Apple unveils the highly-secure Apple Card
An Apple Pay–centric card with rewards and no fees
Up to 3%
10.99% to 21.99%
Purchase APR (variable)
Update: you now earn 3% cash back on purchases made at Exxon and Mobile gas stations — including gas, car wash and convenience store purchases — when you pay with Apple Pay with your Apple Card.
Apple announced its foray into the consumer credit space on March 25, 2019, during its services event. In collaboration with Goldman Sachs, the tech giant unveiled its predictably sleek Apple Card, which officially launched August 20, 2019.
Featuring a variety of consumer-friendly features, the Apple Card positions itself as a market frontrunner when it comes to benefits like security. To get a sense of just how Apple Card‘s security features differ from other cards on the market, we reached out to an expert in the field of card security, Eric Cowperthwaite, vice president of Identity Services at Herjavec Group. Cowperthwaite has more than 25 year’s experience in the security space and got his start before cybersecurity become a household term.
What’s the big deal?
Name-brand aside, the Apple Card positions itself as incredibly consumer friendly. It’s designed to help tech-savvy cardholders develop stronger financial habits and also offers rewards on purchases, similar to the high-limit, no-fee Petal® 2 "Cash Back, No Fees" Visa® Credit Card. Plus, Apple promises the Apple Card to be one of the most secure on the market.
“In general, Touch ID and Face ID is [sic] much easier for the end user. So one of Apple’s approaches to security has been to make stronger security capabilities also easier to use.”
What sets the Apple Card apart?
- Apple-approved security.
The Apple Card sports a slew of security features backed by Apple’s established security technologies, including facial recognition.
- No fees.
The Apple Card promises no late fees, no annual fees, no international fees and no over-the-limit fees – quite a rarity in the credit card market. Though missed payments still result in additional interest on your balance.
- Low interest.
Apple promises interest rates that are “among the lowest in the industry,” listing 10.99% to 21.99% variable APR as of March 2019. Apple’s Wallet app will also show you how much accrued interest you face in a given month, depending on your card’s balance.
- Cashback rewards.
The Apple Card‘s rewards system offers what Apple’s calling Daily Cash. You’ll earn 2% Daily Cash on all purchases using your Apple Card through Apple Pay and 3% on purchases made this way with Apple directly. You also earn 3% back on purchases made with Apple Pay with your Apple card at T-Mobile and Exxon and Mobil gas stations. Purchases using your physical Apple Card earn 1% Daily Cash.
- Unique reward redemption.
Unlike other cashback programs, Apple posts Daily Cash directly to your Apple Card account — as the name suggests — every day, allowing you to spend your rewards almost immediately. Redeem Daily Cash earned using Apple Pay or send it to other Apple users through the Messages app.
- Balance and spending tracking.
Apple logs and categorizes Apple Card purchases for your review. Plus, the Wallet app sends weekly and monthly spending summaries to help you better understand your spending.
A security expert weighs in
Apple extends to the Apple Card its long commitment to privacy and security. We asked Eric Cowperthwaite, Vice President of Identity Services at Herjavec Group, just what to expect when it comes to the efficacy of the Apple Card‘s security features.
A talk with Eric Cowperthwaite, Vice President of Identity Services at Herjavec Group, and Jon Brodsky, former CEO of Finder US
Eric: Yeah, absolutely. It’s Eric Cow-perth-waite.
Jon: Awesome, thank you.
Jon: So this is Jon Brodsky from finder.com. The first thing we want to ask you about, Eric, is how you got into the security space in the first place?
Eric: Oh, wow. About 25 years ago, give or take, I went to work for a company called EDS, Electronic Data Systems, which was a huge computer and information services provider that later on got bought by Hewlett-Packard.
But at the time, sort of the mid-90s, there was not much in the way of what we today call information security or cybersecurity. It kind of was developing back then. And I ended up being part of some services contracts we were doing that called for security work, and it became really interesting to me. I was a system engineer at the time, and I sort of got some mentoring that said, “This may be important down the road.”
So, in spite of all the system engineer–type folks telling me, “You are crazy,” I headed down the security path inside EDS at the time.
Jon: Cool! So you are kind of a pioneer in the space, along with a lot of other people at Herjavec Group. Is that fair?
Eric: Yeah, I think that’s fair. When you look around, there’s not a lot of people who date back 20-plus years in the space.
Jon: Very cool. Well, then, that seems that you are going to be very uniquely qualified to answer our questions on the Apple Credit Card.
Eric: Hope so. I’ve also been using the iPhone since the first generation, so maybe that helps too.
Jon: So you are an iPhone user and you are a security person. Would it be fair to say you pick that based on security concerns, or just because you like it more?
Eric: It’s fair to say that security of my devices is a component of how I choose them.
Jon: OK, that is fair.
You’re an Apple product user. And the Apple Card presentation, which happened a couple of weeks ago now, really touted their security features.
Do you think that the Apple Card is going to be more secure than a magnetic stripe credit card?
Eric: So, there’s kind of three components to credit card security. The first one is the physical card itself and how you maintain the security of the card and the numbers on it. That kind of thing.
And then there’s the electronic information related to the card, which is all contained in the magstripe on the back of the card, right? Most major credit cards breaches you’ve ever heard of occurred because the magstripe level 2 data was being intercepted and stolen within a merchant. So that electronic data is your second major important component of the credit card’s security.
And then the last component, which is really new to us, is when you are storing a credit card in these wallets that have been built by Chase or Google or Apple — that you can store multiple credit cards in there, and you can pay with your phone just reading the information out of the wallet, etc. That’s the third major component of card security, and it’s really new to the table, right? It’s only been a big deal over maybe, what, the last three years or something.
Jon: Yeah, that’s true. And you led perfectly into my next question here, which is: Is it actually more secure to have it on your phone versus on the card?
Eric: Without going too deep in the bits and bites and technical piece of this, the short answer is yes. And the reason for that is that on your device, whether it’s an Apple device or some other competing device, the card information is stored in a sequestered physical component on the phone.
There is a linkage made to the issuing bank. And you are not actually giving them your card number, you are giving them the card information that is presented by the wallet, which is not the same as your card number.
And then on the back end, it’s all connected back to the issuing bank. So the card information never goes to the merchant in the way that it does when you do a magstripe swipe.
Jon: I didn’t realize that. So all the information is, for lack of a better term, hashed somewhere on the way. Is that right?
Eric: Yeah. And it’s been tokenized in its presentation to the merchant.
Jon: And is there a way for a sufficiently smart criminal to spoof those tokens and those hashes?
Eric: If you have the original credit card information, you could then input it into a wallet and do what it creates when you put it in a wallet on an Apple device. It creates a new token, right?
Do you use a wallet on your phone by any chance?
Jon: I do have a wallet on my phone that has a fingerprint ID that fails about 40% of the time.
Eric: So, when you put a card into that wallet, one of the things it does is it talks to the bank to make sure it’s OK to do it. And the issuing bank actually contacts you and says, “Hey, I’m doing this.”
You may recall that the first time you put your card in the wallet, Bank of America, or whomever your original bank was, sent you a note saying “I’m adding this card. Is that OK?”
Eric: So it becomes much more difficult to add a card in a fraudulent fashion to an Apple Wallet, or Google Wallet, or any of those. I don’t want to say it’s just Apple that makes that safe.
The other aspect of the card security that is really a big deal here, the more we think about it, is whether the Apple phone is safe. Are we making it difficult to access the phone both physically and electronically?
Of course, we all know about Face ID, and Touch ID, and that kind of thing, which is a big step up from four-digit PIN numbers. But it’s demonstrated to have some weaknesses still. So more secure than a PIN number, but not 100% foolproof.
Jon: And how many people, if you have an estimate handy, actually use those security features, versus keeping their phone unlocked or using something that is relatively easy to break, like a four-digit PIN?
Eric: I haven’t dug into this particular issue very much, so I’m going to be a little bit vague here, unfortunately. But it appears that because of the way that Apple does this — they just ask you during phone setup to turn on Touch ID or Face ID — that, and please don’t quote me as this is exactly right, maybe 90% of people with phones with those capabilities are using them. And one of the reasons why is that Face ID is a thousand times easier than a four-digit PIN.
Jon: It is, except when you have a 5-year-old that keeps staring at the phone, wondering whether you unlocked it or not.
Eric: That’s exactly true. But it turns out you aren’t careful sometimes about the direction you hold the phone or whatever.
But, yeah, in general Touch ID and Face ID is much easier for the end user. So one of Apple’s approaches to security has been to make stronger security capabilities also easier to use.
Jon: Got it. That’s super helpful. So it sounds like the big thing here that Apple is touting — from your perspective, at least, from a security point of view — is their wallet, which is among many, many other wallets on the market, as you mentioned.
Do you think there is any intrinsic difference to the Apple Wallet based on what we’ve heard so far versus a Google Wallet, or a Samsung Wallet, or any of the other 500 wallets out there? Chase Pay …
Eric: I don’t think there is any, when you get down to the technical level of how it’s implemented, any huge difference with the soul, with one exception. And that exception is that those other wallets on an Apple device — if you are an iPhone user, like a lot of people are, and they are using Chase Pay, or business wallet, or whatever — can’t actually use the sequestered physical storage that the Apple Wallet uses. And that makes a difference.
Other than that, there’s not a huge difference.
Jon: So what about the 55% to 60% of the market that is on Android. Is there an equivalent sequestered portion of the phone?
Eric: My understanding is that there is, and it works with Google Wallet. And then for Samsung phones, with whatever wallet they have.
Eric: To caveat that just a little bit, I haven’t looked at them as much as I have with Apple. So I’m not 100% sure.
