Overview#Apple Pay is a Mobile-Digital Wallet system.
Apple Pay does not store the real card data inside the Secure Element. This is in direct contrast to Google Wallet and Softcard. Apple Pay stores a token that conforms to EMVCo Tokenization specification. This token (along with a cryptogram) that gets sent to the contactless terminal. Apple refers to the "Device Account Number" (PAN) as the EMVCo token in their documentation.
During the authorization flow, the card network identifies the token, de-tokenizes them into real PAN with the help of a Token Service Provider (TSP) and sends the real PAN over to Issuer for authorization.
Secure Enclave and Touch ID #Each Apple Pay transaction is authenticated using Touch ID or the user’s passcode. The Secure Enclave manages the Authentication process and enables a payment transaction to proceed.
Could there be some Cryptography Functions involved?
How it Works#
Adding a Card to Apple Pay#When a customer adds a Payment Card to their wallet, the PAN details are submitted to Apple Pay servers.
Apple Pay, acting as its own Trusted Service Manager (TSM) provisions the Payment Token, Payment Token-Key and CVV-Key and maybe other data into the Secure Element. This combination is the "Token" that Apple calls as "Device Account Number" DAN in its press releases.
Making a POS Payment#When a customer taps or waves their iPhone in front of a point of sale terminal, a payment transaction is initiated.
Apple Pay uses EMVCo’s Contactless Suite of Specifications to communicate with the contactless reader terminal.
When it is time for the Secure Element to send information to the terminal:
- First, the Secure Element generates a Dynamic Cryptogram using a combination of the Payment Token, Payment Token-Key, transaction amount, transaction counter etc.
- Second, the Secure Element generates a Dynamic CVV Value using the CVV-Key.
- Second, the Secure Element passes the Payment Token the Dynamic Cryptogram, the Dynamic CVV Value and other payment and chip data elements to the terminal using the EMVCo’s Contactless Suite of Specifications.
To put this in Apples terms, The Device Account Number or DAN represents the Payment Token, the One-time Unique Number represents the Dynamic Cryptogram and the Dynamic Security Code represents the Dynamic CVV Value.
The Payment Network identifies that it is a Payment Token and not a real PAN based on BIN tables. Consequently, they send a request out to the TSP to de-tokenize passing in the Payment Token and the Dynamic Cryptogram.
The TSP, among other things, validates the Dynamic Cryptogram using the Payment Token-Key that it shared earlier during the provisioning process. If the Dynamic Cryptogram is valid, the TSP de-tokenizes and returns the real PAN back to the Payment Network.
The Issuer Bank validates the Dynamic CVV Value based on the CVV-Key it shared earlier during the provisioning process. Then it authorizes the transaction depending on the customer’s account status. The authorization status flows back from the Issuer Bank to the Payment Network, back to the Payment Card Acquirer and back to the Merchant where your receipt gets printed.
About the Apple Pay Payment Token#The Merchant is sent the Payment Token, which is a Virtual Credit Card Number, from the Card-Emulation process. With Apple Pay this will appear as a Credit Card Number issued from the bank that issued the Credit Card that is stored in Apple Pay that was selected to make the payment.
You may see the last four digits of this Payment Token on the receipt of your purchase. If the cashier asks for the last four digits used in the transaction, (Generally, they should not), you should give the last four of your Payment Token. (TBD Where to find this value.)
As far as we know this Payment Token will be the same every time you select the same Credit Card for payment within Apple Pay.
Patent Filing #The U.S. Patent and Trademark Office published Apple's application for a "Method to send payment data through various air interfaces without compromising user data," which details a readily deployable digital system based on existing mobile hardware technology. Prior to today's filing, most of Apple's payment-minded patents have focused on use case scenarios, not backend infrastructure. Uses the term Secure Element.
More Information#There might be more information for this subject on one of the following:
- Four-Party Credit Card System
- Google Wallet vs Apple Pay
- Mobile-Digital Wallets
- Payment Token
- Web Blog_blogentry_060716_1
- Web Blog_blogentry_250215_1