Big Nerd Ranch have a good article up about how Apple Pay works, and why it's the most secure method of payment available.
The cryptogram is a layer of security in which part of it is dynamically created per transaction; it links the token to the device and that particular transaction. Tokens can never be used without an accompanying cryptogram and the cryptogram ensures that the token can only be used from the device in which it was originally linked.
The important fact here is that the retailer never has possession of your actual credit card number in any part of the transaction. That is a distinct difference from the credit card magnetic swipe we have today, where the exact credit card number is unmasked and sent directly to the retailer’s point-of-sale system. This is the weak point where hackers have intercepted credit card numbers at Target, Home Depot and others.
Important things to note here:
- Apple doesn't store your credit card number anywhere. It's ONLY stored in the secure element of your phone. This is not the case with Google Wallet.
- The merchant doesn't get a copy of your card number, expiry etc. This both makes it more secure and gives you better privacy, as the merchant can't track your spending habits by card.
The last one is also the case for normal NFC payments, too, but it's good to reiterate it. The article is a bit "OMG security" from an American point of view, but as they are maybe 20 years behind the rest of the world, I think that's fair enough.
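To make the quoted description of the cryptogram concrete, here is a simplified model added as an illustration; it is not code from the article or from Apple. It swaps in HMAC-SHA256 over the token, amount, a merchant nonce and a counter for the real payment-network cryptogram, and the `Issuer` class, function names and token value are hypothetical.

```python
import hashlib, hmac, secrets

def make_cryptogram(device_key, token, amount_cents, nonce, counter):
    """Device side: MAC over the token and this transaction's details."""
    msg = f"{token}|{amount_cents}|{nonce}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Toy verifier: knows each token's device key and the last counter used."""
    def __init__(self):
        self._tokens = {}

    def provision(self, token):
        key = secrets.token_bytes(32)  # assumption: kept only in the secure element
        self._tokens[token] = {"key": key, "last_counter": 0}
        return key

    def authorize(self, token, amount_cents, nonce, counter, cryptogram):
        entry = self._tokens.get(token)
        if entry is None or not cryptogram:
            return "declined: no cryptogram"      # a bare token is useless
        expected = make_cryptogram(entry["key"], token, amount_cents, nonce, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"     # wrong device key or altered details
        if counter <= entry["last_counter"]:
            return "declined: replayed cryptogram"
        entry["last_counter"] = counter
        return "approved"

def demo():
    """Run the cases the quoted passage describes and return each outcome."""
    issuer = Issuer()
    token = "4000-0000-0000-0001"  # constructed sample token, not a card number
    device_key = issuer.provision(token)
    good = make_cryptogram(device_key, token, 1999, "n1", 1)
    forged = make_cryptogram(secrets.token_bytes(32), token, 1999, "n1", 1)
    return {
        "token_only": issuer.authorize(token, 1999, "n1", 1, None),
        "other_device": issuer.authorize(token, 1999, "n1", 1, forged),
        "changed_amount": issuer.authorize(token, 999999, "n1", 1, good),
        "genuine": issuer.authorize(token, 1999, "n1", 1, good),
        "replay": issuer.authorize(token, 1999, "n1", 1, good),
    }

if __name__ == "__main__":
    print(demo())
```

Only the genuine first use is approved: a token captured at the point of sale fails without the device key, and a captured token-plus-cryptogram pair fails on reuse or when the amount changes.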