suppo69 wrote: It is not. Never, ever.
When you add a credit or debit card with Apple Pay, the actual card numbers are not stored on the device nor on Apple servers. Instead, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element on your iPhone or Apple Watch. Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.
The “Device Account Number” is Apple’s term for a payment token. Rather than attempting to build some entirely new, proprietary payment method, Apple took the emerging technology of tokenization (another product of EMVco), and created a new implementation on top of it. The primary scenario in the tokenization specification is that the merchant still reads the PAN from your card, but when the payment is authorized, the merchant is given a token that they then save in their system instead of your actual credit card number. This solves the problem of hackers stealing your number that has been stored, but doesn’t help if the PAN is intercepted before then, such as the case if a malicious program has been loaded onto the card terminal itself.
A payment token “refers to a surrogate value for a PAN that is a 13 to 19-digit numeric value that must pass basic validation rules of an account number, including the Luhn check digit. […] Payment Tokens must not have the same value as or conflict with a real PAN.” In other words, to a merchant, a token looks just like any ordinary credit card number. A token for a Visa credit card will be 16-digits and start with a 4, but it cannot be used like a normal credit card number. A thief could steal a PAN and easily use it to make an online purchase, but a token won’t work. To clarify the most common misconception regarding Apple Pay, the Payment Token is not single-use. Every time you use a given card with a given phone, the same token is used. This is still secure, however, because the Payment Token can be used for transactions only as part of the overall tokenization scheme. Specifically, a token can’t be authorized without the token cryptogram, referred to in Apple’s press release as a “dynamic security code.” A token cryptogram is “generated using the Payment Token and additional transaction data to create a transaction-unique value. The calculation and format may vary by use case.” If someone were able to steal that token from a merchant, they couldn’t use it for an online purchase, or load it onto a fake credit card to use; the number would be declined because the thief cannot generate the dynamic security code.
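The scheme described in the quoted text, as an added example that is not part of the original post or of any Apple or EMVCo code: the token passes the same Luhn check as a card number and is reused for every payment, but authorization also requires a fresh cryptogram. Assumptions: HMAC-SHA256 over token, amount and a counter stands in for the real cryptogram calculation (which the text says varies by use case), `TokenService` is a hypothetical issuer-side vault, and both card numbers are constructed test values.

```python
import hashlib, hmac, secrets

PAN = "4111111111111111"    # well-known test number standing in for the real card
TOKEN = "4242424242424242"  # constructed token: Visa-shaped, passes Luhn, differs from PAN

def luhn_ok(number):
    # Basic account-number validation: 13-19 digits and a valid Luhn check digit.
    if not (number.isdigit() and 13 <= len(number) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def cryptogram(key, token, amount_cents, counter):
    """Transaction-unique value over the token plus transaction data (HMAC stand-in)."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenService:  # hypothetical token vault on the issuer/network side
    def __init__(self):
        self.vault = {}  # token -> [pan, device key, last counter seen]

    def provision(self, token, pan, key):
        self.vault[token] = [pan, key, 0]

    def authorize(self, token, amount_cents, counter, crypt):
        entry = self.vault.get(token)
        if entry is None or crypt is None:
            return False              # unknown token, or token presented on its own
        _pan, key, last = entry
        if counter <= last:
            return False              # cryptogram replayed from an earlier transaction
        expected = cryptogram(key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, crypt):
            return False              # cryptogram not produced with the device key
        entry[2] = counter
        return True

def demo():
    svc, key = TokenService(), secrets.token_bytes(32)  # key assumed shared by device and issuer
    svc.provision(TOKEN, PAN, key)
    first = cryptogram(key, TOKEN, 1999, 1)
    return {
        "device_payment": svc.authorize(TOKEN, 1999, 1, first),
        "replayed_cryptogram": svc.authorize(TOKEN, 1999, 1, first),
        "stolen_token_only": svc.authorize(TOKEN, 1999, 2, None),
        "same_token_next_payment": svc.authorize(TOKEN, 500, 2, cryptogram(key, TOKEN, 500, 2)),
    }
```

Calling `demo()` returns the authorization decision for each case: the device's own payments succeed with the same token, while the token alone or a replayed cryptogram is declined.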