Apple Pay is Only as Secure as You Are

  • by Derrick Bretz
  • Mar 24, 2015

Like all things Apple, their product developments are prominent in the headlines. But this time, Apple is coming under scrutiny for card fraud occurring on their mobile payment platform, Apple Pay.

Recently, Apple Pay card fraud has been linked to poor verification efforts by banks already participating in Apple Pay’s mobile wallet. And just to be clear, that’s not a failing of Apple Pay—that’s the fault of participating banks whose enrollment and secondary transaction checks at the time of authorization are failing to mitigate fraud.

Keep reading to learn how your foray into Apple Pay can be successful and secure.

3 Paths to Validation: Red, Green and Yellow  

When cardholders apply for Apple Pay, banks must first validate the identity of cardholders. Some bigger banks do it for themselves, while others work with issuer processors—like CSI—to provide verification and follow up.

In the current enrollment process, there are three paths used to validate cardholders: red, green and yellow.

  • Red: Not validated
  • Green: Validated
  • Yellow: Questionable validation

Initially, when Apple Pay launched, there was no yellow path. During enrollment, Apple would assign cardholders assurance scores. Then Apple passed those scores to the network token providers—Visa or MasterCard. Based on those scores, Visa/MasterCard would approve (green) or decline (red) the issuance of those tokens.

The issue comes with the yellow path, which was introduced about four weeks after Apple Pay launched. Cardholders identified as yellow are told to contact their banks to perform additional verification steps. Then token creation can be enabled. 

Apple Pay Enrollment Issues Ensue 

Many of the card issuers and card providers use call centers to perform the verification process for the yellow path. And some call centers only ask basic questions in the validation process to help get their cardholders enrolled quickly.

So when fraudsters with card-not-present, or “stolen,” credentials attempt to enroll them in Apple Pay, they’re assigned the yellow path. Sometimes call centers validate these fraudsters because many organized fraud rings have enough personally identifiable information to pass these basic validation checks, such as Social Security numbers, addresses, telephone numbers and email addresses.

Taking Validation a Step Further

Often, these call centers fail to detect fraudulent enrollments because fraudsters have identification information readily available. Being more creative and spending a little more time verifying identity credentials could help. For example, call centers could ask enrollees to reference two to three recent physical retail locations where they completed transactions and the amounts spent. That kind of information is both timely and harder to come by for fraudsters. 
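The check suggested above (recent physical retail locations and the amounts spent) can be sketched as follows. This is an added example, not CSI's code or part of the original article; the function name, the 14-day window, the $2.00 tolerance, the three-claim cap and the sample data are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Txn:
    merchant: str        # descriptor as it appears on the authorization record
    amount_cents: int
    day: date
    card_present: bool   # True for in-store (physical retail) purchases

def _norm(name: str) -> str:
    # "CORNER PHARMACY #1234" and "Corner Pharmacy" both become "cornerpharmacy".
    return re.sub(r"[^a-z]", "", name.lower())

def verify_yellow_path(history, claims, today, window_days=14,
                       tolerance_cents=200, required=2, max_claims=3):
    """True when `required` caller claims each match a distinct recent in-store txn."""
    cutoff = today - timedelta(days=window_days)
    # The check asks about recent physical retail locations, so online
    # (card-not-present) purchases and older activity are excluded.
    pool = [t for t in history if t.card_present and cutoff <= t.day <= today]
    used, matched = set(), 0
    for merchant, amount_cents in claims[:max_claims]:   # cap guesses per call
        key = _norm(merchant)
        if len(key) < 3:          # too short to identify a merchant (assumed minimum)
            continue
        for i, t in enumerate(pool):
            if (i not in used and key in _norm(t.merchant)
                    and abs(t.amount_cents - amount_cents) <= tolerance_cents):
                used.add(i)       # one transaction cannot satisfy two claims
                matched += 1
                break
    return matched >= required

# Constructed sample data (not real merchants or transactions).
TODAY = date(2015, 3, 24)
HISTORY = [
    Txn("CORNER PHARMACY #1234", 1849, date(2015, 3, 20), True),
    Txn("CITY GROCER 0456", 6312, date(2015, 3, 18), True),
    Txn("ONLINE MKTPLACE", 2599, date(2015, 3, 19), False),  # online purchase
    Txn("FUEL STOP 5744", 4000, date(2015, 2, 1), True),     # outside the window
]

if __name__ == "__main__":
    print(verify_yellow_path(HISTORY, [("Corner Pharmacy", 1800), ("City Grocer", 6300)], TODAY))
    print(verify_yellow_path(HISTORY, [("Online Mktplace", 2599), ("Fuel Stop", 4000)], TODAY))
```

The distinct-transaction rule and the cap on claims matter as much as the match itself: without them, a caller could repeat one known purchase or keep guessing until enough answers land.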

This example is an important first step, but because merchants don’t require proof of identification at check out with Apple Pay, validation efforts need to go a step further. 

CSI Card Services does this. We not only have fraud parameters in our systems that validate credentials passed to us, we also look at the behavioral intent of what’s happening after the incident of fraud takes place. This is what our Card Sentry solution does today. By considering factors that may qualify as out-of-pattern behavior for cardholders, we ensure our systems are effective in combating fraud.

Risk for Reward: Influencing the Future of Mobile Payments

Ultimately, the responsibility for validation and the prevention of fraud falls to the banks and their issuer processors, not to Apple Pay. And for all its risks, Apple Pay is worth doing. But, why?

It’s not just because Apple Pay’s infrastructure is under constant development and fraud issues will improve. It’s also because investing in programs like Apple Pay is a part of a larger strategic move by banks like yours to influence the future of mobile payments.


Derrick Bretz leads strategic product development and quality improvement initiatives within CSI Payment Services. In his role, Derrick enhances payment and commerce experiences and customer education through the use of data analytics. Having helped develop CSI’s initial mobile offerings, Derrick continues to provide leadership on mobile commerce initiatives.