Adding credit or debit cards to Apple Pay
Credit cards can be manually added to Apple Pay in Apple devices.
Adding credit or debit cards manually
To add a card manually, the name, card number, expiration date, and CVV are used to facilitate the provisioning process. From within Settings, Apple Wallet, or the Apple Watch app, users can enter that information either by typing or by using the device’s camera. When the camera captures the card information, Apple attempts to populate the name, card number, and expiration date. The photo is never saved to the device or stored in the photo library. After all the fields are filled in, the Check Card process verifies the fields other than the CVV. They are then encrypted and sent to the Apple Pay server.
If a terms and conditions ID is returned with the Check Card process, Apple downloads and displays the terms and conditions of the card issuer to the user. If the user accepts the terms and conditions, Apple sends the ID of the terms that were accepted as well as the CVV to the Link and Provision process. Additionally, as part of the Link and Provision process, Apple shares information from the device with the card issuer or network. This includes information about (a) the user’s iTunes and App Store account activity (for example, whether the user has a long history of transactions within iTunes), (b) the user’s device (for example, the phone number, name, and model of the user’s device plus any companion Apple device necessary to set up Apple Pay), and (c) the user’s approximate location at the time the user adds their card (if the user has Location Services enabled). Using this information, the card issuer determines whether to approve adding the card to Apple Pay.
As the result of the Link and Provision process, two things occur:
The device begins to download the Apple Wallet pass file representing the credit or debit card.
The device begins to bind the card to the Secure Element.
The pass file contains URLs to download card art, metadata about the card such as contact information, the related issuer’s app, and supported features. It also contains the pass state, which includes information such as whether the personalizing of the Secure Element has completed, whether the card is currently suspended by the card issuer, or whether additional verification is required before the card can make payments with Apple Pay.
Adding credit or debit cards from an iTunes Store account
For a credit or debit card on file with iTunes, the user may be required to reenter their Apple ID password. The card number is retrieved from iTunes, and the Check Card process is initiated. If the card is eligible for Apple Pay, the device downloads and displays terms and conditions, then send along the term’s ID and the card security code to the Link and Provision process. Additional verification may occur for iTunes account cards on file.
Adding credit or debit cards from a card issuer’s app
When an app is registered for use with Apple Pay, keys are established for the app and for the card issuer’s server. These keys are used to encrypt the card information that’s sent to the card issuer. This is designed to prevent the information from being read by the Apple device. The provisioning flow is similar to that used for manually added cards, described previously, except one-time passwords are used in lieu of the CVV.
Adding credit or debit cards from a card issuer’s website
Some card issuers provide the ability to initiate the card provisioning process for Apple Wallet directly from their websites. In this case, the user initiates the task by selecting a card to provision on the card issuer’s website. The user is then directed to a self-contained Apple sign-in experience (contained within Apple’s domain) and is asked to sign in with their Apple ID. Upon successfully signing in, the user then chooses one or more devices to provision the card to and is required to confirm the provisioning result on each respective target device.
Adding additional verification
A card issuer can decide whether a credit or debit card requires additional verification. Depending on what’s offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification. For text messages or email, the user selects from contact information the issuer has on file. A code is sent, which must be entered into Apple Wallet, Settings, or the Apple Watch app. For customer service or verification using an app, the issuer performs their own communication process.