Tap to Pay on iPhone security
Tap to Pay on iPhone, available in iOS 15.4, allows US merchants to accept Apple Pay and other contactless payments by using iPhone and a partner-enabled iOS app. With this service, users with supported iPhone devices can securely accept contactless payments and Apple Pay NFC-enabled passes. With Tap to Pay on iPhone, merchants don’t need additional hardware to accept contactless payments.
Tap to Pay on iPhone is designed to protect the payer’s personal information. This service doesn’t collect transaction information that can be tied back to the payer. Payment card information such as the credit or debit card number (PAN) is secured by the Secure Element and isn’t available to the merchant. The payment card information stays between the merchant’s Payment Service Provider, the payer and the card issuer. In addition, the Tap to Pay service doesn’t collect payers’ names, addresses or phone numbers.
Tap to Pay on iPhone has been assessed externally by an accredited security laboratory and approved by American Express, Discover, Mastercard and Visa.
Contactless payment component security
Secure Element: The Secure Element hosts the payment kernels, which read and secure the contactless payment card data.
NFC Controller: The NFC controller handles Near Field Communication protocols and routes communication between the Application Processor and the Secure Element, and between the Secure Element and the contactless payment card.
Tap to Pay on iPhone servers: The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC), and are PCI DSS compliant.
How Tap to Pay reads credit, debit and pre-paid cards
Provisioning security overview
Upon first use of Tap to Pay on iPhone using a sufficiently entitled app, the Tap to Pay on iPhone server determines whether the device meets the eligibility criteria, such as device model, iOS version and whether a passcode has been set. After this verification is complete, the payment acceptance applet is downloaded from the Tap to Pay on iPhone server and installed on the Secure Element, along with the associated payment kernel configuration. This operation is performed securely between the Tap to Pay on iPhone servers and the Secure Element. The Secure Element validates the integrity and authenticity of this data prior to installation.
Card read security overview
When a Tap to Pay on iPhone app requests a card read from the ProximityReader framework, a sheet controlled by iOS is displayed and prompts the user to tap a payment card. iOS initialises the Payment Card Reader and then requests the payment kernels in the Secure Element to initiate a card read.
At this point, the Secure Element assumes control of the NFC controller in Reader Mode. This mode allows only card data to be exchanged between the payment card and the Secure Element through the NFC controller. Payment cards can be read only while in this mode.
After the payment acceptance applet on the Secure Element has completed the card read, it encrypts and signs the card data. The card data remains encrypted and authenticated until it reaches the Payment Service Provider. Only the Payment Service Provider used by the app to request the card read can decrypt the card data. The Payment Service Provider must request the card data decryption key from the Tap to Pay on iPhone server. The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.
This model helps ensure that the card data can’t be decrypted by anyone other than the Payment Service Provider, which processes this transaction for the merchant.
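The key-release gate described above can be modelled in a few lines. This is an added illustration, not Apple's implementation or code from this page: HMAC-SHA256 with a shared key stands in for the applet's signature, the field names and function names are hypothetical, and the 60-second rule is assumed to be measured from the authenticated read time to the moment the key request arrives.

```python
import hashlib
import hmac
import json

MAX_AGE_SECONDS = 60  # freshness window stated on the page

def _mac(device_key: bytes, fields: dict) -> str:
    # HMAC-SHA256 over a canonical encoding; stand-in for the applet's signature.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()

def seal_card_read(device_key: bytes, psp_id: str, read_time: int, ciphertext: bytes) -> dict:
    """Device side: bind the encrypted card data to one PSP and one read time."""
    fields = {"psp_id": psp_id, "read_time": read_time, "ciphertext": ciphertext.hex()}
    return {**fields, "tag": _mac(device_key, fields)}

def release_decision(blob: dict, requester_psp_id: str, now: int, device_key: bytes) -> str:
    """Server side: decide whether the requesting PSP may receive the decryption key."""
    try:
        fields = {k: blob[k] for k in ("psp_id", "read_time", "ciphertext")}
        tag = str(blob["tag"]).encode()
    except KeyError:
        return "deny: malformed"
    # 1. Integrity and authenticity first: nothing in the blob is trusted before this.
    if not hmac.compare_digest(_mac(device_key, fields).encode(), tag):
        return "deny: authenticity"
    # 2. Only the PSP the read was made for may decrypt it.
    if fields["psp_id"] != requester_psp_id:
        return "deny: wrong PSP"
    # 3. Freshness: reject stale reads and timestamps from the future.
    age = now - fields["read_time"]
    if not 0 <= age <= MAX_AGE_SECONDS:
        return "deny: stale"
    return "release"

def demo() -> dict:
    key = b"constructed-device-key"  # constructed sample values throughout
    blob = seal_card_read(key, "psp-a", 1_000, b"\x01\x02\x03")
    tampered = {**blob, "read_time": 1_500}  # timestamp altered after sealing
    return {
        "fresh": release_decision(blob, "psp-a", 1_030, key),
        "stale": release_decision(blob, "psp-a", 1_061, key),
        "other_psp": release_decision(blob, "psp-b", 1_030, key),
        "tampered": release_decision(tampered, "psp-a", 1_510, key),
    }

if __name__ == "__main__":
    print(demo())
```

Because the read time and PSP identifier are covered by the authentication tag, changing either one to get past the later checks fails at the first check instead.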