Apple Platform Security
- Welcome
- Intro to Apple platform security
-
- Encryption and Data Protection overview
- Passcodes and passwords
-
- Data Protection overview
- Data Protection
- Data Protection classes
- Keybags for Data Protection
- Protecting keys in alternate boot modes
- Protecting user data in the face of attack
- Sealed Key Protection (SKP)
- Activating data connections securely in iOS and iPadOS
- Role of Apple File System
- Keychain data protection
- Digital signing and encryption
-
- Services security overview
-
- Apple Pay security overview
- Apple Pay component security
- How Apple Pay keeps users’ purchases protected
- Payment authorization with Apple Pay
- Paying with cards using Apple Pay
- Contactless passes in Apple Pay
- Rendering cards unusable with Apple Pay
- Apple Card security
- Apple Cash security
- Tap to Pay on iPhone
- Secure Apple Messages for Business
- FaceTime security
- Glossary
- Document revision history
- Copyright
Contactless passes in Apple Pay
To transmit data from supported passes to compatible NFC terminals, Apple uses the Apple Value Added Services (Apple VAS) protocol. The VAS protocol can be implemented on contactless terminals or in iPhone apps and uses NFC to communicate with supported Apple devices. The VAS protocol works over a short distance and can be used to present contactless passes independently or as part of an Apple Pay transaction.
When the device is held near the NFC terminal, the terminal initiates receiving the pass information by sending a request for a pass. If the user has a pass with the pass provider’s identifier, the user is asked to authorize its use using Face ID, Touch ID, or a passcode. The pass information, a timestamp, and a single-use random ECDH P-256 key are used with the pass provider’s public key to derive an encryption key for the pass data, which is sent to the terminal.
From iOS 12.0.1 to and including iOS 13, users may manually select a pass before presenting it to the merchant’s NFC terminal. In iOS 13.1 or later, pass providers can configure manually selected passes to either require user authentication or be used without authentication.