For one thing, a substitute account number is assigned when you set up Apple Pay. Merchants get that instead of your real card number. In addition, a verification code is created for each transaction, based in part on unique keys on the phone. Even if hackers get that substitute number, they wouldn't be able to generate the verification code without having possession of your phone, so fraudulent transactions would be declined.