Apple Card security
Apple Card application in the Wallet app
In iOS 12.4 or later, macOS 10.14.6 or later, and watchOS 5.3 or later, Apple Card can be used with Apple Pay to make payments in stores, in apps, and on the web.
To apply for Apple Card, the user must be signed into their iCloud account on an Apple Pay–compatible iOS or iPadOS device and have two-factor authentication set up on the iCloud account. When the application is approved, Apple Card is available in the Wallet app or within Settings > Wallet & Apple Pay across any of the eligible devices the user has signed in with their Apple ID.
When a user applies for Apple Card, user identity information is securely verified by Apple’s identity provider partners and then shared with Goldman Sachs Bank USA for the purposes of identity and credit evaluation.
Information such as the social security number or ID document image provided during the application is securely transmitted to Apple’s identity provider partners and/or Goldman Sachs Bank USA encrypted with their respective keys. Apple can’t decrypt this data.
The income information provided during the application, and the bank account information used for bill payments, are securely transmitted to Goldman Sachs Bank USA encrypted with their key. The bank account information is saved in the keychain. Apple can’t decrypt this data.
When adding Apple Card to the Wallet app, the same information as when a user adds a credit or debit card may be shared with the Apple partner bank Goldman Sachs Bank USA and with Apple Payments Inc. This information is used only for troubleshooting, fraud prevention, and regulatory purposes.
A physical card can be ordered from Apple Card in the Wallet app. After the user receives the physical card, it’s activated using the NFC tag present in the bifold envelope of the physical card. The tag is unique per card and can’t be used to activate another user’s card. Alternatively, the card can be manually activated in the Wallet settings. Additionally, the user can also choose to lock or unlock the physical card at any time from the Wallet app.
Apple Card payments and Apple Wallet pass details
Payments due on the Apple Card account can be made from the Wallet app in iOS with Apple Cash and a bank account. Bill payments can be scheduled as recurring or as a one-time payment at a specific date with Apple Cash and a bank account. When a user makes a payment, a call is made to the Apple Pay servers to obtain a cryptographic nonce similar to Apple Cash. The nonce, along with the payment setup details, is passed to the Secure Element to generate a signature. When the payment signature comes out of the Secure Element, it’s passed to the Apple Pay servers. The authentication, integrity, and correctness of the payment are verified through the signature and the nonce by Apple Pay servers, and the order is passed on to Goldman Sachs Bank USA for processing.
Displaying the Apple Card number details in the pass using the Wallet app requires user authentication with Face ID, Touch ID, or a passcode. It can be replaced by the user in the card information section and disables the previous one.