A Defending Digital fan listened to a podcast episode I shared about securing your credit and debit cards, then she said,
“I’d be interested in listening to/reading more about accounts like PayPal and Amazon Pay, and the safety (or not) of using them to pay on other shopping sites.”
What a great question! I’ve looked into this subject in the past, and this was a good opportunity to see what’s changed recently. These payment options go by several names, including digital wallets, mobile payment apps, mobile wallets, contactless payments, and cashless payments.
By the way, if you ever have a question related to digital security or privacy, please send it in!
As we saw in the post Which Passwords to Change After Credit Card Fraud, credit and debit card fraud is a massive problem. Allow me to remind you of some of the stats.
The number of credit card numbers exposed in 2017 totaled 14.2 million, up 88% over 2016.
More than 32% of Americans complained about credit card fraud in 2016, double the rate from 2015, according to the Federal Trade Commission. (Experian)
According to the 2016 Consumer Card Fraud Study from ACI Worldwide and Aite Group, nearly one-third of consumers have experienced card fraud in the past five years, and 17% of credit card and debit cardholders say they’ve fallen victim multiple times in that timeframe. (Credit.com)
The FTC received over 133,000 credit card fraud reports in 2017.
“Card-not-present fraud” is far more prevalent than traditional credit card fraud. Thanks to the increasing popularity of online shopping, card-not-present fraud is now 81 percent more common than point-of-sale credit card fraud. (Comparitech.com)
According to ACI, 21% of Americans have dealt with debit card fraud in the past 5 years. (CreditDonkey.com)
So you may be wary of using a credit or debit card online, or even in a store. You probably have one or more digital wallets or mobile payment apps, such as Apple Pay, Google Pay, Samsung Pay, PayPal, Venmo, Zelle, and Chase Pay. But you may wonder: are these methods of payment more or less secure than using a credit card?
How to Increase Your Security
The short answer is that in general, digital wallets or mobile payment apps provide better security than using your credit card, online or in person. Why?
When you pay with a digital wallet or mobile payment app (Apple Pay, Google Pay, Samsung Pay, PayPal, Venmo, Zelle, Chase Pay, etc.), the merchant (entity you’re paying) doesn’t receive the details of your credit card, debit card, checking account, or other underlying source of funds. Usually they receive a unique, one-time code that’s only good for that purchase. So if a rogue employee tried to steal the transaction details, or the company was hacked, they wouldn’t get your credit card details (or the details of whatever other underlying account you paid with).
“The app generates a one-use authentication code, good for the current transaction only. Even if someone filched that code, it wouldn’t do them any good. And paying with a smartphone app completely eliminates the possibility of data theft by a credit card skimmer.” (PCMag)
Speaking specifically of Apple Pay, but referencing technology that’s used by several wallets and apps, another PCMag article says,
“Touch ID and FaceID comprise a strong first layer of security, but you can never be too safe when it comes to your money. So Apple Pay takes things one step further by obscuring your real card data with anonymized digital tokens. When you make purchases, this anonymous data is the only information retailers receive. Other services like Android Pay and Samsung Pay use a similar fake-number system, but Apple Pay’s single-use tokens change with each transaction (Samsung Pay’s don’t). In fact, your financial service sends a Device Account Number that’s stored on the device in a special chip called a Secure Element. All this makes Apple Pay the most secure payment choice, and even more secure than a plastic card.” (PCMag)
Also speaking specifically of Apple Pay, but referencing technology that’s used by several wallets and apps, MacRumors.com says,
“Apple Pay is still more secure than a traditional card-based transaction. With Apple Pay, a cashier does not see a credit card number, a name, an address, or any other personally identifying information. There is no need to take out a credit card or confirm the authenticity of a credit card with a driver’s license or ID card, because all of that information is stored on the iPhone and protected by several built-in security systems, including Touch ID.” (MacRumors.com)
ForgetComputers.com describes how the technology in digital wallets and mobile payment apps works:
“Apple Pay is significantly more secure than a magnetic-strip credit card and has advantages over chip-embedded cards too. … the store where you shop gets no data about you—they don’t know who you are, where you live, what your card number is, or anything else unless you showed a rewards card or provided your phone number. Most importantly, you don’t have to worry about your credit card number being jotted down, scanned, or skimmed. … When you pay with Apple Pay, the Secure Enclave chip transmits the Device Account Number, along with a few other details, including a one-time transaction code. Everything is encrypted, so even if an attacker were listening to the traffic, no transaction details would be revealed.” (ForgetComputers.com)
So, you should use a digital wallet or mobile payment app instead of a credit card, debit card, check, or other “traditional” form of payment whenever it’s an option.
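The token-plus-one-time-code idea described above, as a simplified model added here; it is not code from the original post and not Apple Pay's or any card network's actual protocol. The `Issuer` and `Device` classes, the message fields and the HMAC-based code are illustrative assumptions. The merchant only ever holds `msg`, and a replayed or altered copy of it is refused.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, token, counter, amount, merchant):
    """One-time code: a MAC over this transaction's details and a counter."""
    data = f"{token}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Token service: the only party able to map a token back to the card."""
    def __init__(self):
        self._vault = {}  # token -> [card number, device key, last counter]
    def provision(self, card_number):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = [card_number, key, 0]
        return token, key  # the device stores these, not the card number
    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False  # unknown token
        expected = cryptogram(entry[1], msg["token"], msg["counter"],
                              msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # details were forged or altered
        if msg["counter"] <= entry[2]:
            return False  # code already used: replay
        entry[2] = msg["counter"]
        return True

class Device:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0
    def pay(self, amount, merchant):
        self._counter += 1
        msg = {"token": self.token, "counter": self._counter,
               "amount": amount, "merchant": merchant}
        return {**msg, "cryptogram": cryptogram(self._key, **msg)}

def demo():
    card = "4111111111111111"  # constructed test number, not a real card
    issuer = Issuer()
    device = Device(*issuer.provision(card))
    msg = device.pay("19.99", "coffee-shop")  # all the merchant ever sees
    first = issuer.authorize(msg)
    replay = issuer.authorize(msg)  # stolen copy submitted again
    altered = issuer.authorize({**msg, "counter": 2, "amount": "999.00"})
    return first, replay, altered, any(card in str(v) for v in msg.values())
```

`demo()` returns whether the genuine payment, the replayed copy and the altered copy were approved, followed by whether the card number appears anywhere in what the merchant received.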
Of course, there are still security risks with digital wallets and mobile payment apps. So, it’s worth taking steps to increase your security as you use them. Let’s take a look at them.
Use a Reputable Wallet/App
Not all digital wallet or mobile payment apps have equal security. In general, payment software from large, recognized companies (Apple, Google, PayPal, etc.) is more secure than software from companies you’ve never heard of.
Do a search for digital wallet mobile payment reviews and look for authoritative results from websites in the tech or financial industries.
If you’re considering a particular wallet or app, do a search for its name plus the words security safety; for example, Apple Pay security safety. Again, look for authoritative results from websites in the tech or financial industries.
Some wallets and apps have been renamed, so you may come across outdated names in your research. For example, Google Wallet and Android Pay were merged into Google Pay. Also, some people use nicknames; for example, GPay to refer to Google Pay.
Most-Used Digital Wallets and Mobile Payment Apps
As you research, you may wonder, “What are the top-used mobile wallets?” Here are those with the most users, using data from Auriemma Consulting Group in October 2018:
- Apple Pay: 77% of mobile wallet transactions
- Samsung Pay: 17%
- Google Pay: 6%
A survey from 451 Research in mid-2018 found that consumers use these digital wallets:
- PayPal: 66.9% of consumers had used it
- Apple Pay: 30.5%
- Samsung Pay: 10.4%
- Google Pay: 12.9%
The first set of data focuses on transactions processed, and the second set focuses on which apps consumers use. I don’t know if the first set considered PayPal a digital wallet.
Secure Your Wallet/App and Account
Make sure that your device (phone, tablet, computer) is secure, to protect the digital wallets or payment apps on your device. That includes locking the screen with a strong password or PIN or biometric authentication (fingerprint, facial recognition, etc.).
Protect the wallet/app itself with a password or PIN or biometric authentication (fingerprint, facial recognition, etc.).
If there’s an online account associated with your wallet/app (such as with PayPal), set a long, complex password that you don’t use for anything else. Store the password in a password manager (I like LastPass). Enable two-factor authentication if it’s an option (if it’s not, consider choosing a different wallet/app).
Link to Credit Card, Not Debit Card, Checking Account, Savings Account
You shouldn’t link your digital wallet or mobile payment app to a debit card, checking account, or savings account. Why? If someone were to gain access to your account, they’d be able to do more damage by having access to those accounts than to your credit card. Another benefit of linking to a credit card is that credit cards generally have strong fraud protection and remediation.
Don’t Buy Over Public Wi-Fi
If you’re buying online, don’t do it over public Wi-Fi (the Wi-Fi offered at many coffee shops, restaurants, public libraries, etc.). Someone else on that network could see what you’re doing, and possibly capture financial data. It’s much safer to use your device’s mobile/cellular data connection. If you must use public Wi-Fi, use a VPN (Virtual Private Network) to protect your traffic as it travels over the public Wi-Fi network. I like ProtonVPN.
Don’t Keep Much Money in an Uninsured Account
If you’re using an account where you can store money, such as PayPal, keep the amount you store there to a minimum. Unlike traditional bank accounts, these digital payment accounts usually aren’t FDIC-insured.
- Secure Online Shopping With PayPal: 7 Tips To Protect Your Money (financesonline.com)
- Apple Pay Is Faster, Easier, More Secure, and More Private Than Using Credit Cards (forgetcomputers.com)
What You Should Do
- Do your research and choose a digital wallet or mobile payment app with good security and a good overall reputation. You may use more than one wallet or app depending on your needs.
- Secure your wallet or app and its associated account.
- Link your wallet or app to a credit card rather than other types of accounts.
- Use your digital wallet or mobile payment app instead of other forms of payment whenever possible, online and in-person.
- Don’t buy over public Wi-Fi unless you’re using a VPN (Virtual Private Network). It’s better to use your own network or your device’s mobile/cellular data connection. I like ProtonVPN.
- Don’t keep much money in your digital payment account, unless it’s FDIC-insured.