
They make it sound like there is a special "Apple sauce" that they built and strongly suggest they generate a new PAN for every transaction. They suggest that a "token" instead of a PAN is used for the transaction. This is very misleading. If you read it very carefully they are not wrong, but for the uninitiated a wrong impression is created.

They are using an industry standard protocol that is 25 years old.




You are right that the core of Apple Pay security is functionally identical to chip and contactless transactions.

However a seemingly trivial but important difference with Apple Pay is that it doesn't use your physical card number—instead it uses a different card number randomly assigned to your device. The payment networks can therefore recognise Apple Pay-assigned numbers and know to demand full Apple Pay authentication when they are used.

This reduces the scope for downgrade attacks.


Insightful commentary on some of the value-adds of Apple Pay.

I do wonder if the security gain is significant enough to make Apple Pay integration a gross-positive for all parties. Apple appears to charge a ~0.1-0.2% fee per transaction made via Apple Pay [0], so it might be reasonable that the security adds enough value in its own right to make sense from a fraud/insurance perspective.

Might also be the fact that possibly being "Top of wallet" on Apple Pay (Which users might use anyway, irrespective of if their normal card is supported) provides enough value to take a small hit in fees.

[0] https://appleinsider.com/articles/16/02/22/apple-halved-tran...


I live in New Zealand and both Google Pay and my Garmin watch have unique numbers. This doesn't seem to be Apple exclusive at all? I have 2 Garmin watches, 2 Google Pay capable devices and a single physical card and the numbers are all different. At least, the last four digits are.


Nobody said it was an Apple exclusive.

But to be fair, after trying to do payments in various other ways, Google eventually built their Android payments platform to be an almost perfect 1:1 recreation of Apple Pay.

(And this is a recurring theme with Android. I'm not saying Google aren't within their rights to build things however they wish, but it is remarkable how often Google make loud smug noises about how they've done things differently to Apple—only for those points of differentiation to quietly disappear a few years later. Say what you will about Apple, a company that makes plenty of horrible mistakes, but it's remarkable how often they do get things exactly right the first time.)


How does one read "However a seemingly trivial but important difference with Apple Pay is that it doesn't use your physical card number" as not suggesting it's something only Apple does?


Is that US-only maybe? I've had the last 4 digits of my CC printed on receipts paid with ApplePay in Europe.


The last four digits of your physical credit card number are stored by Apple Pay for the purposes of account identification.

There are varying reports of people seeing unfamiliar (i.e. device) numbers and their card number on receipts. I've no knowledge about exactly why there's no consistency, but my suspicion is that Apple Pay sends these four digits as metadata during the contactless transaction. Older contactless terminals would ignore it and naively print four digits of the account number, whereas newer terminals might recognise that metadata and print that on the receipt instead.

It's also possible that the physical card's last four digits are being sent back to the terminal by the network.
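The network-side rule described a few comments up (a device-assigned number is recognised as a token, so it is only honoured with full device authentication and any other presentation is refused) together with the receipt last-four question in this comment, as an added Python model. This is not Apple's, any payment network's or any commenter's code; the token BIN prefix, the vault entries, the entry-mode names and the field names are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed token vault: device account numbers mapped to the funding card.
# Real networks keep this in a token service; these values are made up.
TOKEN_VAULT = {
    "4895000000001234": {"pan": "4111111111110987", "device": "phone"},
    "4895000000005678": {"pan": "4111111111110987", "device": "watch"},
}
TOKEN_BIN_PREFIXES = ("4895",)  # constructed: BIN range reserved for tokens


@dataclass
class Transaction:
    pan: str             # number the terminal presented
    entry_mode: str      # "contactless_emv", "chip", "magstripe" or "keyed"
    cryptogram_ok: bool  # EMV cryptogram verified by the issuer
    cdcvm: bool          # consumer verified on the device (biometric/passcode)


def is_token(pan: str) -> bool:
    return pan.startswith(TOKEN_BIN_PREFIXES)


def authorize(tx: Transaction) -> tuple[bool, str]:
    """Network decision: a token is only valid with full device authentication."""
    if is_token(tx.pan):
        if tx.pan not in TOKEN_VAULT:
            return False, "unknown token"
        if tx.entry_mode != "contactless_emv":
            # Token number seen through a weaker channel: treat as downgrade.
            return False, f"token presented via {tx.entry_mode}: refused"
        if not (tx.cryptogram_ok and tx.cdcvm):
            return False, "token without cryptogram and consumer verification"
        return True, "token authorised"
    # Physical card: ordinary, simplified rules. Keyed and magstripe entry
    # are still accepted here, which is exactly the gap tokens close.
    if tx.entry_mode in ("chip", "contactless_emv"):
        return (tx.cryptogram_ok,
                "card authorised" if tx.cryptogram_ok else "bad cryptogram")
    return True, f"card via {tx.entry_mode}: allowed, higher fraud liability"


def receipt_last4(pan: str, terminal_uses_token_metadata: bool) -> str:
    """Last four on the receipt: funding card if the terminal honours the
    token metadata, otherwise the token's own digits (the inconsistency above)."""
    if is_token(pan) and terminal_uses_token_metadata:
        return TOKEN_VAULT[pan]["pan"][-4:]
    return pan[-4:]
```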


> but for the uninitiated a wrong impression is created

I'm somewhat uninitiated, and I definitely got the wrong impression. So thanks for your clear-up.


> suggest that a "token" instead of a PAN is used for the transaction

Maybe because people know the word "token" and don't know what a "PAN" is. Apple has built a trillion-dollar company by speaking at the level of its customers, not technobabble.


Your average customer doesn't know what either really mean.


I know that a "token" is some value that is used in the transaction. I still have no idea what a PAN is.


Primary account number, the 16 digit card number.



