When Apple announced Apple Pay as a service on September 9th, they mentioned a few key terms like secure element, tokens, one time unique number, device account number and dynamic security code. For the layman, this could mean that Apple has used the most advanced security technology in Apple Pay; but for the folks in the field of mobile payments and security, it was not very clear what Apple was trying to say.
To keep this simple, I am going to discuss Apple Pay in the context of a payment made at a physical point of sale (POS). This is just an attempt to understand the underlying implementation while the reality may be different.
Let’s start with the Secure Element (SE). Apple Pay stores your payment credentials inside the SE. It does not store them in the cloud and it does not store them within the host operating system. This means that none of the iOS apps will have access to the payment information stored within the SE.
What exactly is stored in the SE?
When, you as a customer add a credit card to your Passbook (Mobile Wallet), the simplest thing for the wallet to do would be to store the real payment credentials like the Primary Account Number (PAN) into the SE. But that is a naive implementation and Apple does not do that. Apple Pay, on the other hand, stores something called a token and associated data inside the Secure Element.
What is Token?
Token is a fake credit card number that looks and feels like a real credit card number for most purposes, but it is not the real deal. During transaction authorization the token is de-tokenized into the real PAN before being passed on to the issuer for authorization. The entity that places a request to de-tokenize differs depending on the tokenization standard used. In proprietary tokenization technologies, an acquirer is responsible for tokenization and de-tokenization. But, Apple Pay uses the latest in tokenization standard created by EMVCo. In this case, the payment network performs de-tokenization.
How is a token provisioned to the SE?
Now that we know that a Token is stored in the SE, the next step is to find out how it gets provisioned there in the first place. There are many ways in which this could have been implemented and we will not know for sure until Apple announces its implementation. But, here is an educated guess that I would go with.
When a customer adds a credit card to their wallet, the PAN details are submitted to Apple Pay servers. Apple Pay sends the information over to the corresponding Issuer bank asking for a Token in return. The Issuer bank calls a Token Service Provider (TSP) and requests for a token. As far as I know, the payment network themselves play the role of TSP at present.
The TSP vaults the PAN, maps it to a token and returns the token and a token-key. This token-key will later be used to generate a dynamic cryptogram at the SE. The Issuer receives a token and token-key, and adds a cvv-key to the mix. The cvv-key will be later used to generate a dynamic security code at the SE. The Issuer returns the token, token-key and cvv-key back to Apple Pay. Apple Pay, acting as its own Trusted Service Manager (TSM) provisions the token, token-key, cvv-key and maybe other data into the Secure Element. It is this Token that Apple could be referring as “Device Account Number” in its press release.
What happens when a payment transaction is initiated?
When a customer taps or waves their iPhone in front of a point of sale terminal, a payment transaction is initiated. Apple Pay uses EMVCo’s Contactless suite of specifications to communicate with the contactless reader terminal. When it is time for the Secure Element to send information to the terminal, it does two things. First, it generates a dynamic cryptogram using a combination of the token, token-key, transaction amount, transaction counter etc. Second, it generates a dynamic CVV value using the CVV-key. Finally, it passes the token, the dynamic cryptogram, the dynamic CVV and other payment and chip data elements to the terminal using the EMV specification.
Let’s stop for a moment here and review what just happened and compare that to Apple’s press release as quoted below.
“Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.”- From the press release.
From the quote above, the “Device Account Number” represents the Token, the “One-time Unique Number” represents the dynamic cryptogram and the “Dynamic Security Code” represents the dynamic CVV.
What happens during a payment transaction?
The contactless terminal receives the Token, dynamic cryptogram, dynamic CVV and other data elements according to the contactless EMV specification (or contactless MSD for backwards compatibility) and sends them over to the Acquirer. The Acquirer doesn’t know or care if the incoming PAN is a token PAN or the real PAN. They just identify the payment network based on the BIN and send it over the corresponding payment network.
The payment network identifies that it is a tokenized PAN and not a real PAN based on BIN tables. Consequently, they send a request out to the TSP to de-tokenize passing in the Token and the dynamic cryptogram. The TSP, among other things, validates the cryptogram using the token-key that it shared earlier during the provisioning process. If the cryptogram is valid, the TSP de-tokenizes and returns the real PAN back to the payment network. The payment network attaches the real PAN to the authorization request and sends it over to the Issuer for authorization.
The Issuer validates the dynamic CVV based on the CVV-key it shared earlier during the provisioning process. Then it authorizes the transaction depending on the customer’s account status. The authorization status flows back from the Issuer to the Payment network, back to the Acquirer and back to the Merchant where your receipt gets printed.
In conclusion, we saw how Apple Pay does provisioning and how a payment transaction is processed. For some of us this is good enough information to understand the security strategy used by Apple Pay. But others may have more questions. What happens when the Card is lost? What happens when the phone is lost? What happens when the merchant is compromised? How does Apple Pay handle these challenges? These are all very good questions, but this post has already become too big. I will address those follow-up questions in my next post. Stay tuned!