Apple Pay Overview
Securely integrate Apple Pay with Basis Theory for compliant and processor-agnostic operational efficiency.Apple Pay is a mobile payment and digital wallet service that offers a convenient and secure way for users to make payments using Apple devices. Merchants can benefit from the enhanced security features of Apple Pay, such as tokenization, which protects sensitive card data during transactions. For European users, Apple Pay is PSD2 SCA-compliant.
By integrating with Basis Theory, merchants can leverage advanced Reactors to decrypt and securely store Apple Pay tokens, ensuring compliance with PCI Level 1 standards without the burden of maintaining complex infrastructure. This model optimizes operational efficiency by enabling merchants to use native Apple Pay integration in the client side, while getting secured access to the authorized payment credentials.
Start with a Guide
In this page, we will explore Apple Pay concepts and take a deep dive on how it works. If you are looking for hands-on guides, check out the links below:
Merchant Setup
Accept Payments
Glossary
- FPAN: Funding Primary Account Number. This is the physical or virtual card number, or just "PAN".
- DPAN: Device Primary Account Number. Apple's equivalent to a Network Token. Also known as "DAN" or "Application PAN".
- BIN: Bank Identifier Number. The first 8 digits of a card number. These are usually preserved when generating DPANs from FPANs.
- Apple Pay Token: payment token object issued by the device upon user approval via biometric authentication (Face ID or Touch ID). It carries transaction information, including an encrypted form of the DPAN and transaction cryptogram.
- Issuer: bank or bank-sponsored financial institution that issues the payment card to the cardholder and is responsible for approving transactions
- Acquirer: bank or bank-sponsored entity that is responsible for processing credit or debit card transactions on behalf of merchants, facilitating the transfer of funds from the customer's account to the merchant's account.
- TSP: Token Service Provider are entities registered with EMVCo to generate unique replacement values for PANs, aka "tokens". In many cases, these are the Card Networks.
- Secure Element: Industry-standard certified chip present in Apple hardware, such as iPhones, iPads, Apple Watch, etc.
Adding Card to Apple Wallet
Adding a card to Apple Wallet can either be done by manually adding card details using Apple Wallet UI or using apps that can automatically add cards to the user's wallet - also known as push-provisioning.
Regardless of the method, when a user adds a card to Apple Pay, many systems are involved in ensuring that the sensitive cardholder data is protected and ready to use when it is time to process transactions.
- Apple Wallet sends the FPAN and the user's personal info to Apple Servers which, after verifying support for the card by looking up BIN tables, sends it to the matching Issuer Bank.
- The Issuer Bank validates the FPAN and sends it to the TSP, requesting a new token.
- The TSP generates a new DPAN for the received FPAN and stores it next to the FPAN in their token vault. The DPAN and its key are returned to the Issuer Bank.
- The Issuer Bank generates a CVV-Key which is later used for authorization, and returns all values to Apple Servers
- Apple Servers securely "returns" the information to Apple Wallet ¹, which stores it in the device's Secure Element.
¹ The actual mechanism of this step is proprietary and was outlined as a return for the sake of comprehension only.
Using Apple Pay in Transactions
When a user chooses Apple Pay to pay for a good or service, the Apple Pay experience kicks in, allowing them to select the card for payment, customize delivery and billing address, contact information, etc. Then, the user is required to authenticate the payment by providing biometrics (Touch ID, Face ID or fallback to PIN). Internally, this will authenticate against the Secure Element to authorize access to the sensitive payment information.
-
Once the user authorizes the payment:
-
Apple Pay uses NFC to communicate with contactless POS terminals and enable in-person payments. By implementing EMVCo's contactless specifications, Apple Pay passes the payment data (DPAN, Dynamic CVV, etc.) from the device's Secure Element to the reader, which forwards it along with transaction details to the Acquirer.
-
In e-commerce payments, the device generates a payload that contains payment data (DPAN) but tweaked for online transactions (cryptogram), that is made available for the merchant to route to their Acquirer, along with other transaction details.
-
-
The Acquirer, currently holding the DPAN along with specific authentication data, sends them to the relevant Card Network (such as Visa, Mastercard, American Express, etc.). The Card Network identifies, based on its BIN (Bank Identification Number), that the DPAN needs to be detokenized into the FPAN.
-
Now the Card Network is able to request the Issuer for transaction authorization with the FPAN, Authentication Data and Transaction details.
-
The Payment Authorization Decision is returned from the Issuer, based on many factors such as available funds, transaction amount, velocity and frequency, etc. This decision is returned all the way back to the Merchant, in whatever channel the transaction was initiated.