by using the terminals NFC payment interface where ever possible. Shimming has the ability to compromise your Apple Card physical card number.
Crooks sandwich a shim between the card and the terminal. The terminal and card chat for the EMV transaction. The shim snoops on the exchange and stores the messages in flash. The shim can be inserted in the terminal and concealed. If you feel any unusual resistance inserting your card into the reader there may be a shim present.
From what the shim overhears, an unscrupulous person can recreate the contents of an old-fashioned card stripe and make a fraudulent card. This is a risk when your card disappears during the transaction and is then returned. A reputable establishment will perform the card transaction in your presence using a regular chip and pin reader.
It is possible to tamer with chip and pin readers but this is becoming increasingly hard as equipment becomes more tamper resistant to fraudulent setup alteration.