Check: AIOS-05-080104
Apple iOS 9 STIG: AIOS-05-080104 (in version v1 r1)
Title
Apple iOS must not include applications with the following characteristics: payment processing (Apple Pay). (Cat III impact)
Discussion
Apple Pay is a mobile payment technology that enables users to make purchases with their Apple iOS devices, provided that the vendor supports the required Near Field Communications (NFC) interface to Apple Pay. If the payment system is vulnerable to breach, a user's charge cards may be used for unauthorized payments, including charges to government-issued cards. Disabling or avoiding use of Apple Pay mitigates this risk. The use of a GFE mobile device as a personal payment system is not authorized.

SFR ID: FMT_SMF_EXT.1.1 #45
Check Content
Review configuration settings to confirm that Apple Pay is not in use. It is not possible to disable Apple Pay.

Note: This check procedure is only applicable on Apple iOS devices that support Apple Pay (iPhone 6 and 6 Plus) and can only be verified on the mobile device.

Verify that no payment information (e.g., a charge card) is associated with Apple Pay:

1. Open the Settings app.
2. Tap on "Wallet & Apple Pay".
3. Verify there is no payment information listed.

If there is any payment information configured for Apple Pay, this is a finding.
Fix Text
The user must remove payment information from Apple Pay.
Additional Identifiers
Rule ID:
Vulnerability ID: V-61949
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |