Radial Integration | 2016


Apple Pay Processing

Apple Pay

Apple Pay is a mobile payment and digital wallet service by Apple Inc. that lets users make payments using the iPhone 6, iPhone 6 Plus, Apple Watch-compatible devices (iPhone 5 and later models), iPad Air 2, and iPad Mini 3. Apple Pay does not require Apple-specific contactless payment terminals and will work with Visa's PayWave, MasterCard's PayPass, and American Express's ExpressPay terminals. It digitizes and replaces the credit or debit magnetic stripe card transaction at credit card terminals. The service lets Apple devices wirelessly communicate with point of sale systems using a near field communication (NFC) antenna, a dedicated chip that stores encrypted payment information (known as the Secure Element), and Apple's Touch ID and Passbook.

To check out at brick and mortar stores, users hold their authenticated Apple device to the point of sale system. iPhone users authenticate by holding their fingerprint to the phone's Touch ID sensor, and Apple Watch users authenticate by double clicking a button on the device.

To check out online in supported mobile apps, users choose Apple Pay as their payment method and authenticate with Touch ID.

How does Apple Pay work?

User's Initial Setup

In order to use Apple Pay, a user must first add a credit card to their Apple device/service. Users can add credit cards to the service in any of three ways: through their iTunes accounts, by taking a photo of the card, or by entering the card information manually.

During initial setup, the user's card information is encrypted and sent to Apple's servers, where Apple decrypts the data and determines the card network or card issuer. Apple then re-encrypts the data with a key and issues a token called a Device Account Number (DAN). The device account number is received by the device and stored for future use.

Purchasing using Apple Pay

When a customer wants to make a payment with Apple Pay, they bring the phone to an NFC-enabled terminal. The phone asks the customer to authenticate the payment with Touch ID. That authentication signals to the phone that it can transmit the Device Account Number and its accompanying dynamic security code to the merchant's terminal, and the transaction then proceeds as a normal credit card transaction would.

Payment Service Support for Apple Pay Integration

Radial's Payment Service provides APIs that can be used to integrate Apple Pay for both in-app mobile purchase integration and Apple Pay for the Web integration through the Safari browser. Two Radial APIs are involved in completing the integration.

Apple Pay Integration Flow

There are several steps in the data flow to complete an Apple Pay transaction. The numbered sequence below lists the system interactions in order.

  1. In the merchant's iOS application, the user (customer) clicks the Checkout with ApplePay button.
  2. The PassKit framework connects to the Apple server and receives encrypted payment data in JSON format.
  3. The iOS application calls Radial's Payment Service to decrypt the encrypted Payment Data. Specifically, the iOS application calls the Decryption API.
  4. Payment Service uses the .cer file and the p12 file provided by the merchant, along with the ephemeral public key passed in the API call, to decrypt the payment data.
  5. Payment Service sends the decrypted payment data back to the iOS application.
  6. The iOS application uses the decrypted payment data to create a CreditCardAuthRequest message.
  7. The iOS application calls Payment Service for CreditCardAuth.
  8. Payment Service processes the request as a regular Card Not Present transaction and returns a success or failure response.
  9. The iOS application receives the success or failure response and prompts the user accordingly.

APIs Used

Apple Pay integration uses the following API operations:

  1. Decryption API
  2. Credit Card Auth API

Decryption API

When the user authorizes the payment, the iOS application connects to the Apple server and receives an encrypted payment blob. The iOS application sends this blob to Payment Service using the Decryption API; Payment Service decrypts it and returns the decrypted payment data to the iOS application.

Request Example

The request is a DecryptBlobRequest message.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <DecryptBlobRequest xmlns="http://schema.gsicommerce.com/payments/services/1.0/"
        xmlns:payment="http://schema.gsicommerce.com/payments/types/1.0/">
    <MessageHeader>
        <payment:RequestId>1</payment:RequestId>
        <payment:CreateTimestamp>2016-07-29T15:42:03.25Z</payment:CreateTimestamp>
        <payment:MockPayment>false</payment:MockPayment>
        <payment:extension/>
        <payment:ClientTimeoutInMilliseconds>3000</payment:ClientTimeoutInMilliseconds>
    </MessageHeader>
    <SourceId type="STORE">TMSUS</SourceId>
    <AlgorithmVersion>apd</AlgorithmVersion>
    <EncryptionHeader>
        <payment:EphemeralPublicKey>MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAtpj8+ZI9S3g
            Q7QHCM/dLYTjdSgKdXlDDI/ezdwmHc4HosSYFdYYE/v8t2CcFwJHmceet/GNE1VRO57W3VxeAg==
        </payment:EphemeralPublicKey>
        <payment:TransactionId>
            84a7e17570c940f6a268d9121a4c090f1d2e22bab4da0f2054c7ba53035dc79a
        </payment:TransactionId>
        <payment:PublicKeyHash>i3F+FlIbyhjfYqMqm3M/dpeWRO9tnD+U9BJng3tkkig=
        </payment:PublicKeyHash>
    </EncryptionHeader>
    <Version>EC_v1</Version>
    <Data>GcUsL3ZgQVf9Raf7fBY+0AXsoO/5REeQWE6mROAJM4QvxJgOO6mxW1CuM1P7Ox9hQo1Qt1dg/VIS5fs
        zNq7YhB0oQNgoEwAh7bTXEUBtmx0lzvN5EWxah0ScMbv/v+7CuakmRG6c6hO4xQlayCNGV6diFK1Ng6zN
        phSW53b1Di6vhqJcDnGs2tvu6wHyGfqIH6AeUmCNsiBvkHsaiiHbiWcL6BPpWuoW7y5bZK3mMxgygYgzZ
        ec/XnlV5lcJocpPDcL8ouuVU/oBMZn9ox/Ql3r9E8f3g7+uTdKZ+TEoyKIH52VQUb1/YXU3SZ2Fr2J/oi
        dUPz9+fTvGZkFPQvSX4G+jzYWlCQmrx6qZ0cfTY/ZcGmITSSbzKcgy35kTTNJdqmL8wqmOzfr202R3sXe
        GBjS1BqAm5DNzbgWHGrOoc/I=
    </Data>
    <Signature>MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMI
        ID4jCCA4igAwIBAgIIJEPyqAad9XcwCgYIKoZIzj0EAwIwejEuMCwGA1UEAwwlQXBwbGUgQXBwbGljYXR
        pb24gSW50ZWdyYXRpb24gQ0EgLSBHMzEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
        dHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE0MDkyNTIyMDYxMVoXDTE5MDkyN
        DIyMDYxMVowXzElMCMGA1UEAwwcZWNjLXNtcC1icm9rZXItc2lnbl9VQzQtUFJPRDEUMBIGA1UECwwLaU
        9TIFN5c3RlbXMxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZ
        Izj0DAQcDQgAEwhV37evWx7Ihj2jdcJChIY3HsL1vLCg9hGCV2Ur0pUEbg0IO2BHzQH6DMx8cVMP36zIg
        1rrV1O/0komJPnwPE6OCAhEwggINMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAYYpaHR0cDovL29jc
        3AuYXBwbGUuY29tL29jc3AwNC1hcHBsZWFpY2EzMDEwHQYDVR0OBBYEFJRX22/VdIGGiYl2L35XhQfnm1
        gkMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUI/JJxE+T5O8n5sT2KGw/orv9LkswggEdBgNVHSAEggE
        UMIIBEDCCAQwGCSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlzIGNl
        cnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljY
        WJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeS
        BhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cDovL3d
        3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9j
        cmwuYXBwbGUuY29tL2FwcGxlYWljYTMuY3JsMA4GA1UdDwEB/wQEAwIHgDAPBgkqhkiG92NkBh0EAgUAM
        AoGCCqGSM49BAMCA0gAMEUCIHKKnw+Soyq5mXQr1V62c0BXKpaHodYu9TWXEPUWPpbpAiEAkTecfW6+W5
        l0r0ADfzTCPq2YtbS39w01XIayqBNy8bEwggLuMIICdaADAgECAghJbS+/OpjalzAKBggqhkjOPQQDAjB
        nMRswGQYDVQQDDBJBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24g
        QXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0xNDA1MDYyMzQ2MzBaF
        w0yOTA1MDYyMzQ2MzBaMHoxLjAsBgNVBAMMJUFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIC
        0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSB
        JbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPAXEYQZ12SF1RpeJYEHduiA
        ou/ee65N4I38S5PhM1bVZls1riLQl3YNIk57ugj9dhfOiMt2u2ZwvsjoKYT/VEWjgfcwgfQwRgYIKwYBB
        QUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDA0LWFwcGxlcm9vdG
        NhZzMwHQYDVR0OBBYEFCPyScRPk+TvJ+bE9ihsP6K7/S5LMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBg
        wFoAUu7DeoVgziJqkipnevr3rr9rLJKswNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5hcHBsZS5j
        b20vYXBwbGVyb290Y2FnMy5jcmwwDgYDVR0PAQH/BAQDAgEGMBAGCiqGSIb3Y2QGAg4EAgUAMAoGCCqGS
        M49BAMCA2cAMGQCMDrPcoNRFpmxhvs1w1bKYr/0F+3ZD3VNoo6+8ZyBXkK3ifiY95tZn5jVQQ2PnenC/g
        IwMi3VRCGwowV3bF3zODuQZ/0XfCwhbZZPxnJpghJvVPh6fRuZy5sJiSFhBpkPCZIdAAAxggFeMIIBWgI
        BATCBhjB6MS4wLAYDVQQDDCVBcHBsZSBBcHBsaWNhdGlvbiBJbnRlZ3JhdGlvbiBDQSAtIEczMSYwJAYD
        VQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA
        1UEBhMCVVMCCCRD8qgGnfV3MA0GCWCGSAFlAwQCAQUAoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHAT
        AcBgkqhkiG9w0BCQUxDxcNMTUxMjEwMTc0NDEwWjAvBgkqhkiG9w0BCQQxIgQgUiRZSvu2i+zIK3pRHZs
        uhRIVtn71HWaUfewTPrqSm8MwCgYIKoZIzj0EAwIERjBEAiBIumc6vmek/PlaZBYgiIsNNV99jmbRFnwn
        mhLMQ3REXQIgNpC4d79eJmnCLnkQS1g/WgL3g+7RXszwNXQvK+Quzx0AAAAAAAA=
    </Signature>
  </DecryptBlobRequest>       
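The PassKit framework hands the application the token as JSON with a version, data, signature and a header holding ephemeralPublicKey, publicKeyHash and transactionId; the request above carries exactly those fields. The Python below is an added example, not Radial's or Apple's code. Before the Decryption API call it checks the token's shape (EC_v1 version, a P-256 SubjectPublicKeyInfo as the ephemeral key, a 32-byte hash and transaction id, decodable data and signature), confirms that publicKeyHash is the SHA-256 of the merchant certificate's DER SubjectPublicKeyInfo (so the .cer/.p12 pair on file is the one the wallet encrypted for, which is the usual cause of a failing decrypt), and serialises the DecryptBlobRequest. The sample token reuses the header values from the request above with placeholder data and signature; the request id, source id and timestamp are assumed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces exactly as used by the DecryptBlobRequest sample.
SERVICES_NS = "http://schema.gsicommerce.com/payments/services/1.0/"
TYPES_NS = "http://schema.gsicommerce.com/payments/types/1.0/"

# DER header of a SubjectPublicKeyInfo holding an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING { 0x04 ... } }.
# Every EC_v1 ephemeralPublicKey starts with these 27 bytes (91 bytes in total).
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004")

# Constructed sample paymentData: header values copied from the request above,
# data and signature are placeholders, not real ciphertext or a real CMS blob.
SAMPLE_TOKEN = {
    "version": "EC_v1",
    "data": base64.b64encode(b"placeholder-ciphertext").decode(),
    "signature": base64.b64encode(b"placeholder-signature").decode(),
    "header": {
        "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAtpj8+ZI9S3g"
        "Q7QHCM/dLYTjdSgKdXlDDI/ezdwmHc4HosSYFdYYE/v8t2CcFwJHmceet/GNE1VRO57W3VxeAg==",
        "transactionId": "84a7e17570c940f6a268d9121a4c090f1d2e22bab4da0f2054c7ba53035dc79a",
        "publicKeyHash": "i3F+FlIbyhjfYqMqm3M/dpeWRO9tnD+U9BJng3tkkig=",
    },
}


def _b64(value):
    """Strict base64 decode; raises ValueError (binascii.Error) on bad input."""
    return base64.b64decode(value, validate=True)


def validate_payment_token(token):
    """Return the list of structural problems in a paymentData dict (empty means
    well-formed). A shape check only; the CMS signature is verified server-side."""
    problems = []
    if token.get("version") != "EC_v1":
        problems.append("version: expected EC_v1")
    header = token.get("header") or {}
    try:
        epk = _b64(header.get("ephemeralPublicKey", ""))
        if len(epk) != 91 or not epk.startswith(P256_SPKI_PREFIX):
            problems.append("ephemeralPublicKey: not a P-256 SubjectPublicKeyInfo")
    except ValueError:
        problems.append("ephemeralPublicKey: invalid base64")
    try:
        if len(_b64(header.get("publicKeyHash", ""))) != 32:
            problems.append("publicKeyHash: not a SHA-256 digest")
    except ValueError:
        problems.append("publicKeyHash: invalid base64")
    try:
        if len(bytes.fromhex(header.get("transactionId", ""))) != 32:
            problems.append("transactionId: expected 32 bytes of hex")
    except ValueError:
        problems.append("transactionId: not hexadecimal")
    for field in ("data", "signature"):
        try:
            if not _b64(token.get(field, "")):
                problems.append(field + ": empty")
        except ValueError:
            problems.append(field + ": invalid base64")
    return problems


def spki_hash_b64(spki_der):
    """Base64 SHA-256 of a DER SubjectPublicKeyInfo (the form of publicKeyHash)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def matches_merchant_certificate(token, merchant_spki_der):
    """True if the token was encrypted for this merchant certificate. A mismatch
    means the configured .cer/.p12 pair is not the one the wallet used, so the
    Decryption API call can only fail; catch that before sending card data."""
    expected = hashlib.sha256(merchant_spki_der).digest()
    return _b64(token["header"]["publicKeyHash"]) == expected


def build_decrypt_blob_request(token, request_id, source_id, created):
    """Serialise the token into a DecryptBlobRequest shaped like the sample."""
    ET.register_namespace("", SERVICES_NS)
    ET.register_namespace("payment", TYPES_NS)

    def svc(tag):
        return "{%s}%s" % (SERVICES_NS, tag)

    def typ(tag):
        return "{%s}%s" % (TYPES_NS, tag)

    root = ET.Element(svc("DecryptBlobRequest"))
    hdr = ET.SubElement(root, svc("MessageHeader"))
    ET.SubElement(hdr, typ("RequestId")).text = request_id
    ET.SubElement(hdr, typ("CreateTimestamp")).text = created
    ET.SubElement(hdr, typ("MockPayment")).text = "false"
    ET.SubElement(hdr, typ("ClientTimeoutInMilliseconds")).text = "3000"
    ET.SubElement(root, svc("SourceId"), type="STORE").text = source_id
    ET.SubElement(root, svc("AlgorithmVersion")).text = "apd"
    enc = ET.SubElement(root, svc("EncryptionHeader"))
    h = token["header"]
    ET.SubElement(enc, typ("EphemeralPublicKey")).text = h["ephemeralPublicKey"]
    ET.SubElement(enc, typ("TransactionId")).text = h["transactionId"]
    ET.SubElement(enc, typ("PublicKeyHash")).text = h["publicKeyHash"]
    ET.SubElement(root, svc("Version")).text = token["version"]
    ET.SubElement(root, svc("Data")).text = token["data"]
    ET.SubElement(root, svc("Signature")).text = token["signature"]
    body = ET.tostring(root, encoding="utf-8")
    return b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body
```

The DER SubjectPublicKeyInfo of the merchant certificate is what `openssl x509 -in merchant.cer -inform der -pubkey -noout` prints (PEM), converted back to DER with `openssl pkey -pubin -outform der`; hashing those bytes must reproduce the token's publicKeyHash.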

Response Example

The response is a DecryptBlobReply message, which contains the decrypted payment information.

<?xml version="1.0" encoding="UTF-8"?>
  <DecryptBlobReply xmlns="http://schema.gsicommerce.com/payments/services/1.0/"
        xmlns:payment="http://schema.gsicommerce.com/payments/types/1.0/">
     <DeviceAccountNumber isToken="false">4054132100566965</DeviceAccountNumber>
     <TenderType>VC</TenderType>
     <ExpirationDate>2021-07</ExpirationDate>
     <TransactionAmount currencyCode="USD">14.99</TransactionAmount>
     <DeviceManufacturerIdentifier>040010030273</DeviceManufacturerIdentifier>
     <OnlinePaymentCryptogram>AeeR44AAA+H0IlZw+qrxMAACAAA=</OnlinePaymentCryptogram>
     <EciIndicator>5</EciIndicator>
  </DecryptBlobReply>

Credit Card Auth API

After the iOS application receives the decrypted blob reply, it uses the information to create a CreditCardAuthRequest message and makes a CreditCardAuth API call for the transaction.

Request Example

The request is a CreditCardAuthRequest message. One attribute, POSMethod, was added to CreditCardAuthRequest to support Apple Pay. POSMethod appears near the end of the sample below, directly after ShippingAddress.

<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0" requestId="1234567890ABCD">
   <PaymentContext>
      <OrderId>OrderId0</OrderId>
      <PaymentAccountUniqueId isToken="false">PaymentAccountUniqueId</PaymentAccountUniqueId>
   </PaymentContext>
   <ExpirationDate>2013-09</ExpirationDate>
   <CardSecurityCode>123</CardSecurityCode>
   <Amount currencyCode="USD">50.00</Amount>
   <BillingFirstName>John</BillingFirstName>
   <BillingLastName>Smith</BillingLastName>
   <BillingPhoneNo>6101234567</BillingPhoneNo>
   <BillingAddress>
      <Line1>123 Main St</Line1>
      <Line2>Building 123</Line2>
      <Line3>4th Floor</Line3>
      <Line4>Apt 12</Line4>
      <City>Philadelphia</City>
      <MainDivision>PA</MainDivision>
      <CountryCode>US</CountryCode>
      <PostalCode>19019</PostalCode>
   </BillingAddress>
   <CustomerEmail>customer@sample.com</CustomerEmail>
   <CustomerIPAddress>208.247.73.130</CustomerIPAddress>
   <ShipToFirstName>John</ShipToFirstName>
   <ShipToLastName>Smith</ShipToLastName>
   <ShipToPhoneNo>6101234567</ShipToPhoneNo>
   <ShippingAddress>
      <Line1>123 Main St</Line1>
      <Line2>Building 123</Line2>
      <Line3>4th Floor</Line3>
      <Line4>Apt 12</Line4>
      <City>Philadelphia</City>
      <MainDivision>PA</MainDivision>
      <CountryCode>US</CountryCode>
      <PostalCode>19019</PostalCode>
   </ShippingAddress>
   <POSMethod>ApplePay</POSMethod>
   <!-- only set below to true if you got an auth + CVV/AVS error and are looking to
         get a clean CVV/AVS before taking the order -->
   <isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
   <!-- section below is to capture Verified By Visa/Mastercard SecureCode data -->
   <SecureVerificationData>
      <AuthenticationAvailable>Y</AuthenticationAvailable>
      <AuthenticationStatus>A</AuthenticationStatus>
      <CavvUcaf>gsdsXXggggg</CavvUcaf>
      <TransactionId>AAAxxx6667dsfsdfd</TransactionId>
      <ECI>05</ECI>
      <PayerAuthenticationResponse>eJydVNtu4jAQ/RVE37oCJ+HSggZLKbQSqrpLuSy8mmSSWAsOjR2g+/
        U7DhAi1IfdnYdkfDznzLHjGOZJhjiaYZBnyOENtRYx1mQ4qIt1ELpeq13nMPGnqG/BPWZapoq7TafpAbsMSSMLE
        qEMBxF8PI2/804RwM5D2GI2HvFeNYCdQGBX9iS3mSZXRxnSTPEMhUHuOa7rdD2n5j70272+R/QCh52l+Ns0J/5j
        u2ubViGgRWaogk+adICVI8DjLlVIFbSOMgd2dbATijtF3BdhM9ImFOYrDkZuq64eratWF1iBgzbC5Jr7wM4ZBGK
        /58mvxSx6eniXs9l66Ps/li/fPvzVs08xIHO2BDCQ3HHJFL0Llr+J00yaZMtbp5orAMxaYcW34jCTsaJmGdaO24
        3Sg3pizK7P2OFwaB5azTSLmUeLYE6PUUGoZXxXP7EwHKso/SfaUKhUyUBs5G9h6BC8oUnSsFZ6+0pmPrVKLps+D
        xsk1QjctmpYxGm5HdJkX4tWVvY3XW7NZlo0dCJc2+BGiMMUI7QnAmuL6XhQvyu2UvXyaCmj9dqPwsXoJTq8TpbE
        HskYtfkfC5f2VYWL3k+xybGcu4xKX2fTpy9U2YlL4S3wip+nylXH6Y2EEVRTScvpK7H4A4s7wJ6n6t3wB1RLYIQ
        =</PayerAuthenticationResponse>
   </SecureVerificationData>
</CreditCardAuthRequest>   
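How the decrypted reply feeds the CreditCardAuthRequest, as an added example that is not Radial's own code. It parses a DecryptBlobReply shaped like the one above, builds the auth request with POSMethod set to ApplePay, and keeps only a masked form of the Device Account Number for logs, since the DAN is card data from the network's point of view and must not end up in application logs. The page gives no field-by-field mapping, so carrying DeviceAccountNumber into PaymentAccountUniqueId, the cryptogram into CavvUcaf, EciIndicator (zero-padded) into ECI, and omitting CardSecurityCode because a wallet token carries no CVV, are this example's assumptions; the reply text and billing details are constructed samples.

```python
import xml.etree.ElementTree as ET

SERVICES_NS = "http://schema.gsicommerce.com/payments/services/1.0/"
CHECKOUT_NS = "http://api.gsicommerce.com/schema/checkout/1.0"

# Constructed sample, shaped like the DecryptBlobReply above.
SAMPLE_DECRYPT_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<DecryptBlobReply xmlns="http://schema.gsicommerce.com/payments/services/1.0/">
    <DeviceAccountNumber isToken="false">4054132100566965</DeviceAccountNumber>
    <TenderType>VC</TenderType>
    <ExpirationDate>2021-07</ExpirationDate>
    <TransactionAmount currencyCode="USD">14.99</TransactionAmount>
    <DeviceManufacturerIdentifier>040010030273</DeviceManufacturerIdentifier>
    <OnlinePaymentCryptogram>AeeR44AAA+H0IlZw+qrxMAACAAA=</OnlinePaymentCryptogram>
    <EciIndicator>5</EciIndicator>
</DecryptBlobReply>"""

# Constructed sample billing details (values taken from the request sample).
SAMPLE_BILLING = {"first": "John", "last": "Smith", "line1": "123 Main St",
                  "city": "Philadelphia", "state": "PA", "country": "US",
                  "postal": "19019"}


def parse_decrypt_reply(xml_bytes):
    """Pull the fields the auth request needs out of a DecryptBlobReply.
    A missing or empty element raises instead of silently becoming None."""
    root = ET.fromstring(xml_bytes)

    def text(tag):
        el = root.find("{%s}%s" % (SERVICES_NS, tag))
        if el is None or not (el.text or "").strip():
            raise ValueError("DecryptBlobReply is missing " + tag)
        return el.text.strip()

    amount_el = root.find("{%s}TransactionAmount" % SERVICES_NS)
    return {
        "device_account_number": text("DeviceAccountNumber"),
        "tender_type": text("TenderType"),
        "expiration_date": text("ExpirationDate"),
        "amount": text("TransactionAmount"),
        "currency": amount_el.get("currencyCode"),
        "cryptogram": text("OnlinePaymentCryptogram"),
        "eci": text("EciIndicator"),
    }


def mask_account_number(dan):
    """Logging form of the Device Account Number: only the last four digits."""
    return "*" * (len(dan) - 4) + dan[-4:]


def build_auth_request(decrypted, order_id, request_id, billing):
    """Build a CreditCardAuthRequest (element order as in the sample) with
    POSMethod=ApplePay. Field mapping below is this example's assumption."""
    ET.register_namespace("", CHECKOUT_NS)

    def q(tag):
        return "{%s}%s" % (CHECKOUT_NS, tag)

    root = ET.Element(q("CreditCardAuthRequest"), requestId=request_id)
    ctx = ET.SubElement(root, q("PaymentContext"))
    ET.SubElement(ctx, q("OrderId")).text = order_id
    # isToken="false": this is the raw DAN, not yet a Radial token. The token
    # comes back in the reply and is what gets passed on to the Order Service.
    ET.SubElement(ctx, q("PaymentAccountUniqueId"),
                  isToken="false").text = decrypted["device_account_number"]
    ET.SubElement(root, q("ExpirationDate")).text = decrypted["expiration_date"]
    # No CardSecurityCode: a wallet token carries no CVV; the cryptogram stands in.
    ET.SubElement(root, q("Amount"),
                  currencyCode=decrypted["currency"]).text = decrypted["amount"]
    ET.SubElement(root, q("BillingFirstName")).text = billing["first"]
    ET.SubElement(root, q("BillingLastName")).text = billing["last"]
    addr = ET.SubElement(root, q("BillingAddress"))
    for tag, key in (("Line1", "line1"), ("City", "city"), ("MainDivision", "state"),
                     ("CountryCode", "country"), ("PostalCode", "postal")):
        ET.SubElement(addr, q(tag)).text = billing[key]
    ET.SubElement(root, q("POSMethod")).text = "ApplePay"
    sv = ET.SubElement(root, q("SecureVerificationData"))
    ET.SubElement(sv, q("CavvUcaf")).text = decrypted["cryptogram"]
    ET.SubElement(sv, q("ECI")).text = decrypted["eci"].zfill(2)  # "5" -> "05"
    return b'<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="utf-8")
```

Log `mask_account_number(decrypted["device_account_number"])` rather than the DAN itself, and treat the decrypted dict with the same care as the raw card data it represents: it should exist only for the lifetime of the auth call.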

Reply Example

The response is a CreditCardAuthReply message.

<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthReply xmlns="http://api.gsicommerce.com/schema/checkout/1.0">
   <PaymentContext>
      <OrderId>12345</OrderId>
      <!-- You will receive a token in the response, which is a scrambled version of the Credit Card number.
           This token gets passed to the Order Service, not the original credit card number -->
      <PaymentAccountUniqueId isToken="true">411111adgh2y1111</PaymentAccountUniqueId>
   </PaymentContext>
   <AuthorizationResponseCode>APPROVED</AuthorizationResponseCode>
   <BankAuthorizationCode>ABC123</BankAuthorizationCode>
   <CVV2ResponseCode>M</CVV2ResponseCode>
   <AVSResponseCode>Y</AVSResponseCode>
   <PhoneResponseCode></PhoneResponseCode> <!-- AmEX only -->
   <NameResponseCode></NameResponseCode>  <!-- AmEX only -->
   <EmailResponseCode></EmailResponseCode>  <!-- AmEX only -->
   <AmountAuthorized currencyCode="USD">50.00</AmountAuthorized>
</CreditCardAuthReply>

Configuration Setup

To set up Apple Pay as the payment method for an iOS application, you must complete the following procedures:

  1. Create a certificate signing request (CSR) from your Mac system.
  2. Log in to Apple's portal. Upload the CSR, generate a certificate, and download the certificate (cer) file.
  3. Export the private key generated on the Mac system to a .p12 file and note down the password used for protection.

The .cer file and the private key (p12 file) are needed to decrypt the encrypted Apple Pay token that the iOS application receives from the device.

When the user clicks to authorize the payment, the following sequence is initiated:

  1. The iOS application makes a Decrypt Request API call to decrypt the encrypted blob that the Apple server sends.
  2. Payment Service decrypts the encrypted blob using the .cer file, the private key and the ephemeral public key, and sends the decrypted data back to the iOS application.
  3. The iOS application uses the decrypted payment data to create a CreditCardAuthRequest.
  4. The iOS application calls Payment Service for CreditCardAuth.
  5. Payment Service processes the request as a regular Card Not Present transaction and returns a response.
  6. The iOS application receives the success/failure response and prompts the user accordingly.


Copyright © 2017 Radial. All rights reserved.