See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/333546983

PAYPAL AND APPLE PAY. A COMPARATIVE STUDY ON THE SECURITY AND

AVAILABILITY A PREPRINT

Preprint · May 2019

CITATIONS READS

0 5,408

2 authors, including:

Emil Simion
Polytechnic University of Bucharest
97 PUBLICATIONS   196 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Improving the decision of statistical tests used in cryptographic applications View project

CyberSecurity View project

All content following this page was uploaded by Emil Simion on 29 July 2020.

The user has requested enhancement of the downloaded file.

 PAY PAL AND A PPLE PAY. A COMPARATIVE STUDY ON THE
SECURITY AND AVAILABILITY

A P REPRINT

Mihai-Lucian Rusu Emil Simion

Security Information at Computer Science University Politehnica of Bucharest, Romania
University Alexandru Ioan Cuza Iasi, Romania [email protected]
[email protected]

May 30, 2019

A BSTRACT
This paper makes a comparison between PayPal and Apple in regards to their payments systems,
such as PayPal Here, PayPal Payments Pro, Venmo, and Apple Pay, a product made by Apple.
This paper help visualizes the differences between these products in regard to features, fees & payment
methods, availability, customer experience, security and privacy.

Keywords PayPal · Apple · Apple Pay · Triple DES

1 Introduction

PayPal is an online payment service that allows individuals and businesses to transfer money electronically. PayPal
acts as a middleman between merchants and banks or credit card companies. PayPal is buyer and seller at the same
time: both sides that participate in a transaction have provided their bank account or credit card information to PayPal.
PayPal handles the transactions with various banks and credit card companies and pays the interchange.
PayPal Here is a mobile payment by PayPal. PayPal Here is a secure solution that lets you accept payments wherever
you go. With the PayPal Here App, you can securely process credit card payments, create invoices, and track your sales
easily from a smartphone.
PayPal Payments Pro is a service by PayPal. PayPal Payments Pro is a business solution for payment processing from
e-commerce sites. Because it is a service from PayPal, the exposure of the businesses that use PayPal Payments Pro is
over 184 million active customers around the globe.
Venmo is a combination of mobile payment, a digital wallet, and a social media platform. Venmo is a subsidiary of
PayPal. Venmo allows users to send money to each other almost instantly.
Apple Pay is a mobile payment and digital wallet service by Apple Inc. Apple Pay allows users, via Apple Pay Cash, to
make payments in shops, in iOS apps(ex: Messenger, Apple Store, iTunes), and on the web. Apple Pay is integrated on
iOS starting with 11.2 version. Its intent is to replace a card at a contactless-capable point-of-sale terminal.

2 Comparison based on the most important features

Finances Online made comparisons between the PayPal Here and Venmo[1], PayPal Here and Apple Pay[2], PayPal
Payments Pro and Apple Pay[3]. Here are some features, and some new ones:
 A PREPRINT - M AY 30, 2019

Table 1: Most important features from PayPal Here and Apple Pay

PayPal Here Apple Pay

Magstripe Card Swiping Send & Receive Money
EMV Chip Card Reader Siri Send & Receive Assist
Contactless Payment Processing Bank Account Transfer
Apple Pay and Android Pay Processing Face ID, Touch ID, and Passcode Authentication
Tax Web Store and In-App Transactions
Tips In-Store Payments
Discounts Returns Processing
Signature Input Rewards Program Integration
Invoicing Automatically available in iOS
Inventory Management
Customizable Sales and Reports
Multiple Users
Password Setting & Access Controls

Table 2: Most important features from PayPal Payments Pro and Venmo

PayPal Payments Pro Venmo

Accept PayPal payments Expense Splitting & Sharing
Accept Visa, Mastercard, and American Express Web & In-App Purchases
Virtual Terminal Credit, Debit Card, and Bank
Accept payments in 25 currencies from 202 countries Payment Data Encryption
Payment Gateway Add friends for fast transfer
Make a transaction public to your Venmo friends
Post a comment on a transaction

3 Comparison based on compatibility, fees and payment methods

In an article published on Digital Trends[4], Christian de Looper made a comparison between most popular payment
services and the results look like this:

Table 3: Comparison based on compatibility, fees and payment methods

PayPal Venmo Apple Pay Cash

Compatibility Android, iOS, Web Android, iOS, Web iOS
Payment Methods Credit, Debit, Bank transfer Credit, Debit, Bank transfer Credit, Debit card
Credit fee 2.9% + $0.30 3% 3%
Debit fee 2.9% + $0.30 Free or (1% for instant transfers) Free
Bank transfer fee Free Free Free
Withdrawal speed Up to 1-2 business days Up to 1 business day Up to 1-3 business days
Transfer limits $10,000 $2,999.99 $10,000

PayPal made sending money easier with PayPal.me feature. You can send somebody money via PayPal.me link directly,
PayPal is the best-known from these services. Using PayPal, the money will not be transferred directly into your bank
account unless you manually do it. Until then, the money will stay in the PayPal account. With PayPal Credit, the
money is sent directly to your bank account. The fee per transaction is $0.30.
Venmo is becoming the preferred way to transfer cash to friends. Using Venmo, alike PayPal, the money will not be
transferred directly into your bank account unless you manually do it, and it cost 3% to use a credit card.

