9

Apple Pay says they store a Token on the phone and use it for transactions. Who issues this token? Who then converts this token to a real credit card? Where is the mapping from token to real card stored?

Ulkoma
pslk
  • The token acts as a digital signature. The public key is stored by the transaction processor (Visa, Mastercard, etc), but the token itself is "issued" by Apple. Actually, by the phone. The private key lives in the device hardware – usr-local-ΕΨΗΕΛΩΝ Nov 05 '19 at 18:16

2 Answers

4

With Apple Pay, no credit card data -- even in encrypted form -- is ever stored on the iPhone or on Apple's servers. Similarly, no credit card data is ever transmitted to or stored on a merchant's servers.

When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it's safely stored within the iPhone's Secure Element.

The token is used in place of an actual credit card number and is what Apple, in its marketing materials, refers to as a unique Device Account Number.

So it's the credit card that gets converted into a token. You can read the rest of the story here.

BadSkillz
  • '>> sends it to the credit card network where it is mapped back to the corresponding credit card account that created it'.

    Thanks for the Link. It looks like the Credit Card network generated the token and keeps the mapping. I am sure there are more keys involved in verifying the cryptogram.

    Thanks

    – pslk Oct 28 '14 at 15:52
1

The mapping between token(s) and PAN is maintained and token-to-PAN conversion is performed by the Token Service Provider. You can read more about it in the relevant EMV specification.

In the case of Apple Pay, the Token Service Providers are the various credit card networks: Visa Token Service, Mastercard Digital Enablement Service, American Express Token Service.

I don't know if these card networks permit other TSPs than their own, but I could also imagine card issuers implementing their own tokenization services together with custom mobile payment applications or devices.

lxgr
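A simplified model of the arrangement the answer above describes, added here as an illustration and not taken from the EMV specification or any card network's code: the Token Service Provider is the only party holding the token-to-PAN mapping, and it releases the PAN only for an active token with a valid, unreplayed cryptogram. The HMAC cryptogram, the transaction counter, the `999999` token prefix and every name below are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test, like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def device_cryptogram(key: bytes, counter: int, txn: bytes) -> bytes:
    """Stand-in (assumed HMAC) for the per-transaction cryptogram made on the device."""
    return hmac.new(key, counter.to_bytes(4, "big") + txn, hashlib.sha256).digest()


class TokenServiceProvider:
    """Toy TSP: the only party holding the token -> PAN mapping."""

    def __init__(self, token_bin: str = "999999"):  # constructed token-only prefix
        self._bin = token_bin
        self._vault = {}  # token -> [pan, key, last_counter, active]

    def provision(self, pan: str):
        """Issue a device-specific token and key; the PAN stays in the vault."""
        token = pan
        while token == pan or token in self._vault:
            body = self._bin + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
        key = secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0, True]
        return token, key  # these two values are what the device stores

    def suspend(self, token: str) -> None:
        self._vault[token][3] = False  # e.g. lost phone; the PAN itself stays usable

    def detokenize(self, token: str, counter: int, txn: bytes, cryptogram: bytes):
        """Return the PAN for the issuer, or None if the request is not valid."""
        entry = self._vault.get(token)
        if entry is None or not entry[3] or counter <= entry[2]:
            return None  # unknown or suspended token, or replayed counter
        if not hmac.compare_digest(device_cryptogram(entry[1], counter, txn), cryptogram):
            return None  # cryptogram does not match this token and transaction
        entry[2] = counter
        return entry[0]
```

The merchant and the phone only ever handle the token and the cryptogram; suspending one device's token leaves the card and any other device's token working.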