Hacker News new | past | comments | ask | show | jobs | submit login

The post by Matt Birchler has been amended with the paragraph "A previous version of this post suggested the DPAN changes between merchants, but that was a mistake. Serves me right for cranking this post out too quickly. Seriously, my bad.". However, the rest of the post still suggests that there is a unique DPAN per merchant, but I can't find any basis for that.

Even Apple's own documentation at https://support.apple.com/en-us/HT203027 says that the DPAN (called Device Account Number here) is only unique per device. When a card is added to Apple Pay a DPAN is created for that device, and it never gets changed afterwards unless the card is removed and re-added.

So whereas you can't be tracked by using the same card on two devices (e.g. iPhone and Apple Watch) because they will have two different DPANs, I'm pretty sure data brokers can track you when using the same card on the same device across different merchants.




> hen a card is added to Apple Pay a DPAN is created for that device, and it never gets changed afterwards unless the card is removed and re-added.

They're not generally considered stable in the payments world. They can get rolled periodically, even outside of card addition and removal.


In Apple Pay they are sort of static. Not per merchant, but they don’t cycle by default for any reason. I believe there is a button you can press to have the number changed. I think I’ve seen it before but I’ve never used it.

And of course you could always just remove your card and then re-add it. That would give you a new DPAN.


> I believe there is a button you can press to have the number changed.

That's for the Apple Card's virtual card number, which is just a regular old PAN. There is no such button for the DPAN, to my knowledge.


Ah you’re right, I got those confused.

Thanks.


Different PANS doesn’t make a difference when your bank is selling your credit card data anyway.


It makes a difference for credit card thieves. Not for transaction list privacy.

As long as your bank is involved you’re just going to have to put up with them and trust them.


Credit theft affects the banks and merchants. They are out of the money not me. Its for their benefit. I just suffer the inconvenience of getting a new card.


I noticed that the last 4 digits of the card used with Apple Pay is different every time I pay (I use my Apple Watch mostly). Not use between merchants but also with the same merchant.


Are you sure you're not mixing up phone and watch payments? And is this with a Mastercard or Visa card, or something region-specific?

The DPAN has always been constant in many years of using Apple Pay for me, which is useful to e.g. check which card I've actually used on by comparing the last four digits printed on a receipt to those I can see on my phone or watch (the card details show both the funding and the DPAN last four digits).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: