How Apple Pay works under the hood?

What happens behind the scenes when you add your credit card to Apple Pay, and when you pay using Apple Pay through your iPhone device.

Prashant Ram
codeburst


In this post we will understand step-by-step what happens behind the scenes when you add your credit card to Apple Pay, and when you pay using Apple Pay through your iPhone device.

We will describe the following,

  • The behind the scenes processing, when a payment card is added to Apple Pay.
  • The behind the scenes processing, when you Pay using Apple Pay with your iPhone.

Along the way we will also answer,

  • How do Visa, Mastercard, Amex, Discover make money?
  • How does Apple Pay make money?

When a Payment Card is added to Apple Pay

When you add a new payment card (i.e. a credit or a debit card) to Apple Pay, here are the steps that happen behind the scenes.

  1. The payment card’s PAN (Primary Account Number), along with other card related personal details i.e. Your Name, Card Expiration Date, is sent by the Apple Wallet App to the Apple Pay servers.
  2. From your PAN, the Apple Pay server identifies the credit card Issuer Bank, and then passes the PAN and your personal details to the Issuer Bank, requesting a Payment Token from the Issuer Bank.
    Note that the Issuer Bank must have partnered with Apple Pay, and be part of the Apple Pay network in order for Apple to add that payment card onto the iPhone. If the Issuer Bank has not partnered with Apple Pay, you cannot add that card to Apple Pay.
  3. The Issuer Bank then calls a Token Service Provider (TSP), and requests a Payment Token.
    Token Service Providers are entities that must be registered with EMVCo as Token Service Providers (TSP) — see Appendix below for a list of Token Service Providers.
    EMVCo is an organization that manages the EMVCo format, a data transmission format — see Appendix below for more information on EMVCo.
  4. The Token Service Provider (TSP) vaults the PAN, generates a Payment Token, and associates the newly generated Payment Token with the PAN.
    The Token Service Provider (TSP) then returns the newly generated Payment Token, along with a Payment-Token-Key (i.e. public key), to the Issuer Bank.
  5. The Issuer Bank receives the Payment Token and Payment-Token-Key from the Token Service Provider (TSP), and adds a CVV-Key (i.e. public key) to the mix.
  6. The Issuer Bank then returns the Payment Token, Payment-Token-Key and the CVV-Key back to the Apple Pay Servers.
  7. Apple Pay uses its own Trusted Service Manager (TSM) and provisions the Payment Token, Payment-Token-Key and CVV-Key, and maybe other data, onto the “Secure Element” i.e. the secure hardware chip on the physical iPhone device.

This then is the “Payment Token” that Apple saves on its Secure Element (SE) and calls the DAN (Device Account Number).


You can see this DAN for the card you added in, by going to your Apple Wallet App, selecting the credit card that you added, and then clicking on the “info” button. Only the last 4 digits of the DAN will be displayed.

  • Note that the DAN is unique to that particular iPhone device. The same card added to a different device will have a different DAN.
  • The DAN is a permanent unique number and does not change. The DAN acts as a proxy for the real credit card number (PAN) and the personal details.
  • Any transaction records for purchases made using Apple Pay will not show the last 4 digits of your credit card. Rather, the transaction records will show the last 4 digits of the DAN.
  • Apple Pay does not store the real card numbers on the device or Apple servers, and payment token data is never stored on its cloud servers
    (the Payment Token, i.e. DAN, resides only on the Secure Element (SE) on the iPhone device). Also, Apple Pay does not store real card data inside the Secure Element (SE).

When you Pay using Apple Pay with your iPhone

Apple Pay uses NFC to send payment data to the contactless POS terminal when you Tap & Pay.
Apple Pay uses the EMVCo’s contactless suite of specifications to pass the data from your iPhone to the contactless reader terminal.

  1. When you pay using the iPhone with Apple Pay, you authenticate yourself to the iPhone device's Secure Element (SE) using your biometric (i.e. fingerprint, Face ID) or PIN.
    The authentication process only authenticates you to the Secure Element (SE), and allows Apple Pay to access the information stored on the Secure Element (SE). Other than this initial Authentication process, neither the Secure Element (SE) nor the biometrics (i.e. Touch ID etc), are involved in the rest of the Apple Pay process.
  2. Once you authenticate yourself to the iPhone the Secure Element on the iPhone takes the following steps,
    (a) generates a Dynamic Cryptogram, which is a combination of the Payment Token, transaction amount, transaction counter etc. along with the Payment-Token-Key (i.e. the public key provided by the TSP).
    (b) generates a Dynamic CVV, using the CVV-Key (i.e. the public key provided by the Issuing Bank).
    The Secure Element then passes the Payment Token (DAN), the Dynamic Cryptogram (also called, the One-time Unique Number), the Dynamic CVV Value (also called, the Dynamic Security Code), and other payment and chip data elements to the POS terminal via NFC, using the EMVCo’s contactless suite of specifications.
  3. The POS sends this request to the Acquirer Bank (Merchant Bank), which in turn forwards it to the Payment Network eg. Visa, Mastercard etc.
  4. The Payment Network then identifies that the request is a Payment Token and not a real PAN, based on the BIN tables. The Payment Network accordingly passes the Payment Token and the Dynamic Cryptogram to the Token Service Provider (TSP) to obtain the associated PAN.
  5. The Token Service Provider receives the Payment Token (DAN) and the Dynamic Cryptogram.
    It validates the request by deciphering the Dynamic Cryptogram (which contains the public Payment-Token-Key), using the private Payment-Token-Key. Once the request is validated, the TSP looks up the PAN associated with the Payment Token, within the Token Vault, and returns the customer's real PAN to the Payment Network.
  6. The Payment Network receives the real PAN. It now passes the PAN along with the transaction details and the Dynamic CVV to the Issuer Bank, for transaction authorization.
  7. The Issuer Bank validates the request by deciphering the Dynamic CVV, using its private key. Once the Dynamic CVV is validated, the Issuer Bank checks the customer's credit balance against the transaction amount, and “authorizes” the request.
  8. The Issuer bank passes back the “authorization” response to the Payment Network, which in turn passes it back to the Acquirer Bank (Merchant Bank), which in turn passes it back to the POS terminal, and your transaction is approved on the POS (The POS further transmits this to the iPhone through NFC, and you get a green check on your phone that the transaction was approved).

This entire process from Step 1–8 takes place in less than a couple of seconds. So you can see that the credit card networks are lightning fast!


Also, you will notice that in the above process, the actual PAN and customer information remains on the private credit card networks only, and is never transmitted to or from the POS. Thus the transactions are extremely secure.

How does Apple Pay make money?

To answer this question, we must first look at how a plain vanilla payment card eg. a credit card, transaction is processed (i.e. without Apple Pay).

When you swipe a credit card at a POS terminal,

  1. Your credit card number (PAN) along with the transaction amount and details, are sent to the Acquirer Bank (Merchant Bank).
  2. The Acquirer Bank then identifies which payment network the card is using (i.e. is it a Visa, Mastercard, Amex etc.), and then passes the PAN and transaction details to the appropriate Payment Network i.e. Visa, Mastercard, Amex, Discover, JCB, Union Pay etc.
  3. The Payment Network then identifies who is the Issuer Bank for that card i.e. your Visa credit card could have been issued by Chase Bank, and then passes the authorization request to that Issuer Bank along with the PAN, transaction amount etc.
  4. The Issuer Bank validates the PAN, and checks to see if the transaction amount has not exceeded the credit limit for that customer.
    If everything looks good the Issuer Bank “authorizes” the transaction and sends this “authorization” back to the Payment Network i.e. Visa, Mastercard etc.
  5. The Payment Network then sends this authorization back to the Acquirer Bank (Merchant) bank, which sends this authorization back to the POS terminal, and you get a transaction approved message on the POS and the POS prints you out a receipt.

This entire process from step 1–5 takes less than 3 seconds, and you walk away from the POS with your receipt in hand.

How do Visa, Mastercard, Amex make money?

For the services that they provide, each of the above parties takes a small cut of the transaction amount.
So if you purchase something from a merchant for $100, typically the Merchant gets paid only $98. The remaining 2% i.e. $2, is called the Discount Rate, and this $2 is split between all the participating parties that provide the credit card processing service.

The split between the parties may be as follows,

  • Issuer Bank $1.70
    (Called the Interchange Fee i.e. typically 1.7%)
  • Payment Networks i.e. Visa, Mastercard, Amex etc. $0.10
    (Flat fee based on transaction volume i.e. $0.10)
  • Acquirer or Merchant Bank — $0.20
    (Flat Fee or Percentage Fee based on the Merchant-Acquirer bank under-writing contract i.e. typically 0.2%)

Note that in our example the Discount Rate is 2%, however in reality this Discount Rate depends upon the type and nature of the transaction.

In general, the more secure a transaction, the lower the Discount Rate.

So an “in-person” transaction will have a slightly lower discount rate, eg. 1.99%, than an “on the phone” transaction, eg. 2%. Also, a chip-based credit card transaction will have a lower discount rate, eg. 1.97%, than a non-chip based credit card transaction. This is because it is assumed that the more secure a transaction, the lower the risk for that transaction, i.e. the actual credit card holder is making an authorized transaction.

Also, it is interesting to note that the Discount Rate is set by the Payment Networks i.e. Visa, Mastercard, Amex etc. (even though the Payment Networks get only a small slice of the full Discount Rate).

So it is Visa, Mastercard, Amex etc. that decide what the Discount Rate will be for using them as the Payment Network, and not the Issuer Bank or the Acquirer Bank (Merchant Bank).

i.e. In our example above, it is Visa, Mastercard etc. that dictate and set the Discount Rate to say 2% , even though Visa, Mastercard may get only $0.10 per transaction from that Discount Rate, and the balance of the Discount Rate is shared between the Issuer Bank (Interchange Fee) and the Acquirer Bank (Merchant Bank).

Visa, Mastercard, Amex, Discover, etc. are called credit card processing networks.

  • Out of these Visa and Mastercard purely provide and charge for the use of their network infrastructure, almost like a toll booth. They do not issue credit cards (that is done by the Issuing Bank).
    They simply provide the branding to the card to indicate that the card is compatible and will be processed with their particular credit card payment network eg. Visa network or Mastercard network.
  • Amex and Discover on the other hand have a more vertically integrated business model and issue their own credit cards. They also provide a similar branding model, where they may issue cards for specific retailer eg. Macy’s, Sears etc. and may act as the card issuing bank.

Now to answer our original question.

How does Apple Pay make money?

  • Apple Pay is free to use for Merchants and Consumers, and Apple does NOT charge either for the use of Apple Pay.
  • It is the Issuer Bank that pays Apple 0.15%, for any transactions that are done using Apple Pay.

In our example above, the Issuer bank pays Apple 0.15% from the 1.7% Interchange Fee, that it charges. The Issuer Banks are ok to pay this nominal 0.15% fee, since they are guaranteed a secure transaction for any transaction that has been done using Apple Pay.

That’s all for this post!! Hope this post helps you understand the “behind the scenes” on how Apple Pay and the Payment Networks actually work!

Happy Innovating in FinTech!!

Found this post helpful? Hit the 👏 👏 👏 button a few times to show how much you liked it! 🙂

Follow me on Medium for the latest updates and posts!

Appendix

List of EMVCo Registered Token Service Providers

What is EMVCo?

EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It accomplishes this by managing and evolving the EMV® Specifications and related testing processes. This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues.

EMVCo’s work is overseen by EMVCo’s six member organizations — American Express, Discover, JCB, Mastercard, UnionPay, and Visa — and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

EMVCo is managed by the Board of Managers, which is comprised of two representatives from each of the member payment systems. The EMVCo Executive Committee, also managed by payment system representatives, provides guidance on EMVCo’s long-term strategy.

Technologist, Author, Speaker-with a passion for learning new things every day. Specializing in helping Startups and Enterprises move to the modern web!