Payeezy.com Security in Apple Pay™ In-App Development
A First Data White Paper

Unlike wallets of the past that saw weak consumer engagement, demand for Apple Pay is being driven directly by consumers. Today, developers are seeing the advantages of engaging in in-app development for Apple Pay and, in particular, coding apps using the Payeezy.com platform.
Introduction

Never before has the timing been so right to bring everyone together in the payments ecosystem and open a new world of possibilities. It is an exciting time for consumers because convenient payment options are now built right into Apple's newest devices. Unlike previous attempts to introduce mobile payments and wallets, Apple has taken a consumer-centric approach that includes participants from all over the ecosystem: card associations, banks, payment processors, mobile carriers and more. What does this mean for consumers? Ubiquity, and the expectation that merchants everywhere should start accepting mobile payments.

It is also an exciting time for developers. When Apple Pay™ debuted on October 20, 2014, media coverage concentrated mostly on in-store use with contactless terminals. However, in an interview with the Wall Street Journal, Apple SVP Eddy Cue stated that Apple expects most of its early transactions to be in-app.¹ Apple Pay in-app payments do not require the NFC chip that in-store Apple Pay payments require, but they do require Apple's Touch ID: consumers pay for items with a single touch on the device's fingerprint sensor. This removes the time-consuming process that previously required users to create an account and register a credit card.

Five companies originally partnered with Apple to provide the APIs and SDKs needed to develop in-app payment solutions for Apple Pay. First Data built an Apple Pay developer portal on Payeezy.com and was the first of the five to launch. Payeezy.com provides all the tools necessary to incorporate payments in an app, set up a merchant account on behalf of your client and get paid quickly. To make that happen, Payeezy.com provides the iOS SDK, RESTful API, sample code, a knowledge base, developer blog, developer support and the ability to test and certify apps coded for Apple Pay payment processing.

¹ Wakabayashi, D. (2014, October 20). Apple Pay Rolls Out, With Limits. Wall Street Journal.

firstdata.com ©2014 First Data Corporation. All rights reserved.
How Apple Pay In-App Payments Work

For payment integrations created from the APIs on the Payeezy.com site, or from any of the other payment providers, the in-app payment process is the same from Apple's perspective: Apple first receives encrypted transaction information and re-encrypts it with a merchant-specific key before sending it to the merchant. Only anonymous transaction information is retained by Apple Pay; even what the user is purchasing is not retained.

When an app requests a payment, it calls an API to determine whether the device supports Apple Pay, whether the user has cards on a payment network the merchant accepts, and the other information it needs to conduct the transaction. Next, the app asks iOS to present the Apple Pay payment sheet. The full set of information requested by the app is not released until the user authorizes the payment with Touch ID or the device passcode. Once authorized, the information shown in the payment sheet is transferred to the merchant.

The in-app payment process requires a cryptographic nonce, which differs from the in-store process, where the corresponding value is returned by the NFC terminal. The app calls the Apple Pay servers to obtain the nonce. The nonce and the other transaction data are passed to the Secure Element, which generates a payment credential encrypted with an Apple key. The Secure Element then passes it to the Apple Pay servers, which in turn:

• decrypt the credential
• verify the nonce in the credential against the nonce that was issued for this transaction
• re-encrypt the payment credential with the merchant key associated with the Merchant ID
• return it to the device and the app via the API, and the app sends it on to the merchant system for processing

The nonce check is what ties each credential to a single request, so a credential cannot be reused for another transaction. The merchant can then use its private key to decrypt the payment credential for processing.
A New Standard in Tokenization

There are, however, some differences between how in-app solutions have traditionally processed payments and the new standard in tokenization that comes with Apple Pay, and they are important to understand.

Gateway-Side Tokenization

Most eCommerce developers are familiar with the concept of credit card vaults, which receive the PAN and replace it with a token to use instead. Many of the most popular providers use these vaults in their payment gateways, including First Data with the TransArmor® solution. This type lets users put credit cards on file and can be referred to as "gateway-side" tokenization.

The defining characteristic of these tokens is that they are scoped to a single merchant. They are useful for a developer who wants to keep a credit card on file to enable low-friction transactions, without the burden of securing and maintaining a database of PANs and the associated compliance issues.² Here is the authorization flow when a gateway-side token is used:

[Figure: Gateway-Side Tokenization. App → Site → Gateway → Acquirer → Payment Processor → Network → Issuer. The $10 sale leaves the app and the site carrying the token; the gateway's vault platform swaps the token for the PAN, and the PAN travels from the gateway onward to the issuer.]

First Data has participated in gateway-side tokenization for years, not only for TransArmor, but also in how the company processes most web- and mobile-type transactions.

² Beatty, J. (2014, September 9). How Apple Pay works and why it matters for developers. Clover Developers Blog. Retrieved from http://clover-developers.blogspot.com/2014/09/apple-pay.html
Network-Level Tokenization

With the onset of Apple Pay, a new form of tokenization emerged, one that is closely associated with EMV™ and that the payment networks (Visa®, MasterCard®, American Express® and others) built. This new form is referred to as "network-level" tokenization. The underlying EMVCo specification is the EMV Payment Tokenisation Specification – Technical Framework.³ Here is the authorization flow when a network-side token is used:

[Figure: Network-Side Tokenization. App → Site → Gateway → Acquirer → Payment Processor → Network → Issuer. The $10 sale carries the token all the way to the network; the Token Service Provider's vault platform at the network swaps the token for the PAN, which only the issuer sees.]

First Data, through its partnership with Apple in the launch of Apple Pay, is closely involved with network-level tokenization. Payeezy.com, and as a result any developer coding in-app solutions on the Payeezy.com platform, uses network-level tokenization.

Network-level tokens are very different from gateway-side tokens. They are essentially aliases for PANs that are exchanged during an authorization by the network. These tokens are provisioned (see Token Provisioning below) into the Secure Element on the iPhone 6 and used in authorization flows, further protected with 3-D Secure (see the 3-D Secure section below).⁴

³ EMVCo. (2014). EMV® Payment Tokenisation Specification – Technical Framework. EMVCo.
⁴ Beatty, J. (2014, September 9). How Apple Pay works and why it matters for developers. Clover Developers Blog. Retrieved from http://clover-developers.blogspot.com/2014/09/apple-pay.html
This is the typical way that a developer would provision a token:

[Figure: Token Provisioning. The site or app sends PAN, Exp, CVV and AVS data to the payment gateway; the gateway passes the PAN to the token vault, which validates the card with the payment network and returns a token; the gateway hands the token back to the site or app.]

As network-level tokenization evolves to other development outside the Apple Pay ecosystem, First Data will continue to be a leader.

Key Takeaways for Network-Side Tokenization

• They look like standard PANs; for example, they are 16 digits.
• They are mostly compatible with the existing payment processing infrastructure.
• The tokens are issued within a special BIN that the network's routing tables flag as a token rather than a standard PAN.
• They are exchanged via the network by Token Service Providers, a new role in the ecosystem.
• They are provisioned via a Token Service Provider into the secure element of a mobile device or some other "secure enough" storage (perhaps Android HCE), facilitated by the issuing bank.

For more on tokenization, refer to: A Primer on Payment Security Technologies: Encryption and Tokenization⁵

⁵ McMillon, T. H. (2011). A Primer on Payment Security Technologies: Encryption and Tokenization. First Data.
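As an added example (not code from the white paper, from TransArmor or from any token service provider), here is a minimal gateway-side vault in Go that gives tokens the properties the takeaways above describe: 16 digits, Luhn-valid so they survive PAN-shaped validation in existing infrastructure, issued under a dedicated token BIN that a routing layer can recognise, random rather than derived from the PAN, and scoped to one merchant. The token BIN 999900, the merchant names and the in-memory map are assumptions for illustration; a production vault persists and encrypts its mapping.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// tokenBIN is a hypothetical BIN reserved for tokens (an assumption of this example).
// Anything starting with it is flagged as a token, never as a real card number.
const tokenBIN = "999900"

// luhnCheckDigit returns the digit that makes payload+digit pass the Luhn check that
// PAN-handling systems apply, so a token survives "looks like a card" validation.
func luhnCheckDigit(payload string) byte {
	sum, double := 0, true // the rightmost payload digit is doubled
	for i := len(payload) - 1; i >= 0; i-- {
		d := int(payload[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return byte('0' + (10-sum%10)%10)
}

// luhnValid reports whether s is a 16-digit string with a correct Luhn check digit.
func luhnValid(s string) bool {
	if len(s) != 16 || strings.Trim(s, "0123456789") != "" {
		return false
	}
	return luhnCheckDigit(s[:15]) == s[15]
}

// IsToken is the routing check: a value in the token BIN must be detokenized
// before it is forwarded to an acquirer as a PAN.
func IsToken(s string) bool { return strings.HasPrefix(s, tokenBIN) }

type vaultKey struct{ merchant, token string }

// Vault is an in-memory stand-in for a gateway-side card vault. Tokens are random,
// so a PAN cannot be recovered from a token without the vault, and entries are keyed
// by merchant, so the same token presented by another merchant resolves to nothing.
type Vault struct{ cards map[vaultKey]string }

func NewVault() *Vault { return &Vault{cards: map[vaultKey]string{}} }

// Tokenize vaults a PAN for one merchant and returns a 16-digit Luhn-valid token.
func (v *Vault) Tokenize(merchant, pan string) (string, error) {
	if !luhnValid(pan) || IsToken(pan) {
		return "", errors.New("refusing to tokenize: not a valid 16-digit PAN")
	}
	for {
		// Nine CSPRNG digits sit between the token BIN and the check digit.
		n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000))
		if err != nil {
			return "", err
		}
		payload := tokenBIN + fmt.Sprintf("%09d", n.Int64())
		token := payload + string(luhnCheckDigit(payload))
		if _, taken := v.cards[vaultKey{merchant, token}]; !taken {
			v.cards[vaultKey{merchant, token}] = pan
			return token, nil
		}
	}
}

// Detokenize is what the gateway does just before forwarding the sale to the
// acquirer: the Token -> PAN step at the gateway's vault platform in the figure.
func (v *Vault) Detokenize(merchant, token string) (string, error) {
	pan, ok := v.cards[vaultKey{merchant, token}]
	if !ok {
		return "", errors.New("unknown token for this merchant")
	}
	return pan, nil
}

func main() {
	v := NewVault()
	tok, _ := v.Tokenize("merchant-a", "4788250000028291") // the test card used later in this paper
	pan, err := v.Detokenize("merchant-a", tok)
	fmt.Println(tok, IsToken(tok), luhnValid(tok), pan, err)
	_, err = v.Detokenize("merchant-b", tok)
	fmt.Println("other merchant:", err)
}
```

The merchant scoping is the property to notice: a token stolen from one merchant's database is worthless at another merchant, which is exactly the limitation the network-level scheme in the next section lifts by moving the vault to the network.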
3-D Secure

3-D Secure™ is the way network-level and EMV tokenization is supported on Payeezy.com.

3-D Secure is an XML-based protocol developed by Visa and marketed as Verified by Visa. A version was adopted by MasterCard as MasterCard® SecureCode™, by JCB International as J/Secure™, by Diners Club as ProtectBuy℠ and by American Express as AMEX SafeKey®. It is the online counterpart to in-store EMV solutions to prevent fraud.

On Payeezy.com, 3-D Secure provides authentication from the issuing bank to use the token that has been provisioned onto the iPhone. The JSON dictionary sent to the gateway holds the encrypted payment information, including:

• Type A, which specifies an Apple Pay transaction
• The public key certificate corresponding to the merchantIdentifier set on the original PKPaymentRequest (refer to the Apple Pay™ documentation)
• The cryptographic algorithms used to sign and encrypt the payload (refer to the Apple Pay™ documentation)
• Additional information needed to decrypt and verify the payment

Note that, apart from the Payeezy-specific type, the 3DS object in the request below carries Apple's payment token (version EC_v1, data, signature and header) as the app received it from iOS. Because the merchant certificate's CSR is generated on Payeezy.com (see Generate a Certificate Signing Request below), the matching private key stays with the gateway: the gateway decrypts the token, and the app never handles card data.
The code below shows what a transaction message to the gateway looks like without 3-D Secure (a conventional card request) and with 3-D Secure (an Apple Pay request). The long base64 values are truncated in the original.

Without 3-D Secure:

```json
{
  "merchant_ref": "Astonishing-Sale",
  "transaction_type": "purchase",
  "method": "credit_card",
  "amount": "1299",
  "currency_code": "USD",
  "credit_card": {
    "type": "visa",
    "cardholder_name": "John Smith",
    "card_number": "4788250000028291",
    "exp_date": "1014",
    "cvv": "123"
  }
}
```

With 3-D Secure:

```json
{
  "merchant_ref": "merchant-specific-info (This is optional)",
  "transaction_type": "purchase",
  "method": "3DS",
  "3DS": {
    "type": "A",
    "version": "EC_v1",
    "merchantIdentifier": "mock-1",
    "applicationData": "VGhpcyBpcyBzb21lIHRlc3QgZGF0YS4gIDAxMjM0NTY3ODk=",
    "data": "v6cqGDrjcJUCLdpRkSQIt...",
    "signature": "AKCAMIIBoTCCAUgCAQEwCQYHTBFMQswCQYDVQQGEwJVUzE...",
    "header": {
      "applicationDataHash": "4b5745dd55d72886c06a2c65bb05...",
      "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0D...",
      "publicKeyHash": "YmSWN7lj4+A6fVJVPicP8TgS7gI7oug...",
      "transactionId": "34303833303938"
    }
  }
}
```
Certifying an App On Payeezy.com

There are three levels of developer engagement on the developer portion of Payeezy.com:

1. Anonymous
2. Registered
3. Certified

At each level, developers gain more access and capability.

Anonymous

Anonymous is just like it sounds. Developers at this level have an unregistered, anonymous account with the following resources:

The Apple Pay SDK Starter Kit: downloadable files and code needed to start creating an app.

Sample Project: a sample project (named SampleCharge) in Xcode to get hands-on familiarity with the code that drives Apple Pay and Payeezy.

Frameworks: First Data provides two frameworks that you can drop into your project to start accepting Apple Pay transactions:

• InAppSDK.framework: enables your app to communicate with the iOS device and masks the complexity of dealing with Apple's APIs.
• PayeezyClient.framework: iOS client for the API; enables the handshake with First Data through HTTP calls to the Payeezy API.

Developers at the anonymous level also have full access to Payeezy.com support, forums, the FAQ area and the Payeezy.com blog. This includes the ability to ask questions, get answers, get tips, see what is new with Payeezy and Apple Pay and learn about upcoming events.
Registered

For more functionality, including the ability to test accounts, a developer has to move to the registered level. This is provided through the "Register Now" link on the developer.payeezy.com site. This level requires developers to provide a name and email address. Once the account is set up, three of the four credentials needed to start developing an Apple Pay-enabled app are provided: an API Key, an API Secret and a Merchant Token. These credentials allow the developer to set up a test account by clicking on "My APIs".

Payeezy.com Sandbox

Registered Payeezy.com developers can access the sandbox, which mimics a live Apple Pay production environment:

• Create a set of test accounts
• Format your Payeezy API requests using your API Key, API Secret, Merchant Token and Apple Pay Merchant ID
• Run tests against the Payeezy API
• Review the responses and modify your code as necessary

The fourth credential, an Apple Merchant ID, is needed to generate the Certificate Signing Request that Apple requires. This step can be completed only after registering on developer.payeezy.com. To obtain an Apple Merchant ID:

1. Go to developer.apple.com and log in to your developer account.
2. From the Member Center, navigate to Certificates, Identifiers & Profiles.
3. Go to the Register Merchant IDs section. Your Merchant ID is located in the Identifier field.
4. Click Done.

At this point, the developer has full ability to code, create and test an Apple Pay-enabled app.
Certified

Developers should fully test their app to determine that it is working and bug-free before moving to the self-certification step. Then it is time to certify the app and start boarding merchants.

To Certify an App on Payeezy.com

1. Log in to developer.payeezy.com
2. Navigate to "Get Certified"
3. Complete the form
4. First Data will validate the app's transactions and identify any issues
5. If everything is performing properly, certification is issued

After a developer certifies an app, there are three steps that need to be taken before payments can be accepted on the Apple Pay payment platform:

1. Add Merchants
2. Generate a Certificate Signing Request
3. Submit the Certificate Signing Request to Apple
These steps are outlined below.

To Add Merchants on Payeezy.com

1. Log in to developer.payeezy.com.
2. Navigate to "Add Merchants".
3. Answer the question "Are you the Merchant?" If you are acting as a merchant, select "Yes". If you will be adding merchants who will use your app, select "No, I'm adding other Merchants".
4. If you plan to use Apple Pay in your app, check the "Enable this Merchant for Apple Pay" checkbox.
5. Select "Submit" and you will be taken to the Notify Merchant screen.
6. Enter the contact information for your merchant and the captcha and select "Notify Merchant". This will invite your merchant to create a Merchant Account. You will be notified when your merchant has completed the process.

Generate a Certificate Signing Request (CSR)

1. Log in to developer.payeezy.com.
2. Click on "My Merchants" from the top menu.
3. If you have only completed the 'lite' registration, you will see the CSR as part of your test merchant account on the Sandbox tab. If you have completed full registration and certification and are looking for the CSR for your specific merchant(s), select the "Live" tab. You will need the CSR to transact in either case (sandbox or live).
4. Once you have identified the CSR you want to download, right-click on it, select "Save As" and save the .pem file somewhere you can easily get to it later in the process.

Note that Payeezy.com generates the CSR, so the private key that decrypts Apple Pay tokens for this merchant is created and held on the gateway side; the developer only ever handles the CSR and the certificate Apple returns.

Submitting your Merchant Certificate Signing Request (CSR) to Apple

1. Log in to your Apple developer account.
2. Go to "Certificates, Identifiers & Profiles" from the Member Center.
3. Click "Edit" on the Merchant ID page and select "Create Certificate".
4. Follow the instructions on screen to upload and submit your CSR.
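Since the private key never leaves Payeezy.com, the one check the developer can and should run on the artifacts they do handle is that the certificate Apple returns certifies exactly the key in the downloaded CSR, and that the key is ECDSA P-256 (the curve the EC_v1 token's ephemeralPublicKey uses). The following is an added example in Go, not code from the white paper or from the Payeezy portal; makeCSR and issueCert are stand-ins for the Payeezy and Apple sides so that it runs offline, and the merchant subject name and the throwaway issuer key are hypothetical. checkMerchantCert also returns the publicKeyHash that tokens encrypted to this certificate will carry in their header.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCSR stands in for Payeezy.com generating the merchant key pair and the CSR the
// developer downloads. The private key stays on the gateway side; only the CSR leaves.
func makeCSR(merchantID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: merchantID}}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// issueCert stands in for Apple's portal: it certifies whatever public key the CSR
// carries, signed here by a hypothetical throwaway issuer key.
func issueCert(csrPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, issuer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// checkMerchantCert is the developer's check: the certificate must certify exactly the
// P-256 key in the CSR from Payeezy, or tokens encrypted to this certificate will never
// match the private key the gateway holds. It returns the publicKeyHash those tokens
// carry: base64(SHA-256(DER SubjectPublicKeyInfo)).
func checkMerchantCert(csrPEM, certPEM []byte) (string, error) {
	csrBlock, _ := pem.Decode(csrPEM)
	certBlock, _ := pem.Decode(certPEM)
	if csrBlock == nil || certBlock == nil {
		return "", errors.New("expected PEM-encoded CSR and certificate")
	}
	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return "", err
	}
	cert, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		return "", err
	}
	csrKey, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || csrKey.Curve != elliptic.P256() {
		return "", errors.New("CSR key is not ECDSA P-256")
	}
	if !csrKey.Equal(cert.PublicKey) {
		return "", errors.New("certificate public key does not match the CSR")
	}
	der, err := x509.MarshalPKIXPublicKey(csrKey)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

func main() {
	_, csrPEM, _ := makeCSR("merchant.com.example")
	certPEM, _ := issueCert(csrPEM)
	fmt.Println(checkMerchantCert(csrPEM, certPEM))
}
```

With a real pair of files, read the CSR saved in step 4 and the certificate downloaded from Apple and pass their bytes to checkMerchantCert; a mismatch means the certificate was created from some other CSR and tokens for this merchant will fail to decrypt at the gateway.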
CONCLUSION

In the context of the US market's development, Apple Pay has arrived at a better time than Google Wallet and has a much better chance of widespread adoption. New tokenization standards and the adoption of 3-D Secure technology are making the advantages of using Apple Pay clear in terms of security. With Apple Pay, the retailer only sees a token, not which card or bank has been used. The retailer cannot store bank card details, email addresses or passwords because it simply does not receive them in the first place. Companies like First Data, through their developer portal on Payeezy.com, are paving the way in creating cutting-edge environments that use new security standards such as network-level tokenization and more.

Unlike wallets of the past that saw weak consumer engagement, demand for Apple Pay is being driven directly from the consumer level. Increased privacy and better fraud control have great appeal to a market shell-shocked by repeated news of data security breaches at major retailers.

Uncertainties do exist, with disadvantages voiced by some of the larger retailers as well as by companies like Google. Concerns about the inability to track purchases or to use loyalty card solutions top the list. They also point to Apple Pay's lack of global availability: though alternative contactless systems have long since been adopted in other parts of the world, Apple Pay is not scheduled to work outside the United States until 2015. As a result, some experts and research firms, such as Juniper, predict that Apple Pay will have only a small share of the market by 2019. However, developers are seeing the advantages of engaging in in-app development for Apple Pay and, in particular, coding apps using the Payeezy.com platform.
Driven by an exploding app market (app analytics firm Distimo states that in-app purchases represented 92% of the $10 billion consumers spent in the Apple App Store in 2013⁶), developers are rushing to engage with companies such as First Data, who are seen as leading the way in enabling the creation of in-app solutions on Apple Pay.

For more information, contact your First Data Representative or visit firstdata.com

⁶ Agten, T. v. (2013). Games: King of the mobile eco-system. Distimo.

This White Paper is for informational purposes only. FIRST DATA MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS WHITE PAPER. First Data cannot be responsible for errors in typography or photography. First Data, Payeezy, and Payeezy.com are trademarks of First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective owners. Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Pay is a trademark of Apple Inc. EMV™ is a trademark owned by EMVCo LLC. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. First Data disclaims proprietary interest in the marks and names of others. Information in this document is subject to change without notice.