With the upcoming launch of Apple Pay, we’ve started taking a look at how it works behind the scenes and how we can integrate it with Kill Bill.
By way of background, Apple Pay integrates two technologies, the EMV Payment Tokenization Specification and the EMV Contactless Specification.
When a credit card is stored in Passbook, the card information is sent to a Token Service Provider (it seems this will be the credit card networks, e.g. Visa, in the case of Apple Pay), which will contact the issuing bank to generate a token as well as a token expiration date. These two aliases will be stored in the secure area of the iPhone and will be used for all transactions associated with this credit card (all merchants will see the same token and token expiration date).
When a transaction is made, the iPhone sends the tokenized information to the merchant's payment software (in our case, Kill Bill). Via a payment gateway, the transaction request is forwarded to the acquiring bank, which will contact the issuing bank via the Payment Network. It is in the interaction between the two banks that the token and its expiration date are transparently swapped for the actual card number (PAN) and real expiration date. In the end, only the Payment Network and the Issuer see the real credit card; all other parties deal only with the Payment Token.
Additionally, a unique cryptogram is generated and sent with every transaction. This is to make sure that the Payment Token and its expiration date cannot be used in other types of transactions.
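As an added illustration of the flow described above (not code from this post, Kill Bill or ActiveMerchant), here is a small Ruby model in which the merchant only ever handles the token, the token expiration date and a cryptogram, and the network refuses to swap the token back to the PAN unless the cryptogram matches that exact transaction. The HMAC-based cryptogram, the `KB-1` merchant id, the test PAN and the provisioning details are constructed stand-ins for the real EMV mechanisms.

```ruby
require 'openssl'
require 'securerandom'

# Constant-time comparison so the cryptogram check does not leak timing (hypothetical helper).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the EMV cryptogram: an HMAC over the token and the transaction context,
# so the same token cannot be reused in a different transaction (constructed scheme).
def make_cryptogram(key, token, token_exp, amount, merchant_id, nonce)
  OpenSSL::HMAC.digest('SHA256', key, [token, token_exp, amount, merchant_id, nonce].join('|'))
end

# Token Service Provider / Payment Network: the only party holding the PAN <-> token map.
class TokenServiceProvider
  def initialize
    @vault = {}   # token => { pan:, exp: }
    @keys  = {}   # token => per-token key used by the device for cryptograms
  end

  # Called when the card is added to Passbook; returns what the phone's secure area stores.
  def provision(pan:, exp:)
    token = format('49%014d', SecureRandom.random_number(10**14))   # constructed alias, not a real PAN
    key = SecureRandom.random_bytes(32)
    @vault[token] = { pan: pan, exp: exp }
    @keys[token] = key
    { token: token, token_exp: '12/2019', key: key }
  end

  # Acquirer -> network -> issuer step: swap the token for the PAN only if the cryptogram
  # matches this exact transaction; otherwise return nil (declined).
  def detokenize(token:, token_exp:, cryptogram:, amount:, merchant_id:, nonce:)
    key = @keys[token]
    return nil unless key
    expected = make_cryptogram(key, token, token_exp, amount, merchant_id, nonce)
    secure_equal?(expected, cryptogram) ? @vault[token] : nil
  end
end

# One legitimate authorization, then the same token and cryptogram presented for a different amount.
def demo
  tsp = TokenServiceProvider.new
  phone = tsp.provision(pan: '4111111111111111', exp: '08/2017')   # constructed test PAN
  nonce = SecureRandom.hex(8)
  # What the merchant (Kill Bill) receives: token, token expiry, cryptogram. Never the PAN.
  merchant_sees = { token: phone[:token], token_exp: phone[:token_exp], amount: 1999, merchant_id: 'KB-1', nonce: nonce,
                    cryptogram: make_cryptogram(phone[:key], phone[:token], phone[:token_exp], 1999, 'KB-1', nonce) }
  legit  = tsp.detokenize(**merchant_sees)
  replay = tsp.detokenize(**merchant_sees.merge(amount: 50_000))   # cryptogram no longer matches
  { token_is_not_pan: merchant_sees[:token] != '4111111111111111', legit_pan: legit && legit[:pan], replay_pan: replay }
end
```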
Payment Gateways are slowly starting to update their APIs to support these new fields, and we’ve successfully tested the integration with CyberSource. We’ve submitted our changes in ActiveMerchant in this pull request. We’ll be closely monitoring other vendors.
The story of Apple Pay is still evolving, and it can be hard to decipher how it actually works behind the scenes with the very limited amount of technical information available out there. Have you started integrating it? Do you have any tips to share?