On September 9, Apple announced Apple Pay as their mobile payment solution. In this paper, we will describe what we know about Apple Pay in both technical and organizational context, as well as what questions still remain to be answered. As independent experts, our goal is to provide insight and knowledge that UL has gathered, in order to best inform all stakeholders involved
Apple Pay is based on NFC technology for proximity payments and an embedded Secure Element in the iPhone and Apple Watch. Apple Pay uses industry-standard EMV contactless protocols over NFC (and MSD – Magnetic Stripe Data – contactless for backward compatibility for the US market). This makes it compatible with a wide range of contactless payment terminals in deployment today.
Apple Pay is compliant to the EMVCo tokenization framework and works with a tokenized PAN (Device Account Number) and Cryptogram (transaction specific dynamic security code). Apple only uses the token services from payment schemes (currently only Visa Token Service, MasterCard Digital Enablement Services and American Express Tokenization Service).
The iPhone 6 and Apple Watch use an embedded Secure Element to store information for payment. On the iPhone the Secure Element contains the fingerprint information for TouchID authentication. It is unclear if the Secure Enclave used in the iPhone 5S, is also available in the iPhone 6. We assume that the fingerprint data is stored in the Secure Element on the iPhone 6.
Apple does not store card holder information and account numbers (PAN) on the iPhone. Instead of actual debit and credit card information, a unique Device Account Number (tokenized PAN) for each card is assigned, encrypted and stored in the Secure Element. These Device Account Numbers are only stored in the Secure Element of the iPhone and the token service. Not on Apple servers.
When making a purchase, the Device Account Number alongside a transaction- specific dynamic security code is used to securely process the payment. So the actual credit or debit card numbers are never shared with merchants or transmitted with payment. The focus of Apple is on the security aspects of payment.
Apple is putting the focus on privacy. Because the iPhone (and Apple Watch) does not contain actual debit and credit card information, the merchant only receives a tokenized PAN. As part of the transaction, the Secure Element receives payment confirmation. This information is used to store recent purchases in Passbook.
There are no indications that the Device Account Number (tokenized PAN) is used to generate a dynamic PAN for each transaction.
If the iPhone sends the Device Account Number with each transaction, the device could be recognized because the same tokenized PAN is used for each transaction and allows merchants to link a device to multiple transactions.
The Apple Watch was also announced on 9 September and is expected to be available early 2015. Specifications of the watch are limited but Apple announced that Apple Pay can be used through the watch. The Apple Watch will have NFC and an embedded Secure Element to store payment information. Current information is that payment with the Apple Watch will be authorized with a PIN code and as long as you wear the watch (skin contact monitored by sensors), you can make payments. Once you take off the watch, the PIN code has to be entered again.
The Apple Watch makes Apple Pay for remote payments available on the iPhone 5 series (5, 5C and 5S). As the iPhone 5 series do not have a Secure Element, the Secure Element of the Apple Watch is used via a Bluetooth connection to make remote payments.
To add payment cards to Apple Pay (Passbook), the card holder can link the card information from the iTunes account or take a picture of the card with the camera of the iPhone. The information on the card is verified by Apple with the relevant scheme and the card issuer. After verification, the token service of the scheme will send the Device Account Number (tokenized PAN) to wallet server of Apple which will store the tokenized PAN on the Secure Element in the iPhone.
It is yet unknown what role the issuers will play in the enrolment of payment cards. Will an activation code be needed; or is a $0 transaction be sufficient; or is there a need for a CVC2 validation? Also indications are that in the future 3D SecureCode could be used by Apple to support enrolment.
Proximity Payment iPhone
To make an NFC payment, the card holder taps the iPhone against the terminal and authorizes payment with a fingerprint (TouchID). The Secure Element contains the payment application and is triggered to send, among others, the Device Account Number (tokenized PAN) and a generated transaction specific dynamic security code (cryptogram) to the merchant (terminal).
The tokenized PAN and cryptogram are sent into the acquiring network for processing. The Token Service of the scheme will de-tokenize the PAN to convert to the original PAN. The scheme will validate the cryptogram and send the transaction with original PAN to the issuer (e.g. bank) for approval.
Other questions that are not (yet) answered are:
- Does Apple Pay allow offline transactions and how are offline counters implemented?
- Does Apple Pay make a difference between low value payments and high value payments?
- Are the payment applications from the scheme preloaded into the Secure Element?
Remote Payments iPhone
Apple Pay also supports remote payments. Merchants can develop apps that use Apple Pay to pay for online transactions. The app must use the Apple Pay API to allow the use of this payment method.
The card holder collects items in a shopping cart in the merchant app on the iPhone. When the customer is ready to pay, checkout will be with the Apple Pay option. The card holder authorizes the payment with TouchID and the Device Account Number and dynamic security code are sent to the acquirer/payment gateway. The acquirer/payment gateway forwards the tokens to the Token Service for de-tokenization and validating the cryptogram. The de-tokenized PAN and the cryptogram are sent to the issuer for payment approval. The issuer
Source: Apple Pay – What do we know? UL’s Independent Assessment