Apple Cash security
On devices with iOS 11.2, iPadOS 13.1, watchOS 4.2, visionOS 1.0, or later, Apple Cash can be used on an iPhone, iPad, or Apple Watch to send, receive, and request money from other users. When a user receives money, it’s added to an Apple Cash account that can be accessed in Apple Wallet or within Settings > Wallet & Apple Pay across any of the eligible devices the user has signed in with their Apple Account.
Note: Apple Cash is currently available only to users in the United States.
On devices with iOS 14, iPadOS 14, watchOS 7, visionOS 1.0, or later, the organizer of an iCloud family who has verified their identity with Apple Cash can enable Apple Cash for their family members under the age of 18. Optionally, the organizer can restrict the money sending capabilities of these users to family members only or contacts only. If the family member under the age of 18 goes through an Apple Account recovery, the organizer of the family must manually reenable the Apple Cash card for that user. If the family member under the age of 18 is no longer part of the iCloud family, their Apple Cash balance is automatically transferred to the organizer’s account.
When the user sets up Apple Cash, the same information as when the user adds a credit or debit card may be shared with Apple’s partner bank in the United States, Green Dot Bank, and with Apple Payments Inc., a wholly owned subsidiary created to protect the user’s privacy by storing and processing information separately from the rest of Apple, and in a way that the rest of Apple doesn’t know. This information is used only for troubleshooting, fraud prevention, and regulatory purposes.
Using Apple Cash in iMessage
To use person-to-person payments and Apple Cash, a user must be signed in to their iCloud account on an Apple Cash–compatible device and have two-factor authentication set up on the iCloud account. Money requests and transfers between users are initiated from within the Messages app or by asking Siri. When a user attempts to send money, iMessage displays the Apple Pay sheet. The Apple Cash balance is always used first. If necessary, additional funds are drawn from a second credit or debit card the user has added to Apple Wallet.
Using Tap to Cash
When using Tap to Cash, a user must be signed in to their iCloud account on iPhone or Apple Watch and have two-factor authentication set up on the account. To send money, customers must enter the amount to send, hold their device near another device, and authenticate using the following methods:
Biometric authentication
Device passcode
Double-clicking the side button of an unlocked Apple Watch
After authentication, devices must be held together for several seconds to establish a connection that results in the money being sent.
Using Apple Cash in stores, apps, and on the web
The Apple Cash card in Apple Wallet can be used with Apple Pay to make payments in stores, in apps, and on the web. Money in the Apple Cash account can also be transferred to a bank account. In addition to money being received from another user, money can be added to the Apple Cash account from a debit or prepaid card in Apple Wallet.
Apple Payments Inc. stores, and may use, the user’s transaction data for troubleshooting, fraud prevention, and regulatory purposes once a transaction is completed. The rest of Apple doesn’t know who the user sent money to, received money from, or where the user made a purchase with their Apple Cash card.
When the user sends money with Apple Pay, adds money to an Apple Cash account, or transfers money to a bank account, a call is made to the Apple Pay servers to obtain a cryptographic anti-replay value, which is similar to the value returned for Apple Pay within apps. The anti-replay value, along with other transaction data, is passed to the Secure Element to compute a payment signature. The signature is returned to the Apple Pay servers. The authentication, integrity, and correctness of the transaction is verified through the payment signature and the anti-replay value by Apple Pay servers. Money transfer is then initiated, and the user is notified of a completed transaction.
If the transaction involves:
A debit card for adding money to Apple Cash
Providing supplemental money if the Apple Cash balance is insufficient
An encrypted payment credential is also produced and sent to Apple Pay servers, similar to how Apple Pay works within apps and websites.
After the balance of the Apple Cash account exceeds a certain amount or if unusual activity is detected, the user is prompted to verify their identity. Information provided to verify the user’s identity—such as social security number or answers to questions (for example, to confirm a street name the user lived on previously)—is securely transmitted to the Apple partner and encrypted using their key. Apple can’t decrypt this data. The user is prompted to verify their identity again if they perform an Apple Account recovery, before regaining access to their Apple Cash balance.