Monday, March 25, 2024

Digital Wallets and the “Only Apple Pay Does This” Mythology

Matt Birchler:

The FPAN is the “funding primary account number” and it’s the 15-18 digit number printed on your physical card. The DPAN is your “device primary account number”.

[…]

It’s notable that it’s called a DPAN and not “the Apple Pay number” – it’s a generic term, and that’s because this is a standard feature of digital wallets everywhere, not just Apple Pay. Google Pay and Samsung Pay are the biggest other digital wallets in the U.S. and they both do exactly the same thing. While it’s not technically using a DPAN since the payment runs through different companies, Amazon Pay and Shop Pay buttons also obscure the actual FPAN (full card number) from merchants.

[…]

The DPAN is always the same for subsequent transactions at the same merchant. So yes, while this can hinder data brokers from easily buying transaction data from a bunch of different merchants and figuring out shopping trends across those merchants, it does nothing to stop a single merchant from seeing your transaction history with just the DPAN provided by Apple Pay.

[…]

There’s also an idea I see sometimes […] that Apple Pay obscures your personal information. That’s simply not true.

Previously:

Update (2024-03-28): See also: Hacker News.

3 Comments RSS · Twitter · Mastodon


From my limited experience as a merchant, if you pay with card # on my hosted payment page I get less details about you compared to Apple Pay,

Apple Pay shares email/phone number/billing address you want it or not.


The post by Matt Birchler has been amended with the paragraph "A previous version of this post suggested the DPAN changes between merchants, but that was a mistake. Serves me right for cranking this post out too quickly. Seriously, my bad.". However, the rest of the post still suggests that there is a unique DPAN per merchant, but I can't find any basis for that.

Even Apple's own documentation at https://support.apple.com/en-us/HT203027 says that the DPAN (called Device Account Number here) is only unique per device. When a card is added to Apple Pay a DPAN is created for that device, and it never gets changed afterwards unless the card is removed and re-added.

So whereas you can't be tracked by using the same card on two devices (e.g. iPhone and Apple Watch) because they will have two different DPANs, I'm pretty sure data brokers can track you when using the same card on the same device across different merchants.


A great reminder that the Dunning-Kruger effect is real and that I shouldn't criticise things I don't know, or have no way of verifying.

Like how some well known bloggers keep insisting that Google no longer links to Google flights, I'm literally just now looking at a Google flights result that showed up when I Googled CPH to PEK, or that third party price comparisons sites should somehow be worse than the sponsored crap google keep shoving in my face.

Leave a Comment