2
 A PREPRINT - M AY 30, 2019

Apple Pay Cash is integrated into iOS, starting from 11.2 version, and is using the Apple Pay service, which can be
linked with a credit card or a debit card. You can use any device that has iOS 11.2 or more (iPhone, iPad, Apple Watch,
Mac). You can easily use the app in Messages app, with the Apple Pay icon, selecting the amount of money, and then
selecting Request or Pay. The main downside is that the app is only on iOS, meaning you will not be able to transfer or
receive money from Android users.

4 Comparison based on availability

Figure 1: Countries and regions that support Apple Pay[5]

Figure 2: PayPal Availability[6]

3
 A PREPRINT - M AY 30, 2019

The availability for Venmo is restricted to the U.S. In Venmo user agreement, it says: “you must be in the United States
and have a U.S. bank account to use the Venmo services.”[7]

5 Comparison based on customer experience

On the official PayPal site[8], it says that the number of online stores that accept PayPal is around 19.000.000.
Comparisons from Finances Online[1][2][3] regarding user satisfaction and SmartScoreTM :

Table 4: User satisfaction and SmartScoreTM

PayPal Here PayPal Payments Pro Venmo Apple Pay

TM
SmartScore 9.8 9.5 9.1 9.9
User satisfaction 98% 99% 87% 97%

SmartScoreTM system is used by Finances Online to evaluate the products based on the following elements:

• Main Functionality 20%

• Collaboration Features 20%
• Customization 15%
• Integration 15%
• Ease to use 10%
• General Impression 5%
• Help and support 5%
• Security 5%
• Mobility 5%

6 Comparison based on security and privacy

Each transaction made using PayPal has a Transaction ID, a 12 character string that you can use to track the status or
search a transaction. As listed on PayPal official site [9], the PayPal services also provide: Email confirmations: you
will receive an email every time you send or receive a PayPal payment and PayPal Security Key: TLS 1.0 or higher,
HTTPS, Key Pinning and Data encryption
PayPal Security Key is a second authentication factor in addition to the password. It is unique for each log in (One Time
Pin - OTP). Each time you want to log in, you will receive a security code by SMS.
Methods used for data encryption:

1. You will establish a TLS Connection every time you want to access a PayPal service. Paypal makes sure that
you are using TLS 1.0 or higher and a secure connection (HTTPS).
2. Key Pinning: Because you can launch a PayPal app on your mobile phone and an impostor pretends to be the
real PayPal server, intercepting the request, PayPal ensures that you are connecting to a real PayPal server
when the TLS connection is established.

PayPal complies with PCI-DSS [10]. Payment Card Industry (PCI) Data Security Standard (DSS), PCI-DSS is a
standard that all organizations, including online retailers to follow a number of requirements as best practices. As
mentioned by [11], a company must use a firewall between a wireless network and their cardholder data environment,
use the latest security and authentication such as WPA/WPA2 and also change default settings for wired privacy keys,
and use a network intrusion detection system to be PCI compliant.
As mentioned by [12], the Data Security Standard recommend Triple Data Encryption (Triple DES) for PIN Encryption.
Triple DES is a block cipher algorithm, with each block as 64 bits of data and 56 bits for each key. In Triple DES, the
keys are identical. Triple DES is a better solution, replacing DES as a standard for PIN Encryption. As mentioned by
[13], the advantages that TDES provides are the following:

4
 A PREPRINT - M AY 30, 2019

• Better security in electronic payments because of the added security layers and triple running of the encryption
algorithm. This is harder to crack and/or corrupt.
• A simple system with one algorithm
• Compliance of Triple Data Encryption by merchants who want to facilitate PIN debit transactions is mandatory
because of the enhanced security it provides.
• Better service and smooth operations, sans attacks and intrusions

The security of a block cipher is often reduced to its block size. Because of its short block size of 64 bits, Triple DES is
vulnerable to block collision attacks.
The Sweet32 attack, in [14], demonstrates how Triple DES is vulnerable to birthday attacks. To attack Triple DES in
TLS it is required 785 GB of blocks(around 236 ), but in the article, the researchers got a collision after 230 blocks.
PCI Security Standards also recommends being used a Derived Unique Key Per Transaction. This is a key management
method that uses a unique key for each transaction and prevents the disclosure of any past key used. The unique
transaction keys are derived from a base derivation key using only non-secret data transmitted as part of each transaction.
On PayPal official website is listed all the information that PayPal collects:

• Registration and use information

• Transaction and experience information: transaction info, amount sent or requested, amount paid for products
or services, merchant information, including information about any funding instruments used to complete the
transaction, Device Information, Technical Usage Data, and Geolocation Information
• Participant information
• Information about friends and contacts
• Information that it is chosen to be provided to obtain additional Services or specific online Services
• Information about you if you transact as a guest
• Information about you from third-party sources

