Check: AIOS-05-080104
Apple iOS 8 ISCG: AIOS-05-080104 (in version v1 r1)
Title
Apple iOS must not store any payment data in Apple Pay. (Cat II impact)
Discussion
Apple Pay is a mobile payment technology that enables users to make purchases with their iOS devices, provided that the vendor supports the required Near Field Communications (NFC) interface to Apple Pay. If the payment system is vulnerable to breach, a user's charge cards may be used for unauthorized payments, including charges to government-issued cards. Disabling or avoiding use of Apple Pay mitigates this risk.

SFR ID: FMT_SMF.1.1 #42
Check Content
Review configuration settings to confirm that Apple Pay is disabled or not in use.

Note: This check procedure is not applicable on iOS devices that do not support Apple Pay. As of the publication of this ISCG, iPhone 6 and iPhone 6 Plus are the only iOS devices that support Apple Pay.

If there is a mechanism for disabling Apple Pay, verify Apple Pay is disabled. Potential mechanisms to disable Apple Pay include disabling the NFC radio or disabling the Apple Pay service. The settings for these features are expected to be found in the Settings app.

If there is not a mechanism to disable Apple Pay, verify that no payment information (e.g., a charge card) is associated with Apple Pay. The configuration of Apple Pay is expected to be found either in an app associated with Apple Pay or in the Settings app.

If there is any payment information configured for Apple Pay, this is a finding.
Fix Text
The user must remove payment information from Apple Pay or disable the feature.
Additional Identifiers
Rule ID:
Vulnerability ID: V-54313
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |