Apple Pay Express Transit Mode, When Used With a Visa Card, Is Vulnerable to Scam Tap-to-Pay Readers

Juli Clover, MacRumors:

The process requires the victim to have Express Transit Mode enabled for payments, and a Visa card linked for those payments, among other steps. As it turns out, it’s a Visa-related security loophole rather than an iPhone issue, and it doesn’t work with a Mastercard or an American Express card because other cards use different security methods. It also doesn’t work with Samsung Pay on Samsung devices, and it requires the specific combination of a Visa card and an iPhone. Apple told Veritasium that it’s an issue with the Visa system, but something unlikely to occur in the real world.

The video, hosted by the Veritasium YouTube channel, but starring Marques Brownlee as the victim, takes over 15 minutes before clarifying that the exploit only works with Visa cards, and only when a Visa card is set as your card for Express Transit Mode. Until then, the video implies that the exploit can work against any iPhone that has Apple Pay configured, with any sort of credit card. The technical explanation of how the hack works is pretty good though.

As I wrote a year ago (when Apple was looking for a new partner to replace Goldman Sachs as the bank for Apple Card), Visa is the most popular credit and debit card in the U.S., by a significant margin. If you don’t use Express Transit Mode, you’re safe. If you do use Express Transit Mode, I suggest any card other than a Visa.

Thursday, 16 April 2026