A lot of banks and credit unions participate in Apple Pay. In fact, nearly 3,000 U.S. financial institutions do - up from 1,600 just two years ago.
When Apple Pay was first being adopted, I wrote a blog post discussing the potential data security and transaction risks Apple Pay could pose to client data: the risk of stolen credit cards being used via Apple Pay, the risk of third-party apps designed to accept Apple Pay, and the risk that biometric security (like thumbprints and face recognition) is not as secure as we might think.
Yet, as one community bank customer of ours reminded us, Apple Pay is not a direct vendor. Apple Pay is rolled up through Visa, a critical vendor. The bank pays Visa, not Apple Pay for the service. Customers decide to add the bank’s card (or any other card) onto Apple Pay.
This raises an interesting question. Should financial institutions (FIs) using Apple Pay have to review Apple as a vendor?
Assessing the Apple Pay Security Guide
Let’s look at the facts.
Apple’s iOS Security Guide 12.1, dated November 2018, offers some insight. The guide explains that a Device Account Number (DAN) is created and encrypted when a card is added. The DAN is isolated from iOS, Apple cannot access it, and the full card number is not stored on the device or on Apple’s servers. This clearly distinguishes the service Apple provides, and the access it has, from the access Visa has.
Meanwhile, setting up Apple Pay is initiated by the consumer; it is not something the FI automatically provides with the Visa card it has issued. The consumer also chooses which cards to put in this virtual wallet.
Based on these two facts, we’d tentatively say that Apple Pay is not a vendor, but there are more questions to ask. It would be a good idea to ask Visa:
- What exactly is the business relationship between Visa and Apple?
- Does the FI need to approve access to the customer’s account at the customer’s request?
- Or is the FI affirmatively approving Visa’s access to the consumer’s account?
- Who is responsible for fraudulent activity?
Internal Questions About Apple Pay
FIs might also want to consider issuing a disclaimer to customers describing the separation between the FI’s business relationship and Apple’s. This question is probably best addressed by the FI’s internal legal team.
With this information, banks and credit unions can make a case for whether Apple Pay is a vendor or whether that relationship is appropriately managed by Visa, MasterCard, or another financial services company.
As the world of vendor management (including third-, fourth- and fifth-party vendors) grows more complicated, it’s important to take a step back and consider the big picture to make sure you’re not missing a critical relationship. There are huge opportunities out there, but also big risks.