By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Why Apple Pay and Google Pay are the safest ways to spend

Despite the myths, mobile payments give you more protection than cards
Hamse Yusuf

It's been possible to pay with a swipe of your card for 13 years, and with your phone since 2015. Yet, despite their convenience, contactless payments have been dogged by concerns over security.

For years, it was rumoured that criminals could 'skim' your card and steal your money, simply by standing next to you with a card reader.

There has, however, never been a verified report of this actually happening - while some apps can reveal card numbers and expiry dates, the crucial security code (CVV) remains hidden.

Now mobile payments using Apple Pay, Google Pay and Samsung Pay are becoming the subject of similar security fears - some founded on reality, but many not.

In February, a single mention of mobile wallets in a report by the Financial Conduct Authority, referring to 'uncertainties around our regulatory parameter' led to newspapers reporting that mobile payments would not be covered by consumer protections, despite mobile payments receiving the same protection as the cards connected to them.

In fact, mobile payments could be even safer than card payments - here's why:

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

Mobile payments: a brief history

Apple Pay was launched in 2015, and Google Pay in 2016 for Android smartphones.

Samsung Pay followed in 2017, although as Samsung owners can also use Google Pay, it's not covered by this article (you can read more about it here). Barclays also has its own app for Android users, which customers have to use instead of Google Pay.

Initially, confusion reigned over exactly where you could use the new services, with shops advertising their willingness to take the payments.

Yet these services can be used anywhere a contactless card can, because both services use similar near-field technology to 'talk' to the card reader (although there are some technical differences).

Another point of confusion was whether you earn cashback or rewards for a card used on Apple or Google Pay, or benefit from credit card protections. The answer to all questions is yes - for more on Section 75 protection, see below.

And, contrary to popular belief, and unlike contactless cards, you can spend more than £30 at a time using mobile payments. In fact, Apple and Google don't impose any limits, although some retailers and banks apply a £30 cap.

  • Find out more: everything you wanted to know about contactless cards

The true risks of contactless payments

It's difficult to know how many people use contactless payments, let alone how many are scammed, because little data is publicly available. But the figures we do have suggest that rates are very low.

The latest figures from banking association UK Finance say that 8.5 million people, 16% of the adult population, were registered for mobile payments in 2018. Nearly half (46%) of those who had signed up made payments weekly or more often.

At present, specific statistics for mobile payment fraud aren't available; instead they are classed as contactless payments.

In the first six months of 2019, contactless fraud losses - which includes mobile payments - represented just 2.7p in every £100 spent in this way, or 3% of all card fraud losses.

And that's despite the use of contactless payments increasing. As of July last year, half of debit card payments were made this way.

Why mobile security has the edge

Mobile payments have an advantage over contactless cards: most transactions need to be authenticated.

Typically, you do this in the same way you unlock your phone, whether that's with a Pin, key pattern, fingerprint or face scan.

There are some exceptions. Both Google and Apple Pay allow an undisclosed number of unauthenticated transactions for certain situations. For example, Apple Pay's new 'Express' mode allows you to use it on London's public transport without you being asked for a fingerprint.

Google Pay allows unauthenticated transactions with a value of less than £30. However, after a couple of transactions, Google Pay would require you to unlock the phone. Unlocking is also required if the phone is restarted, to continue using the feature.

In most cases, mobile payments won't work if your phone is out of battery. The exception is Apple Pay's 'Express' mode, where iPhone models from the XR onwards can make payments for over five hours after it has run out.

Does Section 75 protection apply to Apple and Google Pay?

Yes, provided the card in your virtual wallet is a credit card.

That means that if you pay for goods between £100 and £30,000, and they're faulty, or you don't receive them, you can claim the cost back from the card company.

Chargeback also covers mobile payments if the payment is less than £100, or a debit card is used.

Where Apple and Google Pay aren't covered is when you've used an intermediary card, such as Curve, to make your payment.

Behind the scenes

Although card details are needed to set up Apple Pay or Google Pay, they're not shared with the companies themselves, or the retailers you pay. Instead, a virtual account number is created, encrypted and securely stored, hidden even to you.

To safely store your card information, Apple Pay uses the 'Secure Element', which is a specialised computer chip on your iPhone. It stores your virtual account information and, when you pay, sends a 'token' - a code authorising the payment - to the card readers.

Google Pay uses an equivalent called 'Host Card Emulation', where tokens are generated online, rather than on your phone. If you're concerned about privacy, you can change these in your settingswithout losing the ability to use Google Pay.

With Google Pay, a limited number of tokens are kept on your device, so you can still pay if you are unable to connect to the internet. As Apple Pay is based on your iPhone, it doesn't require internet access to make payments. Each token's code is unique and encrypted, meaning that a payment can't be maliciously redirected.

What happens if I lose my phone?

Losing your phone is expensive enough, without it also doubling as your credit card. Luckily, it's relatively simple to freeze payments.

If your phone is lost or stolen, you can use online tools, such as Apple's Find My iPhone and Google's Find My Device to remotely wipe your device and stop others using it.

Also consider contacting your bank to report the incident and get your card frozen and, if necessary, replaced.

If any fraudulent payments are made via your mobile, you'll be protected as you would be for unauthorised transactions made with your card. Your provider must refund the loss unless it can prove that you authorised the payments.

How to get started

To use mobile payments, your smartphone must be NFC-enabled, which is the case for the majority sold in the last five years. You can easily check your mobile's settings to confirm this.

Many devices will have Apple or Google Pay pre-installed but, if not, these apps can be downloaded free of charge from the Apple App Store and Google Play store.

When you connect your card you'll be required to go through your bank or credit card provider's verification process.

  • Based on an article that first appeared in the March issue of Which? Money Magazine. You can try Which? Money today for just £1 to have our impartial, jargon-free insight delivered to your door every month.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.