{"id":1326,"date":"2015-01-03T17:07:06","date_gmt":"2015-01-03T17:07:06","guid":{"rendered":"http:\/\/www.gmarwaha.com\/blog\/?p=1326"},"modified":"2015-01-03T17:14:51","modified_gmt":"2015-01-03T17:14:51","slug":"apple-pay-an-attempt-to-demystify-take-2","status":"publish","type":"post","link":"https:\/\/www.gmarwaha.com\/blog\/2015\/01\/03\/apple-pay-an-attempt-to-demystify-take-2\/","title":{"rendered":"Apple Pay &#8211; An attempt to demystify &#8211; Take 2"},"content":{"rendered":"<p>Earlier, a couple of months ago, I attempted to demystify <a href=\"https:\/\/www.apple.com\/iphone-6\/apple-pay\/\">ApplePay<\/a> in this <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/24\/apple-pay-an-attempt-to-demystify\/\">blog post<\/a>. Those were the\u00a0early days when most of us didn&#8217;t have access to enough\u00a0information on its inner workings. Even with such limited information,\u00a0many parts of the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/24\/apple-pay-an-attempt-to-demystify\/\">post<\/a> turned out to be correct, but some turned out to be wrong too.\u00a0Today, with access to more information, I am making a second attempt\u00a0at demystifying ApplePay. This post is primarily a rehash of the original with only the relevant parts changed. Let&#8217;s get on with the article now&#8230;<\/p>\n<p>When Apple announced <a href=\"https:\/\/www.apple.com\/iphone-6\/apple-pay\/\">ApplePay<\/a> as a service on September 9th, 2014 and subsequently in their <a href=\"http:\/\/www.apple.com\/pr\/library\/2014\/09\/09Apple-Announces-Apple-Pay.html\">press release<\/a>, they mentioned a few key terms like <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">Secure Element<\/a>, Tokens, One time unique number, Device account number, dynamic security code and such. Take a look at the 4th paragraph in their <a href=\"http:\/\/www.apple.com\/pr\/library\/2014\/09\/09Apple-Announces-Apple-Pay.html\">press release<\/a> to see what I\u00a0mean. For the layman, this could mean that apple has used\u00a0some complex\u00a0security technology to make ApplePay secure; but for some people in the field of mobile payments and security, it was not very clear what Apple was trying to say. So, let\u2019s try and dissect that, shall we?<\/p>\n<p>For simplicity, we are only going to discuss about ApplePay in the context of a payment made at a physical <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Point of Sale\">POS<\/a>\u00a0and not the mCommerce version of the service. This is only an educated attempt to understand the underlying implementation while the reality could well, be different.<\/p>\n<p>Let\u2019s start with the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">Secure Element<\/a> (SE). ApplePay stores the payment credentials inside the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">SE<\/a>. It does not store them in the cloud and it does not store them within the host operating system. This means that none of the iOS apps will have access to the payment information stored within the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">SE<\/a>.<\/p>\n<h4>What exactly is stored in the SE?<\/h4>\n<p>When, you as a customer add a credit card to your Passbook (<a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/07\/16\/mobile-payments-what-is-a-mobile-wallet\/\">Mobile Wallet<\/a>), the simplest thing for the wallet to do would be to store the real payment credentials like the Primary\u00a0Account Number (PAN) into the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">SE<\/a>. But that is a naive implementation and Apple does not do that. ApplePay instead stores something called a token and some associated data inside the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">Secure Element<\/a>.<\/p>\n<h4>What is a token?<\/h4>\n<p>Token is like a fake credit card number that looks and feels like a credit card number for most intents and purposes, but it is not the real deal. During transaction authorization the token would be <code>de-tokenized<\/code> into the real <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0before passing\u00a0on to the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/05\/mobile-payments-who-is-an-issuer\/\">Issuer<\/a> for authorization. The entity that places a request to <code>de-tokenize<\/code> differs depending on the tokenization standard used. In proprietary tokenization technologies, an <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/12\/mobile-payments-who-is-an-acquirer\/\">Acquirer<\/a> would be responsible for <code>tokenization<\/code> and <code>de-tokenization<\/code>. But,\u00a0ApplePay uses the latest in <a href=\"http:\/\/www.emvco.com\/specifications.aspx?id=263\">tokenization standard<\/a> created by <a href=\"http:\/\/www.emvco.com\/\">EMVCo<\/a>. In this case, the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/03\/21\/mobile-payments-who-is-a-payment-network\/\">payment network<\/a> performs <code>de-tokenization<\/code>.<\/p>\n<h4>How is a token provisioned to the SE?<\/h4>\n<p>Now that we know that a Token is stored in the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">SE<\/a>, the next step is to find out how it gets provisioned there in the first place.\u00a0There are many ways in which this could have been implemented and we will not know for sure until Apple announces its implementation. But, here is an educated guess I would go with&#8230;<\/p>\n<p>When a customer adds a credit card to their wallet, the <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0details are submitted to ApplePay servers. ApplePay sends the information over to the appropriate <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/03\/21\/mobile-payments-who-is-a-payment-network\/\">payment network<\/a> (Visa, Master Card or AMEX) asking for a Token in return. In this scheme of things, the payment network is said to play the role of a Token Service Provider (TSP) while ApplePay plays the role of a Token Requestor (TR).<\/p>\n<p>The <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Token Service Provider\">TSP<\/a>\u00a0in turn requests the appropriate <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/05\/mobile-payments-who-is-an-issuer\/\">card Issuer<\/a> to perform Identification &amp; Verification (ID&amp;V) and\/or out of band validation\u00a0(OOB) to verify if the card is valid, if it is in good standing and if the request is originating\u00a0from an authentic customer. After receiving a successful response from the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/05\/mobile-payments-who-is-an-issuer\/\">Issuer<\/a>, the\u00a0<a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Token Service Provider\">TSP<\/a>\u00a0vaults the <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>, generates and maps it to a token and returns the token and a token-key back to ApplePay&#8217;s server. This token-key will later be used to generate a dynamic <code>cryptogram<\/code> at the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">SE<\/a>. ApplePay, acting as its own Trusted Service Manager (TSM) provisions the token, token-key and maybe other data into the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">Secure Element<\/a>. It is the Token that Apple calls as &#8220;Device Account Number&#8221; in its <a href=\"http:\/\/www.apple.com\/pr\/library\/2014\/09\/09Apple-Announces-Apple-Pay.html\">press release<\/a>.<\/p>\n<h4>What happens when a\u00a0payment transaction is initiated?<\/h4>\n<p>When a customer taps or waves their iPhone in front of a point of sale terminal, a payment transaction is initiated. ApplePay uses <a href=\"http:\/\/www.emvco.com\/specifications.aspx?id=21\">EMVCo\u2019s Contactless<\/a> suite of specifications to communicate with the contactless reader terminal. When it is time for the Secure Element to send information to the terminal, it does a couple of\u00a0things. First, it identifies if the contactless terminal supports EMV Contactless or if it supports only Contactless MSD (for backwards compatibility).<\/p>\n<p>If it supports <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Europay, MasterCard, Visa\">EMV<\/a>\u00a0Contactless, the <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Secure Element\">SE<\/a>\u00a0generates a <strong>dynamic cryptogram<\/strong> using a combination of\u00a0the token, token-key, transaction amount, transaction counter etc. If the terminal supports only Contactless MSD, it generates a <strong>dynamic CVV<\/strong>\u00a0instead,\u00a0using similar data elements like\u00a0token-key and other transactional data. Finally, it passes the token, the dynamic cryptogram\u00a0(or\u00a0the dynamic CVV) and other payment and chip data elements to the terminal in compliance with\u00a0EMV Contactless specification.<\/p>\n<p>Let\u2019s stop for a moment here and review what just happened and compare that to Apple\u2019s <a href=\"http:\/\/www.apple.com\/pr\/library\/2014\/09\/09Apple-Announces-Apple-Pay.html\">press release<\/a>\u00a0as quoted below.<\/p>\n<blockquote><p>&#8220;Each transaction is authorized with a <strong>one-time unique number<\/strong> using your <strong>Device Account Number<\/strong> and instead of using the security code from the back of your card, Apple Pay creates a <strong>dynamic security code<\/strong> to securely validate each transaction.\u201d- From the press release<\/p><\/blockquote>\n<p>From the quote above, the <code>Device Account Number<\/code> represents the <code>Token<\/code>, the <code>One-time Unique Number<\/code> represents the <code>dynamic cryptogram<\/code> and the <code>Dynamic Security Code<\/code> represents the <code>dynamic CVV<\/code>.<\/p>\n<h4>What happens during a payment transaction?<\/h4>\n<p>The contactless terminal receives the token, dynamic cryptogram (or dynamic CVV) and other data elements according to the <a href=\"http:\/\/www.emvco.com\/specifications.aspx?id=21\">contactless EMV<\/a> specification (or contactless MSD for backwards compatibility) and\u00a0sends\u00a0them over to the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/12\/mobile-payments-who-is-an-acquirer\/\">Acquirer<\/a>. The Acquirer doesn&#8217;t know or care if the incoming <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0is a token\u00a0<a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0or the real <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>. They just identifiy the payment network based on the <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Bank Identification Number\">BIN<\/a>\u00a0and send it over the corresponding payment network.<\/p>\n<p>The <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/03\/21\/mobile-payments-who-is-a-payment-network\/\">payment network<\/a> identifies that it is a tokenized <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0and not a real <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0based on <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Bank Identification Number\">BIN<\/a>\u00a0tables. Consequently, they send a request out to the <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Token Service Provider\">TSP<\/a>\u00a0to de-tokenize passing in the Token, the dynamic cryptogram (or dynamic CVV) and other transaction data elements. The <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Token Service Provider\">TSP<\/a>\u00a0validates the cryptogram using the token-key that it shared earlier during the provisioning process. It also performs token channel validations and other configured domain control validations. If all the validations came out\u00a0positive, the <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Token Service Provider\">TSP<\/a>\u00a0de-tokenizes and returns the real <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0back to the payment network. The payment network attaches the real <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0to the authorization request and sends it over to Issuer for authorization.<\/p>\n<p>The <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/05\/mobile-payments-who-is-an-issuer\/\">Issuer<\/a> authorizes the transaction depending on the customer&#8217;s account status. The authorization response\u00a0flows back from Issuer to the Payment network. The payment network removes the real <a href=\"javascript:void(0)\" class=\"tips\" data-trigger=\"hover\" title=\"Primary Account Number\">PAN<\/a>\u00a0from the response and attaches token in its place before responding\u00a0back to the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/12\/mobile-payments-who-is-an-acquirer\/\">Acquirer<\/a> and back to the <a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/03\/07\/mobile-payments-who-is-a-merchant\/\">Merchant<\/a> where your receipt gets printed.<\/p>\n<p>In conclusion, we saw how ApplePay\u00a0does provisioning and how a payment transaction is processed.\u00a0For some of us this is good enough information to\u00a0understand the security strategy used by ApplePay. But some others may have more questions.\u00a0What happens when the\u00a0Card is lost?\u00a0What\u00a0happens when the phone is lost?\u00a0What happens when the merchant is compromised? How does ApplePay handle these challenges? These are all very good questions, but this post has\u00a0already become too big. So, I will address those follow-up questions in my next post. Stay tuned!<\/p>\n<h4>Related Reading:<\/h4>\n<ul>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/24\/apple-pay-an-attempt-to-demystify\/\">Apple Pay &#8211; An Attempt to demystify<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/mobile-payments-faq\/\">Mobile Payments FAQ and not so FAQ<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/apple-pay-vs-google-wallet\/\">Apple Pay vs Google Wallet<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/05\/11\/mobile-payments-what-is-a-contactless-chip-card\/\">What is a Contactless Chip Card?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/08\/03\/mobile-payments-what-is-nfc\/\">What is NFC?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/08\/07\/mobile-payments-what-is-nfc-card-emulation-mode\/\">What is NFC Card Emulation Mode?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/09\/01\/mobile-payments-what-is-a-secure-element\/\">What is a Secure Element?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/05\/mobile-payments-who-is-an-issuer\/\">Who is an Issuer?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/03\/07\/mobile-payments-who-is-a-merchant\/\">Who is a Merchant?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/02\/12\/mobile-payments-who-is-an-acquirer\/\">Who is an Acquirer?<\/a><\/li>\n<li><a href=\"http:\/\/www.gmarwaha.com\/blog\/2014\/03\/21\/mobile-payments-who-is-a-payment-network\/\">Who is a Payment Network?<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier, a couple of months ago, I attempted to demystify ApplePay in this blog post. Those were the\u00a0early days when most of us didn&#8217;t have access to enough\u00a0information on its inner workings. Even with such limited information,\u00a0many parts of the post turned out to be correct, but some turned out to be wrong too.\u00a0Today, with access to more information, I am making a second attempt\u00a0at demystifying ApplePay. This post is primarily a rehash of the original with only the relevant parts changed. Let&#8217;s get on with the article now&#8230; When Apple announced ApplePay as a service on September 9th, 2014... <br \/><a class=\"moretag\" href=\"https:\/\/www.gmarwaha.com\/blog\/2015\/01\/03\/apple-pay-an-attempt-to-demystify-take-2\/\">Continue reading...<\/a>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,48,50,49,53],"tags":[],"class_list":["post-1326","post","type-post","status-publish","format-standard","hentry","category-apple-pay","category-mobile-payments","category-mobile-wallet","category-nfc","category-secure-element"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/posts\/1326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/comments?post=1326"}],"version-history":[{"count":6,"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/posts\/1326\/revisions"}],"predecessor-version":[{"id":1332,"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/posts\/1326\/revisions\/1332"}],"wp:attachment":[{"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/media?parent=1326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/categories?post=1326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gmarwaha.com\/blog\/wp-json\/wp\/v2\/tags?post=1326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}