Apple Pay – In a Nutshell.

Apple announced the Apple pay – the new generation mobile payment system on 9th September, 2014. As per Apple , this revolutionises mobile payments  made from new generation iPhone (iPhone 6 and 6 plus ) and iPhone 5,5c & 5c  (Apple Watch). The NFC capability of these phones and Watch enable the contactless communication between mobile and payment terminal.  In order for  iPhone 5 generations to work with apple pay , you need to have an Apple Watch (not expected until 2015) .  The placing of finger on touch ID or double click on button next to crown of the watch acts as trigger which confirm the payment from customer either at payment terminal or while buying from an app. One another infrastructure element is a dedicated chip  called Secure Element which stores the account Information(A device specific account info is generated when a card is entered into Passbook).

It’s believed that the apple pay doesn’t change the In-App purchases currently performed through ITunes stores, but it may also allow Apple Pay for in-app purchases on latest iPhones. You may still have the  card information stored in the iTunes perform purchase of contents , apps and subscription through iTunes (to be used in older iPhones, iPad & desktop) .

The Apple Pay eliminate the storage of Card Number (PAN- Primary Account Number) in either device or apple servers. It’s replaced with a device specific account number (which corresponds to specific card as well) generated through a payment tokenization standard.  The tokenization process replaces card number with unique digital token. The token can be restricted with a mobile device or merchant. In apple pay, the token is created combining primary card account number (PAN) and device id (iPhone). The tokenization standard used here was established by Visa, MasterCard and American Express in 2013. The specification can be found here – EMV Payment Tokenisation Specification – Technical Framework . The payment network  tokenization interface maps back the primary account details of the card holder with this payment token when payment is processed ( at the processor end). In theory, the only place a mapping between tokenized account  and PAN (Primary Account Number) exists is at the Payment processor.  The iPhone is expected to discard the PAN  as soon a tokenized account number is crated and stored in the Secure Element.

In order to understand Apple pay better, let us  have a look at the conventional payment from apps. An app running on the device capture all necessary card information (either captured afresh or use the stored details at the Merchant) , encrypt it(or using SSL) and send it to Merchant’s payment gateway directly or through the Merchant’s back office system. The gateway then forward the information to the payment processor of Merchant’s bank.     

The payment processor then forward the information to the card association (shown below – top half) and then the information is further passed to the issuing bank for approval.   The point to be noted is that the card and customer information are passed across through multiple systems (encrypted and/or through SSL) which make it prone to security breaches (remember Heart bleed !)  . Once the payment is approved or rejected , the outcome flows back to the app through the same route.


The Apple pay works quite similar to the conventional payment beyond the payment processor/merchant side  (the main difference is that it sends the tokenized payment information instead of primary account information).

The PassKit framework provide the API framework for Apple pay – which allow your app to interact with Secure Element and Apple Passbook. For an app to work with Apple Pay , it is also required to include an Apple pay entitlement in the App also your payment processor should support network tokenization. It’s also required to create  certificates request to obtain cryptographic keys that will be used to encrypt and decrypt payment  tokens. So let us start …

How Setup your phone for Apple Pay

The apple use the passbook to store the payment information. You can add a new card either using iSight camera or you can just manually enter into the passbook.The Passbook’s ‘Capture Card Info’ can be used using iSight camera.  You can also import existing card information stored in iTunes to the passbook by entering card security code. Once a card  is entered and confirmed, a unique tokenized device account number is generated  and then it’s encrypted and stored in a dedicated chip(Secure Element) in iPhone  . The PAN is not stored anywhere. In case you loose the device, you can suspend all payments from the device through Find My iPhone(setting it to lost mode automatically suspend all transactions from the device).

The payment process

Once  your app has apple pay entitlement enabled (all other pre-requisites including complaints to App Review Guidelines) , the user can select Apple Pay as the payment mechanism

1. The PassKit has API which can tell the app whether the device is setup with Apple Pay (including the presence of secure element and device account number). My current understanding is that if there are multiple accounts (cards), the last entered card will be default and a default card is used for Apple pay.

2. The next step is to invoke PassKit API to create the payment sheet. Although the contents of the payment sheet (such as delivery address and amount) are passed from the app, the payment sheet itself is not controlled by the App.

3. The user authorises the payment using the touch id.

iPhone6-PF-SpGry_iPhone6-PF-SpGry _NFC-PRINT

(Image copyright Apple – Downloaded)

4. Once the touch id is successfully validated , a cryptogram is created by the PassKit 

5. The encrypted payment info is then transferred to the merchant application.

The encrypted payment information can be decrypted using the private key stored in the server . It’s also possible(preferred) to use a third party payment provider(discussed below) to do the rest of the payment handling.  It’s important that the payment processor support tokenization interface so that tokenized customer info can be mapped against the specific customer .

Paying at the terminal

The paying at the terminal is not much different than paying from app other than sending encrypted payment information is through NFC (Near Field Communication).

1. Once you are at the terminal and agreed to pay with apple pay , the information is automatically send across to your phone when you bring your Apple Pay capable mobile to the terminal (when it’s in the hot zone of NFC).

2. You can confirm the payment either using touch id or double click on the button (beside the crown) on the apple watch

3. This causes the tokenised payment  to be transmitted to the merchant system.

Although NFC technology as such doesn’t come up with any secure built in hardware elements , the technology itself  more secure due to to its nearness to the paired device(terminal –when data exchange is performed) and very short cycle of data exchange.

Third-party enablers/Payment providers

Apple recommends to use one of the third party providers and their SDKs instead of having own server side solutions (figure below). This will avoid having server side decryption of payment tokens and the management of payment processors and their network token interfaces. This can be especially useful in case there is an opportunity to establish a fresh payment system. Apple has already partnered with a few payment platforms such as Authorize.Net, Chase Paymentech, Stripe etc.,. for this. These providers support most common tokenization interfaces of payment processors. The SDKs and API provided by these payment providers can take away the pain in integrating with processor and their tokenization interfaces. The payment providers decrypt the payment data and run the transaction with acquirers’ bank.


Security of Apple Pay

1. The smart tag vulnerability and man in the middle attack (spoofed terminals) may be exploited by the hackers ( Some reports indicate that the NFC chip will be available only to ApplePay. The lock down of NFC chip  eliminate the tag rewriting. It’s not clear whether the Secure Element will also be locked down)

2. The apple pay doesn’t seem to provide any extra level of security for the merchants.

3. The one-time unique number with Device Account Number (reusable – but stored in Secure Element of mobile ) provide additional layer of security.

4. You can make the phone into the lost mode (which is quite handy) can immediately suspend all transactions from the device.


The apple pay is an evolutionary concept tailored from emerging standards such payment tokenization from EMVCO and it’s implementation by card associations(Visa, MasterCard and Amex) . Although it’s just currently supported by Apple (through IPhone5 and above and Apple Watch) and it can well be adopted by other payment systems making use of the contactless terminal ecosystem and other emerging payment standards.  Apple has promised that “Apple Pay is also able to make purchases through apps in the App Store℠” . The Apple pay provide the best compromise between speed of transaction and security. Although the underlying technology is not owned by Apple (one time code, storing security information in a dedicated chip, contactless payment with NFC and tokenization), the apple has established a system which works well with these underlying technologies . The apple pay currently doesn’t support payment using mobile websites (largely due to the security restriction preventing  native PassKit interface with browser) . This could be major issue as other wallet providers such as PayPal, Google support similar wallet payments over the web. 

Posted in Payments and Security