Apple's take on Hardware Security for Web Payments

As an avid Web user since 20 years back I have always wondered when chip-cards would also become usable for on-line payments.  It was somewhat surprising that it was Apple who finally pioneered this although their chip-card is a virtualized multi-card scheme running in a "Secure Enclave" (Apple terminology) which is a part of the main CPU.

Anyway, the stumbling block never was smart card middleware as some people have suggested.  The core problem is rather that since there's no such thing as "Trusted Web Application", you obviously need a "shield" [1] between the untrusted open Web and the "chip-card".   However, Apple didn't have to create anything special here since they already had the trusted application; the Apple Pay "App".

Although slightly simplified, the only thing left was an interface to the Apple Pay App:


1] Merchants do not have any a priori relation to customers' chip-cards so GlobalPlatform-like access control schemes doesn't apply here.  In addition, things like PINs shouldn't be dealt with by external parties which is why certified payment terminals are mandatory in physical shops:

Received on Friday, 17 June 2016 06:48:19 UTC