Apple Pay - csob/paymentgateway GitHub Wiki
Apple Pay on the web and in native iOS & iPadOS applications
Apple Pay is known for contactless payments at payment terminals, where you pay with your phone or Apple Watch. The cards that users add to their iPhone, iPad and Apple Watch can also be used for online payments. The ČSOB payment gateway is now ready to process Apple Pay online payments. The payment takes place directly in the e-shop (on the web or in the native iOS application) – your customer is not redirected to the payment gateway, which further simplifies and speeds up the Apple Pay payment.
Taking the card out from the virtual wallet
If a customer has more than one card in Apple Pay, they can always choose the card they want to use during the payment. Neither the merchant nor the payment gateway can affect the interaction between the customer and the card selection on the iOS device (or Apple Watch); these are iOS and watchOS system services. Although it is possible to restrict card brands when invoking the Apple Pay services from your e-shop or mobile app, we do not recommend doing so.
Integrating with Apple Pay services is easy and secure
The implementation of Apple Pay requires integration not only with the payment gateway but also directly with Apple Pay. It then really works like a "physical" wallet: the e-shop asks Apple Pay for a card, the customer confirms this request (biometrically using Touch ID, Face ID, or Apple Watch) and encrypted payment information is transferred from Apple to the e-shop. Only now does the background communication with the payment gateway begin; all previous steps were performed by the merchant without any communication with the payment gateway. The payment gateway receives the payment information from the merchant (which the merchant cannot read, because the card number exchanged between Apple, the merchant and the payment gateway is encrypted and only the payment gateway can decrypt it). The gateway validates the payment information and uses it to authorize the transaction. The whole process is therefore very similar to a merchant in a "physical" store asking a customer for payment (the e-shop starts the payment process by invoking Apple Pay services), the customer pulling the selected card out of the wallet (the customer uses biometric authentication on iPhone, iPad or Apple Watch to allow the card to be used), handing it to the merchant (encrypted payment information generated by Apple Pay is sent to the merchant), and the payment then being authorized.
Payments on all Apple devices
Apple Pay works both in the browser (only Safari on macOS, iOS and iPadOS) and in native iOS applications. On iOS devices (both iPhone and iPad) customers pay with the cards they have on their iPhone or iPad. When paying on a computer (in Safari), the payment is confirmed on a device near the computer, which can be an iPhone or an Apple Watch. Nearby devices are detected via Continuity, and the watch is preferred over the phone. MacBooks with Touch ID can work without confirming payments on the phone or watch, as cards can be added directly to the computer and payments confirmed with a fingerprint.
Apple Pay transactions handling at the ČSOB Payment Gateway
Apple Pay payment is a common card payment in all aspects except client interaction. Payment authorizations, the ability to manually close transactions, collect partial card payments and make refunds are the same as common card transactions.
Apple Pay vs. OneClick
It is not possible to create a OneClick template from an Apple Pay transaction. The reason is the security principle of Apple Pay and so-called card tokenization. The iPhone or Apple Watch does not store the customer's card number, but the so-called token. This "looks" like a normal card number but during the transaction authorization the token is translated to the original card number and at that moment it is checked whether the transaction originates from the device for which the token was created. Therefore, it is not possible to store the token on the payment gateway and use it for OneClick transactions.
Terms of use and fees
When using Apple Pay in an e-shop or in a mobile app, you must comply with Acceptable Use Guidelines for Apple Pay on the Web. In addition to restricting the receipt of payments for illegal activities, please pay particular attention to the restrictions on the sale of cigarettes and tobacco and the recharging of electronic wallets. In terms of UX implementation, it is necessary to follow the rule of setting Apple Pay as the default payment method if you first find out that the user has an active card in Apple Pay.
Apple Pay is free for merchants. Apple does earn money from payments, but it collects its fees from card issuers.
Purchase (shopping cart) information for Apple Pay and the payment gateway
When initiating a transaction in Apple Pay, provide at least a purchase description, or ideally an itemized cart. Apple Pay is the primary point of the customer's interaction with the payment: this is where the customer gives their consent to pay. The customer never sees the payment gateway during an Apple Pay payment. Therefore, unlike normal card payments, no shopping cart is sent to the payment gateway.
Attention! The amount sent to the payment gateway must be the same as or lower than the amount sent to Apple Pay. The reason is the strong customer authentication (SCA) rules under PSD2, which require the authorization (performed by the payment gateway) to be for the same or a lower amount than the authenticated amount (authentication is performed by Apple Pay).
Apple Pay payments verification
Apple Pay payments are verified by Face ID, Touch ID or Apple Watch, regardless of the device from which the payment is made (iPhone, iPad, Mac). However, to increase the success of Apple Pay payments, the payment gateway collects additional payment data in the same way as for Google Pay and OneClick payments.
Verification in iOS / Android mobile applications and use of SDK
For Apple Pay payments in native mobile applications, it is possible to use a mobile SDK that is globally standardised on the EMV platform. This SDK collects technical data about the user's device (for the card issuer's risk analysis). The SDK is not tied to the payment gateway, so any EMV-certified SDK can be used; a list of providers is available. ČSOB works with Netcetera's mobile SDK; if you are interested in it, please contact [email protected]. For the transmission of SDK outputs and the retrieval of SDK parameters from the payment gateway, see the technical specification of the Apple Pay methods.
Implementation - Merchant registration for Apple Pay
In addition to the integration with the payment gateway, it is necessary to register with Apple as a merchant at https://developer.apple.com. Registration requires purchasing a membership (annual subscription). The enrollment process is described here.
Then it is necessary to create two certificates. You create the first certificate yourself, while for the second, you generate a certificate request in the ČSOB POS Merchant system, hand it over to Apple to create the certificate and upload the result back to the ČSOB POS Merchant system. This certificate will secure payment information between Apple Pay and the payment gateway.
Merchant ID initiation
- Log in to https://developer.apple.com
- Go to "Certificates, Identifiers & Profiles"
- Register a new Merchant ID in the "Identifiers / Merchant IDs" section
"Apple Pay Payment Processing Certificate" request initiation in ČSOB POS Merchant
- Log in to ČSOB POS Merchant and go to the "Payment Gateways" section.
- Search for the appropriate payment gateway to be registered with Apple Pay.
- At the selected payment gateway click on the "Apple Pay Certificates" icon and then on the "New" button.
- Complete the following information in the certificate request form:
- Common Name (the name of the certificate) - the name that will appear in the resulting certificate, we recommend that you enter a value containing the Merchant ID
- Email Address - may correspond to the employed Apple ID under which the merchant is logged into https://developer.apple.com/
- Country Name (the country) - in "2 letter code" format, e.g. CZ
- Locality Name (main office) - enter the registered office (city) of the merchant
- Organization Name - the name of the merchant
- Org. Unit Name - the name of the department/sales point /e-shop name
- After sending the form, the payment gateway generates a key and a certificate request; a new record appears in the certificate list and the request file (with the .CSR extension) can be downloaded
"Apple Pay Payment Processing Certificate" generation
- Log in to https://developer.apple.com/
- Go to "Certificates, Identifiers & Profiles"
- Select "Create Certificate" under "Apple Pay Payment Processing Certificate"
- Upload the .CSR file created by the merchant in ČSOB POS Merchant in the previous section
- Download the generated certificate - it is a file with the .CER extension
"Apple Pay Payment Processing Certificate" download and activation in ČSOB POS Merchant
- Log in to ČSOB POS Merchant and go to the "Payment Gateways" section.
- Find the appropriate payment gateway for which the "Apple Pay Payment Processing Certificate" should be uploaded to Apple Pay.
- At the selected payment gateway click on the "Apple Pay Certificates" icon, search for the appropriate certificate in the certificate list and upload the .CER file from the previous section.
- Activate the selected certificate in ČSOB POS Merchant (only one certificate can be active at a time; the active certificate must correspond to a valid "active" certificate registered within https://developer.apple.com/).
The above procedure ensures the secure generation of the key that the payment gateway will use to decrypt the payload containing the data for Apple Pay transaction authorization. Only the payment gateway, as the key owner, is able to decrypt the payload and authorize the transaction.
Note: The certificate has a validity period of 25 months. So, you will need to replace it with a newer one before its expiration.
Domain verification (Apple Pay integration at merchant‘s e-shop)
- For the Merchant ID created under https://developer.apple.com/, select "Add domain" under "Apple Pay Payment Processing on the Web"
- Enter the domain corresponding to the merchant's e-shop
- Download the apple-developer-merchantid-domain-association.txt file and place it in the .well-known directory in the web server root
- Verify the domain at https://developer.apple.com/ (Apple checks that the specified domain serves the apple-developer-merchantid-domain-association.txt file and verifies its contents)
Note: Validation of the Apple Pay domain described above will have to be periodically renewed as it has limited validity.
Generating the "Apple Pay Merchant Identity Certificate"
The procedure below will ensure secure key generation and issuance of the Apple Pay Merchant Identity Certificate. This certificate will be used by the merchant to establish HTTPS connections to Apple servers to obtain Apple Pay Session.
- The merchant generates a certificate request, e.g. using the command
openssl req -new -newkey rsa:2048 -nodes -keyout merchant_identity.key -out merchant_identity.csr
- For the Merchant ID created in the previous section, select "Create Certificate" under "Apple Pay Merchant Identity Certificate"
- Upload the merchant_identity.csr file created in the first step
- Download the generated "Apple Pay Merchant Identity Certificate" (a .CER file; merchant_identity.cer is used in the following description)
- The merchant_identity.key and merchant_identity.cer files are set up by the merchant in the e-shop configuration so that they can be used to make HTTPS connections with a client certificate to Apple servers to obtain the Apple Pay Session (see below).
Note: The certificate has a validity period of 25 months, so it will need to be replaced before the validity period expires. The "Apple Pay Merchant Identity Certificate" is used only on the merchant side. The payment gateway does not need it for applepay@shop and does not work with it.
Apple Pay integration into a merchant‘s e-shop
Apple allows integrating Apple Pay into the merchant's e-shop either by using Payment Request API (for iOS 11.3 and higher) or Apple Pay JS (for iOS 10 and higher). The choice of a specific framework is up to the merchant. In case of Payment Request API we recommend implementing Apple Pay JS as a fallback scenario. See detailed information.
An example of Apple Pay JS integration is available at https://applepaydemo.apple.com/, where a detailed description of the Apple Pay JavaScript integration is provided. The merchant must set up the payment parameters (price, cart, accepted cards, etc.) on the e-shop side and must implement two endpoints: one to set up the Apple Pay Session and one to authorize the transaction.
Endpoint implementation for Apple Pay Session initiation
The merchant implements an endpoint on the e-shop side for Apple Pay Session initiation. The merchant executes an HTTPS request to the validationURL obtained from the request (a call to an Apple server, which validates the request and initiates the Apple Pay Session). A client certificate is required to establish this connection (see Apple Pay Merchant Identity Certificate). See also the Apple documentation.
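The session endpoint described above, as an added example (not code from the wiki or the ČSOB gateway): it refuses a validationURL that does not point at an Apple host before presenting the merchant identity key, then performs the client-certificate HTTPS call. The ".apple.com" host allowlist is an assumption to be checked against Apple's current documentation, and the certificate file names assume the merchant_identity.* files from the previous section converted to PEM.

```python
"""Merchant-side Apple Pay Session endpoint helper (added example, not the
gateway's code): checks validationURL, then calls it with the merchant identity cert."""
import json
import ssl
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumption: Apple's merchant validation servers are hosts under apple.com.
# The browser supplies validationURL, so an unchecked value would let a
# tampered page make the shop authenticate with its merchant identity key
# to an arbitrary host.
ALLOWED_SUFFIX = ".apple.com"

def is_valid_validation_url(url: str) -> bool:
    """Accept only https URLs whose host is a subdomain of apple.com."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and host.endswith(ALLOWED_SUFFIX)

def build_session_request(merchant_id: str, display_name: str, domain: str) -> dict:
    """Body of the validation call; field names follow Apple's Apple Pay on the
    Web documentation, 'domain' is the domain verified in the previous section."""
    return {"merchantIdentifier": merchant_id, "displayName": display_name,
            "initiative": "web", "initiativeContext": domain}

def fetch_apple_pay_session(validation_url: str, body: dict,
                            cert_file: str = "merchant_identity.pem",
                            key_file: str = "merchant_identity.key") -> dict:
    """POST to validationURL with the Merchant Identity Certificate as client
    certificate and return Apple's opaque session object for the browser.
    Assumption: the .CER from Apple is DER and was converted to PEM first,
    e.g. openssl x509 -inform der -in merchant_identity.cer -out merchant_identity.pem"""
    if not is_valid_validation_url(validation_url):
        raise ValueError("refusing non-Apple validationURL: %s" % validation_url)
    ctx = ssl.create_default_context()           # verifies Apple's server certificate
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    req = Request(validation_url, data=json.dumps(body).encode("utf-8"),
                  headers={"Content-Type": "application/json"}, method="POST")
    with urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())
```

The returned session object is passed back to the browser unchanged; the merchant never needs to inspect it.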
An endpoint to send an authorization request implementation
The merchant implements an endpoint on the e-shop side through which the authorization request is processed. The received data, in JSON format, has the following structure (the values of individual attributes are shortened for clarity):
{
"paymentData": {
"version": "EC_v1",
"data": "zDwclQ1 ....",
"signature": "MIAGCSqGSI ...",
"header": {
"ephemeralPublicKey": "MFkwEwY ...",
"publicKeyHash": "bHAaZK2k0SM ...",
"transactionId": "5324b499fab7 ..."
}
},
"paymentMethod": {
"displayName": "MasterCard 1234",
"network": "MasterCard",
"type": "debit"
},
"transactionIdentifier": "5324B499F ..."
}
The merchant takes the contents of the paymentData parameter ...
{"version": "EC_v1", "data": "zDwclQ1 ...", "signature": "MIAGCSqGSI ...", "header": {"ephemeralPublicKey": "MFkwEwY ...", "publicKeyHash": "bHAaZK2k0SM ...", "transactionId": "5324b499fab7 ..."}}
... encodes it into Base64 and forwards it to the ČSOB payment gateway. It first calls the applepay/init method (transaction initiation), in which the merchant sends paymentData encoded into Base64 in the payload parameter; see the Apple Pay eAPI methods specification.
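The merchant-side handling described above, as an added example (not code from the wiki or the ČSOB gateway): it checks the envelope of the received paymentData, enforces the "same or lower amount" rule from the purchase information section, and produces the Base64 payload for applepay/init. The sample token is constructed in the shape shown above; the other applepay/init parameters are out of scope here.

```python
"""Merchant-side authorization endpoint helper (added example, not the gateway's
code): validates the Apple Pay token envelope, enforces the PSD2 amount rule and
prepares the Base64 'payload' for applepay/init."""
import base64
import json
from decimal import Decimal

REQUIRED_HEADER = ("ephemeralPublicKey", "publicKeyHash", "transactionId")

# Constructed sample in the shape shown above; values are shortened, not real.
SAMPLE_BROWSER_JSON = json.dumps({
    "paymentData": {"version": "EC_v1", "data": "zDwclQ1", "signature": "MIAGCSqGSI",
                    "header": {"ephemeralPublicKey": "MFkwEwY", "publicKeyHash": "bHAaZK2k0SM",
                               "transactionId": "5324b499fab7"}},
    "paymentMethod": {"displayName": "MasterCard 1234", "network": "MasterCard", "type": "debit"},
    "transactionIdentifier": "5324B499F"})

def check_payment_data(payment_data: dict) -> None:
    """Reject an incomplete envelope before anything is forwarded. The merchant
    cannot decrypt 'data' (only the gateway holds the key), so only the shape is checked."""
    if payment_data.get("version") != "EC_v1":
        raise ValueError("unexpected paymentData.version")
    for key in ("data", "signature", "header"):
        if not payment_data.get(key):
            raise ValueError("paymentData.%s missing" % key)
    missing = [k for k in REQUIRED_HEADER if not payment_data["header"].get(k)]
    if missing:
        raise ValueError("paymentData.header missing: %s" % ", ".join(missing))

def check_amount(authenticated: Decimal, to_authorize: Decimal) -> None:
    """PSD2 SCA rule: the amount sent to the gateway may not exceed the amount
    the customer confirmed in the Apple Pay sheet."""
    if to_authorize > authenticated:
        raise ValueError("amount %s exceeds authenticated amount %s" % (to_authorize, authenticated))

def encode_payload(payment_data: dict) -> str:
    """JSON-serialise paymentData and Base64-encode it for the 'payload' parameter."""
    raw = json.dumps(payment_data, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_payload(payload: str) -> dict:
    """Inverse of encode_payload (the gateway's first step before decrypting)."""
    return json.loads(base64.b64decode(payload))

def prepare_init_payload(browser_json: str, sheet_amount: str, order_amount: str) -> str:
    """Handle one authorization request: parse, validate the envelope, enforce the
    amount rule and return the Base64 payload for applepay/init. Raises ValueError."""
    token = json.loads(browser_json)
    payment_data = token["paymentData"]
    check_payment_data(payment_data)
    check_amount(Decimal(sheet_amount), Decimal(order_amount))
    return encode_payload(payment_data)
```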