Apple is employing various layers of security, some more obvious than others.
For starters, the financial information is stored locally on the device, in its secure element, and does not reach Apple’s servers. Furthermore, during transactions, instead of the device transmitting card numbers to the receiving terminal, it’ll only send over a Device Account Number for each card and a “transaction-specific dynamic security code.” Moreover, Apple will not store purchases history on any devices or in the cloud, and only provide the user with a recent transactions list for convenience purposes.
On top of NFC, there’s a second security measure in place, and that’s biometric identification. On Touch ID-enabled devices such as the new iPhone 6 models, users will have to approve purchases by placing their finger on the scanner. On the Apple Watch, a PIN number has to be entered every time the device is removed from the user’s hand – continuous skin contact means the device doesn’t have to be authorized a second time by the user via a PIN security code.
Thirdly, because card data is stored on the device, the user isn’t actually sharing the physical card with store employees, which means they won’t have access to the data on the card.
Finally, Find My iPhone will help users disable Apple Pay functionality on lost or stolen iPhones – and hopefully the same thing goes for Apple Watch.