Yoni Heisler for TUAW, "Apple Pay: An In-Depth Look at What's Behind the Secure Payment System":
With Apple Pay, no credit card data -- even in encrypted form -- is ever stored on the iPhone or on Apple's servers. Similarly, no credit card data is ever transmitted to or stored on a merchant's servers. When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it's safely stored within the iPhone's Secure Element. The token is used in place of an actual credit card number and is what Apple, in its marketing materials, refers to as a unique Device Account Number. Great piece on the intricacies of Pay, presumably launching soon.