
OEM tokenization: How Apple Pay tokenization works


Consumers are increasingly moving away from traditional card payments towards digital options such as mobile wallets. While mobile wallets have been in existence for a few years now, the security and convenience of this payment method are now extending beyond in-store payments into ecommerce and the Internet of Things (IoT).  
Underpinning the seamless user experience offered by mobile wallets is a process known as tokenization. Payment tokenization is a security technology standardized by EMVCo, based on a set of technical requirements that enable sensitive card information to be replaced with a unique digital identifier called a token. 

These tokens are only valid in a set context, unique to the device they reside in. No card details are exposed, and the tokens are useless outside of the specific circumstances in which they were intended to be used.  

So how does payment tokenization work? In this blog, we will focus specifically on the workings of Apple Pay, but you can also find out more about how Google Wallet, Samsung Pay and other mobile wallet tokenization processes work elsewhere on the MeaWallet blog.  

 

How Apple Pay tokenization works 

Having launched Apple Pay in 2014, Apple is now building out its embedded finance offering with its own cards, credit, savings and small business offerings. While it's mostly been doing this through partnerships, more recently it has been developing its own in-house infrastructure to reduce reliance on third parties.  

In a relatively short space of time, Apple has made itself a key player in the payment ecosystem. Let's take a closer look at how Apple Pay tokenization works and how it enables consumers to make secure, seamless payments.  

 

Adding a card to the Apple Wallet

  • When the user adds a credit card or debit card to their Apple Wallet, either through the increasingly popular method of 'push provisioning' (i.e., pushing the card from their banking application) or through manual entry, the card details, including the Primary Account Number (PAN), are sent to the Apple Pay server.
  • Apple Pay then uses these details to identify the correct issuing bank. Once the issuing bank receives PAN details from Apple Pay, it requests a Payment Token from a Token Services Provider (TSP), i.e., the payment network associated with the card: Mastercard Digital Enablement Service, Visa Token Service, or the American Express Token Service.
  • The TSP stores the Payment Token and the PAN in its Token Vault, and the Payment Token is then sent to the issuing bank. At all times, the PAN is only known by the trusted parties in the payment chain. It isn't ever shared with merchants or Payment Services Providers (PSPs), nor is it stored on the user's device or the Apple Pay server. 
  • The issuing bank can then assign a Card Verification Value (CVV) number, sending both this and the Payment Token back to Apple Pay and the user's Apple Wallet.
  • The Payment Token is then securely stored as a Device Primary Account Number (DPAN) on the user's device. iPhones and Apple Watch devices have a Secure Element (SE) built into their Near Field Communication (NFC) chip. This SE is the only place where the DPAN is stored, and it can only be accessed by the customer's biometrics or passcode. 

 

Making payments with Apple Pay 

  • Merchants that want to support Apple Pay payments do so simply by supporting contactless payments in-store. For ecommerce, merchants must register to support Apple Pay.
  • When a customer wishes to make a payment, they first must authenticate themselves using biometrics or their passcode.
  • The DPAN is sent to the merchant's Point of Sale (PoS) device, and the transaction information is sent to the payment processor with an encrypted payment cryptogram.
  • The "payment token" is the DPAN. The encrypted part is the cryptogram, and this is decrypted at MDES/VTS. The DPAN/token is used for BIN routing (via the processor to the relevant payment network).
  • The acquiring bank sends this information on to the card network, which validates the cryptogram before de-tokenizing the DPAN (i.e., matching it up with the PAN stored in its Payment Vault) and sending the PAN, CVV and transaction data to the issuing bank.
  • The issuing bank then validates and approves the transaction. 
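
The flow above, from provisioning to de-tokenization, as an added example that is not MeaWallet's, Apple's or any card network's code. It assumes a toy in-memory vault, an HMAC as a stand-in for the real payment cryptogram, and a per-token transaction counter for replay detection that the text above does not describe; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy Token Service Provider: maps each DPAN to its PAN and per-device key."""

    def __init__(self):
        self._tokens = {}  # dpan -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        """Issue a DPAN for one device; return (dpan, key) for its Secure Element."""
        # Constructed token format: 16 random digits, unrelated to the PAN.
        dpan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._tokens[dpan] = {"pan": pan, "key": key, "last_counter": 0}
        return dpan, key

    def detokenize(self, dpan, amount, merchant, counter, cryptogram):
        """Validate the cryptogram, then return the PAN; None means decline."""
        entry = self._tokens.get(dpan)
        if entry is None:
            return None  # unknown token
        expected = make_cryptogram(entry["key"], dpan, amount, merchant, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # DPAN presented without the device key, or data altered
        if counter <= entry["last_counter"]:
            return None  # replayed cryptogram (counter check is an assumption)
        entry["last_counter"] = counter
        return entry["pan"]


def make_cryptogram(key, dpan, amount, merchant, counter):
    """Device side: bind the token to one transaction (HMAC is a stand-in)."""
    message = f"{dpan}|{amount}|{merchant}|{counter}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # well-known test card number, not a real account
    dpan, key = vault.provision(pan)
    good = make_cryptogram(key, dpan, 1250, "MERCHANT-A", 1)
    return {
        "approved": vault.detokenize(dpan, 1250, "MERCHANT-A", 1, good) == pan,
        "replayed": vault.detokenize(dpan, 1250, "MERCHANT-A", 1, good),
        "altered": vault.detokenize(dpan, 9999, "MERCHANT-A", 2, good),
        "stolen_dpan": vault.detokenize(dpan, 1250, "MERCHANT-A", 2, "0" * 64),
    }
```

Only the first request in demo() reaches the PAN; a DPAN captured at the merchant is declined because the key needed to produce a fresh cryptogram never leaves the device.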

 

DPANs and MPANs

While DPANs ensure the transactions are secure, they have some shortcomings. As the DPAN is unique to the device, every device that a user wishes to use for payments requires a separate DPAN, even though they are all associated with the same card. If the device is lost or upgraded, a new DPAN will be required. 

And if the user loses that card, has it stolen, changes bank account or gets a new card after their old one expires, further challenges arise. Merchants that have the DPAN stored on file for a recurring payment such as a subscription, say, could experience failed transactions.  

To meet these challenges, Apple has recently introduced the MPAN or Merchant Primary Account Number. Effectively, this involves assigning a unique DPAN to each merchant. Apple plays the role of Token Service Provider, and issues these MPANs to the merchants. These tokens are restricted to that specific merchant and remain valid when a physical card expires, reducing the chances of disruption. 

For Payment Service Providers, Fintechs and other Financial Institutions that want to digitize cards and enable payments with Apple Wallet or any other OEM wallet, MeaWallet offers a secure, compliant, certified and easy-to-implement solution through a single connection.  

To learn more about Apple Pay tokenization and Token Management, get in touch with us!

 

FAQ: How Apple Pay Tokenization Works

 

Q: What is payment tokenization?
A: Payment tokenization is a security technology that replaces sensitive card information with a unique digital identifier called a token. This token is only valid within a set context, making it secure for transactions.

Q: How does Apple Pay tokenization work when adding a card to the Apple Wallet?
A: When a user adds a card, the card details are sent to Apple Pay, which identifies the issuing bank and requests a Payment Token from a Token Service Provider. The token is stored securely and used for transactions, while the actual card details are never exposed.

Q: How does Apple Pay ensure secure payments?
A: During a transaction, the Device Primary Account Number (DPAN) is sent to the merchant's Point of Sale (PoS) device, and transaction information is sent to the payment processor with an encrypted cryptogram. The DPAN is validated and decrypted by the payment network before the issuing bank approves the transaction.

Q: What are DPANs and MPANs?
A: DPANs are unique tokens assigned to each device for security, but they can be inconvenient if the device is lost or upgraded. MPANs, or Merchant Primary Account Numbers, are unique tokens assigned to each merchant, reducing disruption when a physical card is replaced.

Q: How does this change impact merchants?
A: Merchants must support contactless payments for Apple Pay in-store and register to support it for ecommerce. They need to manage DPANs for recurring payments but benefit from the added security.

Q: How does MeaWallet support Apple Pay tokenization?
A: MeaWallet offers a secure, compliant, certified, and easy-to-implement solution for digitizing cards and enabling payments with Apple Wallet and other OEM wallets through a single connection.

Q: How does the transition to Apple Pay affect existing cards and data?
A: The card details and tokens are securely managed and stored by the Token Service Provider and issuing bank, ensuring that the transition to Apple Pay does not expose sensitive information.

Q: What specific steps should users take to add their card to Apple Wallet?
A: Users can add their card by using the push provisioning method through their banking app or by manually entering card details into the Apple Wallet app. The details are securely processed and tokenized.

Q: How does Apple Pay handle lost or stolen devices?
A: If a device is lost or stolen, users can remove the DPAN from the Apple Wallet remotely. A new DPAN must be issued for a new or replacement device to continue making payments securely.