
Updated: 9 Oct 2020

Why Apple Pay and Google Pay are the safest ways to spend

Despite the myths, mobile payments give you more protection than cards

It's been possible to pay with a swipe of your card for 13 years, and with your phone since 2015. Yet, despite their convenience, contactless payments have been dogged by concerns over security.

For years, it was rumoured that criminals could 'skim' your card and steal your money, simply by standing next to you with a card reader.

There has, however, never been a verified report of this actually happening - while some apps can reveal card numbers and expiry dates, the crucial security code (CVV) remains hidden.

Now mobile payments using Apple Pay, Google Pay and Samsung Pay are becoming the subject of similar security fears - some founded on reality, but many not.

In February, a single mention of mobile wallets in a report by the Financial Conduct Authority, referring to 'uncertainties around our regulatory parameter', led to newspapers reporting that mobile payments would not be covered by consumer protections, despite mobile payments receiving the same protection as the cards connected to them.

In fact, mobile payments could be even safer than card payments - here's why:


Mobile payments: a brief history

Apple Pay was launched in 2015, and Google Pay in 2016 for Android smartphones.

Samsung Pay followed in 2017, although as Samsung owners can also use Google Pay, it's not covered by this article. Barclays also has its own app for Android users, which customers have to use instead of Google Pay.

Initially, confusion reigned over exactly where you could use the new services, with shops advertising their willingness to take the payments.

Yet these services can be used anywhere a contactless card can, because both services use similar near-field technology to 'talk' to the card reader (although there are some technical differences).

Another point of confusion was whether you earn cashback or rewards for a card used on Apple or Google Pay, or benefit from credit card protections. The answer to all questions is yes - for more on Section 75 protection, see below.

And, contrary to popular belief, and unlike contactless cards, you can spend more than £30 at a time using mobile payments. In fact, Apple and Google don't impose any limits, although some retailers and banks apply a £30 cap.


The true risks of contactless payments

It's difficult to know how many people use contactless payments, let alone how many are scammed, because little data is publicly available. But the figures we do have suggest that rates are very low.

The latest figures from banking association UK Finance say that 8.5 million people, 16% of the adult population, were registered for mobile payments in 2018. Nearly half (46%) of those who had signed up made payments weekly or more often.

At present, specific statistics for mobile payment fraud aren't available; instead they are classed as contactless payments.

In the first six months of 2019, contactless fraud losses - which include mobile payments - represented just 2.7p in every £100 spent in this way, or 3% of all card fraud losses.

And that's despite the use of contactless payments increasing. As of July last year, half of debit card payments were made this way.

Why mobile security has the edge

Mobile payments have an advantage over contactless cards: most transactions need to be authenticated.

Typically, you do this in the same way you unlock your phone, whether that's with a Pin, key pattern, fingerprint or face scan.

There are some exceptions. Both Google and Apple Pay allow an undisclosed number of unauthenticated transactions for certain situations. For example, Apple Pay's new 'Express' mode allows you to use it on London's public transport without you being asked for a fingerprint.

Google Pay allows unauthenticated transactions with a value of less than £30. However, after a couple of transactions, Google Pay would require you to unlock the phone. Unlocking is also required if the phone is restarted, to continue using the feature.

In most cases, mobile payments won't work if your phone is out of battery. The exception is Apple Pay's 'Express' mode, where iPhone models from the XR onwards can make payments for over five hours after the battery has run out.

Does Section 75 protection apply to Apple and Google Pay?

Yes, provided the card in your virtual wallet is a credit card.

That means that if you pay for goods between £100 and £30,000, and they're faulty, or you don't receive them, you can claim the cost back from the card company.

Chargeback also covers mobile payments if the payment is less than £100, or a debit card is used.

Where Apple and Google Pay aren't covered is when you've used an intermediary card, such as Curve, to make your payment.

Behind the scenes

Although card details are needed to set up Apple Pay or Google Pay, they're not shared with the companies themselves, or the retailers you pay. Instead, a virtual account number is created, encrypted and securely stored, hidden even to you.

To safely store your card information, Apple Pay uses the 'Secure Element', which is a specialised computer chip on your iPhone. It stores your virtual account information and, when you pay, sends a 'token' - a code authorising the payment - to the card readers.

Google Pay uses an equivalent called 'Host Card Emulation', where tokens are generated online, rather than on your phone. If you're concerned about privacy, you can change these in your settings without losing the ability to use Google Pay.

With Google Pay, a limited number of tokens are kept on your device, so you can still pay if you are unable to connect to the internet. As Apple Pay is based on your iPhone, it doesn't require internet access to make payments. Each token's code is unique and encrypted, meaning that a payment can't be maliciously redirected.
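To make the idea of a token concrete, here is a simplified model added for illustration; it is not Apple's, Google's or any card network's actual scheme. The class and function names are made up, the card number is a constructed test value, and an HMAC over a payment counter stands in for the real payment code.

```python
import hashlib
import hmac
import secrets


def payment_code(key, token, counter, amount_pence):
    # One-time code bound to this token, this payment number and this amount.
    msg = f"{token}|{counter}|{amount_pence}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Hypothetical stand-in for the bank/card-network side that maps tokens to cards."""

    def __init__(self):
        self._vault = {}  # token -> real card number, secret key, last counter seen

    def provision(self, real_pan):
        # The phone is given a virtual account number and a key, not the real card number.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": real_pan, "key": key, "last_counter": 0}
        return token, key

    def authorise(self, token, counter, amount_pence, code):
        entry = self._vault.get(token)
        if entry is None:
            return False  # unknown token
        expected = payment_code(entry["key"], token, counter, amount_pence)
        if not hmac.compare_digest(expected, code):
            return False  # amount or token altered after the phone produced the code
        if counter <= entry["last_counter"]:
            return False  # this code has already been used: replay rejected
        entry["last_counter"] = counter
        return True


class Wallet:
    """Hypothetical phone-side wallet holding only the token and its key."""

    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_pence):
        self._counter += 1
        code = payment_code(self._key, self.token, self._counter, amount_pence)
        # This dictionary is everything the card reader and retailer receive.
        return {"token": self.token, "counter": self._counter,
                "amount_pence": amount_pence, "code": code}
```

A message captured at the till contains no real card number, cannot be submitted a second time, and stops verifying if the amount is changed.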

What happens if I lose my phone?

Losing your phone is expensive enough, without it also doubling as your credit card. Luckily, it's relatively simple to freeze payments.

If your phone is lost or stolen, you can use online tools, such as Apple's Find My iPhone and Google's Find My Device to remotely wipe your device and stop others using it.

Also consider contacting your bank to report the incident and get your card frozen and, if necessary, replaced.

If any fraudulent payments are made via your mobile, you'll be protected as you would be for unauthorised transactions made with your card. Your provider must refund the loss unless it can prove that you authorised the payments.

How to get started

To use mobile payments, your smartphone must be NFC-enabled, which is the case for the majority sold in the last five years. You can easily check your mobile's settings to confirm this.

Many devices will have Apple or Google Pay pre-installed but, if not, these apps can be downloaded free of charge from the Apple App Store and Google Play store.

When you connect your card you'll be required to go through your bank or credit card provider's verification process.

  • Based on an article that first appeared in the March issue of Which? Money Magazine.