Jon: But if that was the case, and I totally get that you are not 100% sure, then it sounds like the best wallet you can use is the one that comes preinstalled from the manufacture on whatever device you use.
Eric: I think that is a completely true statement.
Eric: Where I would say that I like the Apple idea of the Apple Card is, one, we get rid of any physical security issue on the Apple Card, because we’ve gone to a chip. And we’ve eliminated all of the physical — the number, and that CVV, and etc. — off the card.
Jon: That is super interesting, so thank you.
One last question here as we are running on time: You’ve listed a few things that consumers can do to protect themselves and their personal information when they have a wallet. What about when they don’t?
What about for all of us who are still using plastic cards, the rare metal card or the even rarer wooden card?
Eric: Of the two components of card security that have always been issues, one is the physical card itself, right? If someone else gains access to your physical card, they can charge a bunch of money on it and there is nothing you can do to stop them.
So protecting physical access to your card is very important, and this is why Apple is touting the fact that it doesn’t have any information on it, except for the chip, which means you have to do chip-and-PIN or chip-and-signature. Good idea.
The second aspect is where your card is used and where the magstripe is swiped. So being cognizant that there are lots of bad guys out there who capture credit card information using things called card skimmers, which are false fronts deployed on top of either an ATM or a POS device.
You want to be really thoughtful about not using, say, an ATM that is just in the wall of a building out on the street, because it’s extremely easy to install a card skimmer on those ATMs. Same thing with POS devices, small convenience stores like the one down your street — and I don’t mean to pick on those guys, but this is just reality: That’s where most POS card skimmers get installed at.
Think about a gas station – There is one person working there. If he gets distracted, it’s really easy for a malicious person to put a card skimmer on a POS, honestly.
Jon: Yeah, that’s true. One final final question, but it’s an easy yes/no: You think you are going to apply for an Apple Card when it comes out?
Eric: Being the ridiculously invested-in-Apple-devices guy that I am, I probably will.
Jon: Good to know. Thank you very much for your time.
“Protecting physical access to your card is very important. And this is why Apple is touting the fact that it doesn’t have any information on it, except for the chip, which means you have to do chip-and-PIN or chip-and-signature. Good idea.”
Can the Apple Card measure up?
While the Apple Card has a lot going for it — including an enormous pre-existing potential userbase — there are plenty of other terrific credit card options out there. Here are a few of the factors that might just rankle Apple’s plans.
- Average reward rates.
As far as cashback cards go, 2% is only slightly above average, especially considering that Apple Pay acceptance is limited. If you use the physical Apple Card for purchases, you earn only 1% cash back on your purchases.
- Constrained rewards program.
As of May 2019, it sounds like Apple’s Daily Cash provides few opportunities beyond cash back to your account. What’s more, you’ll need Apple Pay to take advantage of Apple’s rewards structure. If you’re a frequent flyer and you’re looking for a card to help you earn miles, this won’t be the card for you.
- Signup bonus.
The Apple Card didn’t launch with a signup bonus and Apple only recently added one to the card: $50 in Apple Cash after you spend $50 at Walgreens. Certainly strange bedfellows, and not exactly the kind of valuable signup bonus that entices a consumer to apply.
“…the card information is stored in a sequestered physical component on the phone. There is a linkage made to the issuing bank. And you are not actually giving them your card number […]”
As VP of Identity Services, Eric’s core responsibilities will include hiring, and retaining, top talent and investing in training, with a commitment to improving HG service delivery methodologies. Eric is a veteran security leader with 30+ years of experience across multiple industries, including manufacturing, healthcare, state and local government, and financial services.
Previously, Eric has served as a CISO at Providence Health & Services, Global Director of Information Security at Esterline Technologies, and has held a variety of Professional Services roles with expertise in risk management, governance, system engineering, and operational delivery.
With deep connections to industry-leading Identity technology providers, Eric maintains a breadth of competencies in the Identity market. Eric has also served in the US Army for 10 years and upon returning to Sacramento, CA, he earned his Bachelor of Science in Computer Engineering from CSU.
Apple hopes to shake up the playing field by offering a consumer-friendly, tech-forward credit card. Given Apple’s history, they might have just enough clout to make an impact. You might just want to check out the Apple Card if you’re an Apple enthusiast looking for a simple-to-use, no-fee credit card.
Advice for those using plastic credit:
For consumers opting out of digital wallets and sticking to plastic, Cowperthwaite advises you to consider two components of card security.
- Protect physical access to your card, ensuring no one has the information to gain access to your account.
- Consider where you use your card and where your magnetic stripe is being swiped.
“Be really thoughtful about not using an ATM, for example, that’s just in the wall of a building out on the street because it’s extremely easy to install a card skimmer on those ATMs,” Cowperthwaite explains. “It’s the same issue with POS devices. Small convenience stores like the one down your street, and I don’t mean to pick on those guys but this is the reality, is where most POS card skimmers get installed.”