Thanks to Google Pay and Apple Pay, you can now use your smartphone or watch to pay at retail stores instead of your physical credit card. This may seem tempting for the single reason that you can leave your bulky wallet at home. On top of that, many cities around the world have also embraced these apps for transit payments. But does this convenience come at the cost of security, and should you be cautious about relying on these apps for everyday payments? Here’s everything you need to know about the safety of tap-to-pay in apps like Google Pay and Apple Pay.
Are Google Wallet and Apple Pay safe to use?
Apps like Google Pay, Samsung Wallet, and Apple Pay are more secure than your physical credit card. This is because they use a process called tokenization, which offers an additional layer of security over physical cards.
When you add your card to a payment app, its details like the 16-digit number and expiry do not get copied over. Instead, the app contacts your bank or card issuer to request a token. You can think of this token as a long, random number that lives exclusively on your phone. Your bank or card issuer will only issue such a token to trusted apps like Google Pay and Apple Pay. You will also have to validate your identity, typically done by entering your card details and receiving a one-time password over SMS, in order to receive the token.
The token is stored within the secure portion of your phone’s SoC — similar to biometric data like fingerprints. But even if someone managed to hack your phone to access this token, it wouldn’t work on a different device. Tokens are typically tied to individual devices. A portion of the token also changes every time you use it, depending on factors like the date and time, meaning it cannot be intercepted and re-used.
Another benefit to using tokens is that a malicious payment terminal cannot steal any card information when you tap your phone. The intercepted data would look like a bunch of random numbers, which is not very useful to say the least. In fact, the merchant cannot identify any personal information when you use a tokenized card.
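The tokenization flow described above, as an added example that is not from the original article: a simplified model in which the issuer keeps the only token-to-card mapping and each tap carries a one-time cryptogram. The HMAC construction, the per-device key, the transaction counter and all class and function names are assumptions made for illustration; this is not the actual algorithm used by card networks, Google Pay or Apple Pay.

```python
import hashlib
import hmac
import secrets

def _cryptogram(key, token, counter, amount):
    # The part of the payment data that changes on every tap (assumed: HMAC over a counter).
    return hmac.new(key, f"{token}|{counter}|{amount}".encode(), hashlib.sha256).hexdigest()

class Issuer:
    """Token vault: the only place where a token maps back to the real card number."""
    def __init__(self):
        self.vault = {}  # token -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        # In practice issued only after the cardholder is verified (e.g. SMS one-time password).
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # assumed to live in the phone's secure hardware
        self.vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def authorize(self, msg):
        entry = self.vault.get(msg["token"])
        if entry is None:
            return "declined: unknown token"
        expected = _cryptogram(entry["key"], msg["token"], msg["counter"], msg["amount"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= entry["last_counter"]:
            return "declined: replay"  # same tap data presented twice
        entry["last_counter"] = msg["counter"]
        return "approved"

class Phone:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def tap(self, amount):
        self._counter += 1
        return {"token": self.token, "counter": self._counter, "amount": amount,
                "cryptogram": _cryptogram(self._key, self.token, self._counter, amount)}

def demo():
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test card number
    phone = Phone(*issuer.provision(pan))
    msg = phone.tap(1250)                         # what the terminal sees
    first = issuer.authorize(msg)
    replay = issuer.authorize(dict(msg))          # captured data presented again
    forged = issuer.authorize(dict(phone.tap(1250), amount=99999))  # amount altered in transit
    cloned = issuer.authorize(Phone(phone.token, secrets.token_bytes(32)).tap(500))  # token without device key
    return first, replay, forged, cloned, pan in msg.values()
```

The last value returned by `demo()` shows that the card number never appears in the data the terminal receives, and the three declined cases correspond to a re-used tap, a tampered amount and a token copied to a device that lacks the original key.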
How do payment apps like Google Pay and Apple Pay work?
Payment apps use your phone’s near field communication (NFC) antenna. NFC is a wireless technology, which you may already be familiar with if you’ve ever used hotel or office keycards. It allows two devices to communicate over short distances, such as when you bring your phone within inches of a payment terminal.
Modern credit cards come with an NFC tag baked-in, allowing you to simply tap them against a terminal to complete a purchase. However, these physical cards cannot be re-programmed to act as a different card. On the other hand, your phone can serve as a programmable NFC tag. This means that you can store multiple cards, even across different apps, and switch between them at will.
Can anyone use saved cards in Apple Pay and Google Pay if I lose my phone?
No, your saved cards in Apple Pay and Google Wallet are always locked behind your lock screen password or biometrics like your fingerprint. Even on a wearable device like an Apple Watch, enabling a digital payment method will force you to use a PIN. This may seem like an inconvenience, but it prevents phone thieves from getting access to your saved cards and using them.
For this reason, using payment apps on your phone is actually safer than carrying around a wallet full of physical credit cards. If you lose the latter, anyone could simply tap your card or use its chip to rack up large purchases before you notice. Very few countries require a PIN or signature to authenticate credit card transactions.
Apps like Google Pay can also safeguard you from other types of credit card fraud such as skimming, where scammers use a malicious payment terminal or ATM to clone your card when you swipe it. This is why you should only ever use tap-to-pay or your card’s chip — they are much more secure than the magnetic stripe.
However, there is one caveat worth mentioning — both Android and iPhone support contactless payments while locked. This can be especially handy for transit payments, which are typically low value. When I was in Japan, for example, my Pixel completely ran out of battery on the subway but I could still tap my phone at the turnstile while exiting. You can disable this behavior via the “Require device unlock for NFC” setting on Android and “Express Transit Payments” setting within Apple Pay.
How safe is Apple Pay for online purchases?
Apple Pay is just as safe for online and App Store purchases as in-store purchases because it uses the same tokenization mechanism. This is one of the rare cases where the more convenient option is also the safer option. If you use Apple Pay or Google Pay while shopping online, you don’t need to enter details like your 16-digit card number and the website can never steal or leak it.
FAQs
Google Wallet and Apple Pay are much more secure than using your physical card for transactions because you need to unlock your phone or watch to complete payments. Meanwhile, a card can be used without any authentication whatsoever.
Yes, Google Wallet is safe from hackers because your card details are stored in a different format that cannot be read or re-used even if a hacker gets their hands on your device.
Yes, neither Google Wallet nor Apple Pay stores a copy of your credit card information. Instead, they communicate a device-specific token to payment terminals, which cannot be cloned or copied by a skimmer.
Yes, there is no downside to adding your cards to payment apps on your phone. However, you should set a secure lock screen password or PIN since an unlocked device can be used to complete payments instead of your card.