Tap to Pay on iPhone security
Tap to Pay on iPhone allows merchants to accept Apple Pay and other contactless payments by using iPhone and a partner-enabled iPhone app. With this service, users with supported iPhone devices can securely accept contactless payments and Apple Pay NFC-enabled passes. With Tap to Pay on iPhone, merchants don’t need additional hardware to accept contactless payments.
Tap to Pay on iPhone is designed to protect the payer’s personal information. This service doesn’t collect transaction information that can be tied back to the payer. Payment card information such as the Credit/Debit Card Number (PAN) is secured by the Secure Element and isn’t visible to the merchant’s device. The payment card information stays among the merchant’s Payment Service Provider, the payer and the card issuer. In addition, the Tap to Pay service doesn’t collect payers’ names, addresses or phone numbers.
Tap to Pay on iPhone has been assessed externally by an accredited security laboratory and approved for use by all accepted payment networks in the territories where it is available.
Contactless payment component security
Secure Element: The Secure Element hosts the payment kernels which read and secure the contactless payment card data.
NFC Controller: The NFC controller handles near field communication protocols and routes communication between the Application Processor and the Secure Element, and between the Secure Element and the contactless payment card.
Tap to Pay on iPhone servers: The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.
How Tap to Pay reads credit, debit, and prepaid cards
How Tap to Pay provisions securely
Upon first use of Tap to Pay on iPhone by a sufficiently entitled app, the Tap to Pay on iPhone server determines whether the device meets the eligibility criteria, such as device model, iOS version, and whether a passcode has been set. After this verification is complete, the payment acceptance applet is downloaded from the Tap to Pay on iPhone server and installed on the Secure Element, along with the associated payment kernel configuration. This operation is performed securely between the Tap to Pay on iPhone servers and the Secure Element. The Secure Element validates the integrity and authenticity of this data prior to installation.
How Tap to Pay reads cards securely
When a Tap to Pay on iPhone app requests a card read from the ProximityReader framework, a sheet—controlled by iOS—is displayed and prompts the user to tap a payment card. No app can read any sensors that could give away any part of the sensitive card data while the tap screen is active. iOS initializes the Payment Card Reader and then requests the payment kernels in the Secure Element to initiate a card read.
At this point, the Secure Element assumes control of the NFC controller in Reader Mode. This mode allows card data to be exchanged only between the payment card and the Secure Element through the NFC controller. Payment cards can be read only while in this mode.
After the payment acceptance applet on the Secure Element has completed the payment card read, it encrypts and signs the card data. The payment card data remains encrypted and authenticated until it reaches the Payment Service Provider (PSP). Only the Payment Service Provider used by the app to request the card read can decrypt the payment card data. The Payment Service Provider must request the payment card data decryption key from the Tap to Pay on iPhone server. The Tap to Pay on iPhone server releases decryption keys to the Payment Service Provider only after validating the integrity and authenticity of the data, and after verifying that the card read was performed within 60 seconds of the request for the payment card data decryption key.
This model helps ensure that the payment card data can’t be decrypted by anyone other than the PSP, which processes this transaction for the merchant.
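The key-release checks just described, modelled as an added example that is not Apple’s code or protocol: HMAC-SHA256 stands in for the applet’s signature, a keyed keystream stands in for the Secure Element’s encryption, and the field names (read_id, psp_id, read_time), the per-read key issuance and the server class are all assumptions made for illustration.

```python
import hmac, hashlib, json, secrets

KEY_RELEASE_WINDOW_S = 60  # page: card read must be within 60 s of the key request

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); stands in for the SE cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _sign(mac_key: bytes, body: dict) -> str:
    return hmac.new(mac_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class TapToPayServer:
    """Hypothetical server: holds the MAC key shared with the applet and a key per read."""
    def __init__(self):
        self.mac_key = secrets.token_bytes(32)   # assumption: shared with the applet
        self._data_keys = {}                      # read_id -> per-read data key

    def issue_read(self, read_id: str) -> bytes:
        self._data_keys[read_id] = secrets.token_bytes(32)
        return self._data_keys[read_id]

    def release_key(self, envelope: dict, requesting_psp: str, now: int):
        """Release the data key only if signature, PSP binding and freshness all pass."""
        body = envelope["body"]
        if not hmac.compare_digest(_sign(self.mac_key, body), envelope["sig"]):
            return None, "bad signature"          # integrity/authenticity failed
        if body["psp_id"] != requesting_psp:
            return None, "psp mismatch"           # only the PSP bound to the read may decrypt
        if not 0 <= now - body["read_time"] <= KEY_RELEASE_WINDOW_S:
            return None, "stale read"             # outside the 60-second window
        return self._data_keys.get(body["read_id"]), "ok"

def secure_element_read(server: TapToPayServer, read_id: str, psp_id: str, read_time: int, pan: str) -> dict:
    """Model of the applet: encrypt the PAN under the per-read key, then sign the envelope."""
    key = server.issue_read(read_id)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ k for a, k in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    body = {"read_id": read_id, "psp_id": psp_id, "read_time": read_time,
            "nonce": nonce.hex(), "ct": ct.hex()}
    return {"body": body, "sig": _sign(server.mac_key, body)}

def psp_decrypt(envelope: dict, key: bytes) -> str:
    """PSP side: decrypt once the server has released the per-read key."""
    b = envelope["body"]
    ct, nonce = bytes.fromhex(b["ct"]), bytes.fromhex(b["nonce"])
    return bytes(a ^ k for a, k in zip(ct, _keystream(key, nonce, len(ct)))).decode()
```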
Using PIN entry to authorize transactions
PIN entry allows the payer to enter their PIN on the merchant’s device to authorize the transaction. The PIN entry screen may be triggered immediately after the tap based on the information exchanged with the payment card. Alternatively, the Payment Service Provider can trigger the PIN screen by providing a signed token, which is valid for one specific transaction only.
The PIN entry mechanism has been assessed externally by an accredited security laboratory and is approved for use by all accepted payment networks in the territories where it is available. Tap to Pay on iPhone is designed to prevent all screenshot and screen-recording features from capturing PIN information.
The PIN digits entered are securely captured by the Secure Element. Using these PIN digits, the Secure Element creates a payment industry standard–compliant encrypted PIN block. Apple securely provides the encrypted PIN block from its PCI PIN–compliant back end to the PSP for further processing.
The PIN value is:
Never available to the merchant on their device
Never decrypted by Apple at any time
Never stored by Apple
Securing the merchant device during PIN entry
During the PIN entry process, the device is facing the payer and may be held away from the merchant. To help ensure the protection of the merchant device and data, the merchant has the option to enable the “Tap to Pay on iPhone Screen Lock” setting. This option is found in the settings for each app that supports Tap to Pay on iPhone. Enabling this option locks the merchant’s device while showing the PIN entry screen. After the payer enters their card PIN, the merchant must unlock their device with Face ID, Touch ID, or the passcode to continue using the device, ensuring that the payer can’t access the merchant’s device.