Apple Platform Security

Contactless passes in Apple Pay
To transmit data from supported passes to compatible NFC terminals, Apple uses the Apple Wallet Value Added Services protocol (Apple VAS). The VAS protocol can be implemented on contactless terminals and uses NFC to communicate with supported Apple devices. The VAS protocol works over a short distance and can be used to present contactless passes independently or as part of an Apple Pay transaction.
When the device is held near the NFC terminal, the terminal initiates receiving the pass information by sending a request for a pass. If the user has a pass with the pass provider’s identifier, the user is asked to authorize its use using Touch ID, Face ID, or a passcode. The pass information, a timestamp, and a single-use random ECDH P-256 key are used with the pass provider’s public key to derive an encryption key for the pass data, which is sent to the terminal.
In iOS 12 to iOS 13, users may manually select a pass before presenting it to the merchant’s NFC terminal. In iOS 13.1 or later, pass providers can configure manually selected passes to either require user authentication or to be used without authentication.
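The encryption step described above (a single-use P-256 key combined with the pass provider's public key) can be sketched as follows. This is an added example, not Apple's code and not the Apple VAS wire format: HKDF-SHA256, AES-256-GCM, the way the timestamp is bound into the derivation, and all function names are assumptions.

```javascript
// Added illustration: NOT the Apple VAS wire format. HKDF-SHA256, AES-256-GCM,
// the "pass-demo" label and all function names are assumptions for this sketch.
const nodeCrypto = require('node:crypto');

// Pass provider key pair: the public key is known to devices,
// the private key stays with the provider's terminals.
function newProviderKey() {
  const ecdh = nodeCrypto.createECDH('prime256v1');
  ecdh.generateKeys();
  return ecdh;
}

// Both sides derive the same AES key from the ECDH shared secret. The
// timestamp and the ephemeral public key are bound into the derivation.
function deriveKey(sharedSecret, ephemeralPub, timestamp) {
  const info = Buffer.concat([Buffer.from('pass-demo'), ephemeralPub, Buffer.from(String(timestamp))]);
  return Buffer.from(nodeCrypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), info, 32));
}

// Device side: a fresh single-use P-256 key for every presentation.
function devicePresentPass(providerPub, passData, timestamp) {
  const eph = nodeCrypto.createECDH('prime256v1');
  const ephemeralPub = eph.generateKeys();
  const key = deriveKey(eph.computeSecret(providerPub), ephemeralPub, timestamp);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(passData), cipher.final()]);
  return { ephemeralPub, timestamp, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Terminal side: returns the pass data, or null if the message was altered
// or was encrypted to a different provider's key.
function terminalReadPass(providerKey, msg) {
  try {
    const shared = providerKey.computeSecret(msg.ephemeralPub);
    const key = deriveKey(shared, msg.ephemeralPub, msg.timestamp);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
    decipher.setAuthTag(msg.tag);
    return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
  } catch (err) {
    return null; // authentication failed or invalid public key
  }
}

// Constructed sample run (payload and timestamp are made up).
const demoProvider = newProviderKey();
const demoMsg = devicePresentPass(demoProvider.getPublicKey(), Buffer.from('constructed-pass-payload'), 1700000000);
console.log(terminalReadPass(demoProvider, demoMsg).toString());
```

Because the device key is generated per presentation, two presentations of the same pass produce unrelated ciphertexts, and only a holder of the provider's private key can recover the pass data.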