Let’s understand how Apple Pay works under the hood in detail.
Setting Up Your Card
A payment card can be added to the Apple Pay application by simply adding the card information (Primary Account Number (PAN) or Card Number) or by scanning it on an Apple device.
This information is sent to the Apple servers.
Apple routes this information to the relevant payment networks (VISA, Mastercard, etc.).
This information is validated by the payment network with the issuing bank.
Once the verification is successfully performed, the following are generated (a process called Tokenization):
a Token called a DAN (Device Account Number)
a Token Key
The mapping between the Device Account Number (DAN) and the Primary Account Number (PAN) is created and managed by the payment network in coordination with the issuing bank.
Note that a Token/DAN has no extrinsic or exploitable value. If stolen, a malicious actor cannot rederive the PAN from the DAN.
This information is sent back to Apple servers.
These servers route this information back to the Apple device.
This information is stored securely on the device’s Secure Element (SE).

What Is A Secure Element?
Secure Element is an industry-standard, certified chip designed to store payment information securely.
The chip is completely isolated from the main device processor, ensuring that the payment information cannot be accessed through other apps.
Note that Apple never stores any payment information on its servers.

Making A Payment
A payment is made on a merchant’s POS (point of sale) terminal using NFC (Near Field Communication).
This needs to be authenticated with Face ID, Touch ID, or your passcode.
Once authenticated, a dynamic cryptogram for each transaction is created using the DAN token, token key, amount, and other transaction information.
This along with other transaction information is sent to the POS terminal, which further routes it to the merchant’s bank.
The bank routes this information to the payment network.
The payment network de-tokenizes the DAN and obtains the original PAN (primary account number) using its copy of the token key.
This transaction request is sent to the issuing bank.
The issuing bank authorizes the transaction and sends back the response to the merchant’s POS terminal.
And that’s how a transaction is completed in Apple Pay.
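The tokenization and per-transaction cryptogram flow described above can be modelled in a few lines. This is an added example, not Apple's or any payment network's code: HMAC-SHA256 stands in for the real cryptogram algorithm, and the names (TokenVault, make_cryptogram), the transaction counter, the terminal nonce and the card number are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Simplified model: HMAC-SHA256 is an assumed stand-in for the real cryptogram
# algorithm. All names and card numbers below are constructed for illustration.

def make_cryptogram(token_key: bytes, dan: str, amount_cents: int, counter: int, nonce: str) -> str:
    """Device side: bind the DAN, amount, counter and terminal nonce to the token key."""
    msg = f"{dan}|{amount_cents}|{counter}|{nonce}".encode()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()[:16]

class TokenVault:
    """Payment-network side: holds the DAN -> PAN mapping and a copy of each token key."""

    def __init__(self):
        self._vault = {}  # dan -> {"pan", "key", "last_counter"}

    def provision(self, pan: str):
        """Tokenization: issue a random DAN and token key for a verified PAN."""
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = {"pan": pan, "key": key, "last_counter": 0}
        return dan, key  # the DAN is random, so it reveals nothing about the PAN

    def authorize(self, dan, amount_cents, counter, nonce, cryptogram):
        """Verify the cryptogram, reject replays, then de-tokenize to the PAN."""
        entry = self._vault.get(dan)
        if entry is None:
            return None, "unknown token"
        expected = make_cryptogram(entry["key"], dan, amount_cents, counter, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        if counter <= entry["last_counter"]:
            return None, "replayed transaction"
        entry["last_counter"] = counter
        return entry["pan"], "forward to issuer"

def demo():
    vault = TokenVault()
    dan, key = vault.provision("4111111111111111")  # constructed test PAN
    cg = make_cryptogram(key, dan, 1999, 1, "n-01")
    first = vault.authorize(dan, 1999, 1, "n-01", cg)       # genuine payment
    replay = vault.authorize(dan, 1999, 1, "n-01", cg)      # same message captured and resent
    tampered = vault.authorize(dan, 999900, 2, "n-02", cg)  # old cryptogram, new amount
    return first, replay, tampered

if __name__ == "__main__":
    print(demo())
```

The merchant and its bank only ever handle the DAN and a cryptogram that is valid for one amount and one counter value, which is why a captured transaction cannot be reused or altered.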