In contrast, Apple Pay, on its official website [15], says that Apple Pay uses security features built-in to the hardware and
software of your device to help protect your transactions. In addition, to use Apple Pay, you must have a passcode set
on your device and, optionally, Face ID or Touch ID. Apple Pay is also designed to protect your personal information.
Apple doesn’t store or have access to the original credit, debit, or prepaid card numbers that you use with Apple Pay.
And when you use Apple Pay with credit, debit, or prepaid cards, Apple doesn’t retain any transaction information that
can be tied back to you—your transactions stay between you, the merchant or developer, and your bank or card issuer.
When you add a card to Apple Pay, information that you enter on your device is encrypted and sent to Apple servers. If
you use the camera to enter the card information, the information is never saved on your device or photo library.uj
Apple decrypts the data, determines your card’s payment network, and re-encrypts the data with a key that only your
payment network (or any providers authorized by your card issuer for provisioning and token services) can unlock.
When Apple Pay is used in stores that accept contactless payments, Apple Pay uses Near Field Communication(NFC)
technology between your device and the payment terminal. NFC is an industry standard, it is a contactless technology
that is designed to work only across short distances. To send your payment information, you must authenticate using
Face ID, Touch ID, or your passcode.
When Apple Pay it is used on the web, Apple Pay receives your encrypted transaction and re-encrypts it with a
developer-specific key before the transaction information is sent to the developer or payment processor.
When you add contactless rewards cards to Wallet, all the information is stored on your device and encrypted with
your phone passcode. Person to person payments(P2P) and the Apple Pay Cash card are services provided by Apple’s
partner bank, Green Dot Bank.On their official website[16], the types of personal information Green Dot Bank collects
and shares depend on the product or service you have with us. This information can include:

• social security number and account balances

• account transactions and purchase history
• transaction history and payment history

Also, when you are no longer our customer, Green Dot Bank will continue to share your information.

5
 A PREPRINT - M AY 30, 2019

7 Feature work
In future work, investigating privacy and security in details might prove important. Starting from here, the next step
should be analyzing the security of Triple DES used by PayPal and see if an attack is feasable. Regarding privacy, the
Terms and conditions from partner banks should be analyzed in detail to see if the bank can track your transactions.

8 Conclusion
It is difficult to arrive at any conclusions with regard to privacy and security, but this paper gives a starting point in
a comparison between several services from two big companies, PayPal and Apple. Each service has advantages
and disadvantages, and as always, it depends on what a user considers more important: privacy, security, availability,
compatibilities, fees, features or just personal preference.

References
[1] FinancesOnline. Compare PayPal Here vs Venmo. https://comparisons.financesonline.com/
paypal-here-vs-venmo/, 2019.
[2] FinancesOnline. Compare Apple Pay vs PayPal Here. https://comparisons.financesonline.com/
apple-pay-vs-paypal-here, 2019.
[3] FinancesOnline. Compare Apple Pay vs PayPal Payments Pro. https://comparisons.financesonline.
com/apple-pay-vs-paypal-payments-pro, 2019.
[4] Christian de Looper. PayPal vs. Google Pay vs. Venmo vs. Square Cash vs. Apple Pay Cash . https://www.
digitaltrends.com/mobile/paypal-vs-google-wallet-vs-venmo-vs-square-cash/, 2019.
[5] Apple Pay Availability. https://upload.wikimedia.org/wikipedia/commons/d/d4/Apple_Pay_
Availability.svg.
[6] InfoUna. Paypal integrated website design: Mode for secure payment gateway . http://infouna.com/blog/
paypal-integrated-website-design-mode-for-secure-payment-gateway/, 2017.
[7] Venmo. https://venmo.com/legal/us-user-agreement/.
[8] PayPal. https://www.paypal.com/.
[9] Email, encryption, and other protections. https://www.paypal.com/us/webapps/mpp/security/
security-protections.
[10] Payment Card Industry. Requirements and security assessment procedures. 2016.
[11] Vangie Beal. PCI-DSS. https://www.webopedia.com/TERM/P/PCI_DSS.html.
[12] PCI Security Standards Council. PCI Security Standards Overview . https://www.pcisecuritystandards.
org/pci_security/standards_overview.
[13] Credit Card Processing. What is Triple Data Encryption? https://www.creditcardprocessing.com/2013/
12/triple-data-encryption/.
[14] Karthikeyan Bhargavan and Gaëtan Leurent. On the practical (in-)security of 64-bit block ciphers. collision
attacks on http over tls and openvpn. 2016.
[15] Apple Inc. Apple Pay security and privacy overview. https://support.apple.com/en-us/HT203027.
[16] WHAT DOES GREEN DOT BANK DO WITH YOUR PERSONAL INFORMATION? https://applecash.
greendot.com/privacy/.

View publication stats