How does Apple Pay Work?

Here are the actions that take place in the background when you add a new payment card (either a credit or a debit card) to Apple Pay.

• The Apple Wallet App sends the payment card’s PAN (Primary Account Number), as well as other card-related personal information such as Your Name and Card Expiration Date, to the Apple Pay servers.
• The Apple Pay server detects the credit card Issuer Bank based on your PAN and then sends the PAN and your personal information to the Issuer Bank, seeking a Payment Token.
• The Issuer Bank then contacts a Token Service Provider (TSP) to get a Payment Token.
• Token Service Providers are entities that must be licensed with EMVCo which formats a data transfer guideline.
• The PAN is vaulted by the Token Service Provider (TSP), a Payment Token is produced, and the newly generated Payment Token is associated with the PAN.
• The Token Service Provider (TSP) then provides the newly produced Payment Token to the Issuer Bank, as well as the Payment-Token-Key (Public Key)
• The Payment Token and Payment-Token-Key are received by the Issuer Bank from the Token Service Provider (TSP), and a CVV-Key is added to it.
• The Payment Token, Payment-Token-Key, and CVV-Key are subsequently returned to the Apple Pay Servers by the Issuer Bank.
• Apple Pay deploys its own Trusted Service Manager (TSM) to supply the Payment Token, Payment Token-Key, and CVV-Key, as well as potentially additional data, onto the “Secure Element,” which is the secure hardware chip on the iPhone device.

• This is the “Payment Token” that Apple stores on its Secure Element (SE) and refers to as the DAN (Device Account Number)
• When you add a credit or debit card to your Apple Pay Wallet you can view this DAN for the card you added by opening your Apple Wallet App and choosing the card you added by tapping the “info” option. Only the last 4 digits of the DAN will be shown. It’s worth noting that the DAN is specific to that iPhone model. The DAN of the same card put to a different device will be different.
  

The DAN is a permanent, one-of-a-kind number that does not change. The DAN serves as a stand-in for the actual card number (PAN) and personal information. Any transaction records for transactions made using Apply Pay will not include your credit card’s last four numbers. Rather, the last four digits of the DAN will be shown in the transaction records. Apple Pay does not save actual credit card details on the device or Apple servers, and payment token data is never retained on their cloud servers(The Payment Token, i.e. DAN, is exclusively stored on the iPhone’s Secure Element (SE). Furthermore, Apple Pay does not retain actual card data within the Secure Element (SE).

When you use Apple Pay on your iPhone, it sends payment data to the contactless POS terminal through NFC. Apple Pay transmits data from your iPhone to the contactless reader terminal using EMVCo’s contactless suite of requirements.

When you pay with Apple Pay, you use your biometric to verify yourself to the iPhone’s Secure Element (SE) (i.e. fingerprint, face id or PIN). The authentication method simply authenticates you to the Secure Element (SE) and grants Apple Pay access to the Secure Element’s data (SE).

When you authenticate yourself to the iPhone, the Secure Element performs the following actions:

(a) produces a Dynamic Cryptogram

• which is made up of the Payment Token, transaction amount, and transaction counter, as well as the Payment-Token-Key (provided by the TSP)

(b) produces a Dynamic CVV

• using the CVV key (provided by the Issuing Bank)

The Payment Token is then passed by the Secure Element. The Secure Element then uses NFC to send the Payment Token (DAN), the Dynamic Cryptogram (also known as the One-time Unique Number), the Dynamic CVV Value (also known as the Dynamic Security Code), and other payment and chip data components to the POS terminal. This request is sent by the POS to the Merchant Bank, which then passes it to the Payment Network.

Based on the BIN tables, the Payment Network determines that the request is a Payment Token and not a genuine PAN. As a result, the Payment Network sends the Payment Token and the Dynamic Cryptogram to the Token Service Provider (TSP) to receive the associated PAN.

The Payment Token (DAN) and Dynamic Cryptogram are delivered to the Token Service Provider. The request is validated by decoding the Dynamic Cryptogram using the secret Payment-Token-Key. Once the request has been confirmed, the TSP searches the Token Vault for the PAN associated with the Payment Token and returns the customer’s true PAN to the Payment Network. It now sends the PAN, transaction information, and Dynamic CVV to the Issuer Bank for transaction authorization.

The request is validated by the Issuer Bank using its private key to interpret the Dynamic CVV. After validating the Dynamic CVV, the Issuer Bank compares the customer’s credit balance to the transaction amount and “authorizes” the request.

The Issuer bank sends the “authorization” answer to the Payment Network, which sends it back to the Merchant Bank and then to the POS terminal, and your transaction is accepted at the POS. The POS further sends this to the iPhone through NFC, and you get a confirmation that the transaction was successful.

The entire procedure takes less than a handful of seconds. You’ll also observe that the real PAN and customer information are never transferred to or from the POS during the foregoing procedure. As a result, the transactions are incredibly secure.