Tap to Pay on iPhone security
With Tap to Pay on iPhone and a supported payment app, merchants can accept all types of in-person, contactless payments right on their iPhone—from physical debit and credit cards to Apple Pay and other digital wallets. No extra payment terminals, readers, or hardware needed.
Tap to Pay on iPhone uses the built-in security and privacy features of iPhone to help protect the business and customer data. Apple doesn’t store card numbers on Apple servers. Tap to Pay on iPhone doesn’t collect transaction information that can be tied back to the payer. Payment card data such as Credit/Debit Card Number (PAN) is secured by the Secure Element and isn’t visible to the acceptance device. Apple only gives access to the payment card data to the merchant’s Payment Service Provider. In addition, the Tap to Pay on iPhone doesn’t collect payer’s names, addresses or phone numbers.
Note: Encrypted card numbers are temporarily stored on iPhone only for transactions made in Store and Forward mode.
Tap to Pay on iPhone has been evaluated by an accredited security laboratory and approved for use by all accepted payment networks in the territories it’s available. On an iPhone with iOS 18.4 or later, Tap to Pay on iPhone is a PCI MPoC validated solution, and listed on the PCI website.
Contactless payment component security
Secure Element: The Secure Element hosts the payment acceptance applets and kernel configurations which read and secure the contactless payment card data.
NFC Controller: The NFC controller handles Near Field Communication protocols and routes communication between the Application Processor and the Secure Element, and between the Secure Element and the contactless payment card.
Tap to Pay on iPhone servers: The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Mobile Payments on COTS (MPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.
How Tap to Pay on iPhone reads credit, debit, and prepaid cards
Provisioning security overview
Upon first use of Tap to Pay on iPhone using a sufficiently entitled app, the Tap to Pay on iPhone server determines whether the device meets the eligibility criteria such as Device Model, iOS version, and whether a passcode has been set. After this verification is complete, the payment acceptance applets are downloaded from the Tap to Pay on iPhone server and installed on the Secure Element, along with the associated kernel configurations. This operation is performed securely between the Tap to Pay on iPhone servers and the Secure Element. The Secure Element validates the integrity and authenticity of this data prior to installation.
Card read security overview
When a Tap to Pay on iPhone app requests a card read from the ProximityReader framework, a sheet—controlled by iOS—is displayed and prompts the user to tap a payment card. iOS initializes the Payment Card Reader and then requests the payment kernels in the Secure Element to initiate a card read.
At this point, the Secure Element assumes control of the NFC controller in Reader Mode. This mode allows card data to be exchanged only between the payment card and the Secure Element through the NFC controller.
After the payment acceptance applet on the Secure Element has completed the payment card read, it encrypts and signs the payment card data. The payment card data remains encrypted and authenticated until it reaches the Payment Service Provider. Only the Payment Service Provider used by the app to request the card read can decrypt the payment card data. The Payment Service Provider must request the payment card data decryption key from the Tap to Pay on iPhone server. The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was performed within 60 seconds of the request for the payment card data decryption key.
This model helps ensure that the payment card data cannot be decrypted by anyone other than the Payment Service Provider, which processes this transaction for the merchant.
Store and Forward Mode
To support use cases with limited connectivity, Tap to Pay on iPhone can be configured to run in Store and Forward mode. This allows Tap to Pay on iPhone to read and encrypt payment card data while not connected to the internet. For Store and Forward transactions the Payment Service Provider may request the payment card data decryption key for up to 14 days after the card was read. With encryption on the Secure Element, Tap to Pay on iPhone is designed to protect the integrity and confidentiality of the payment card data while it is temporarily stored on iPhone. PIN entry isn’t supported for Store and Forward transactions.
Card PIN entry security overview
PIN entry allows the payer to enter their PIN on the acceptance device to authorize the transaction. The PIN entry screen may be initiated immediately after the tap based on the information exchanged with the payment card. Alternatively, the Payment Service Provider can initiate the PIN screen by providing a signed token, which is valid for one specific transaction only.
The PIN entry mechanism has been evaluated by an accredited security laboratory and is approved for use by all accepted payment networks in the territories where it’s available. Tap to Pay on iPhone is designed to prevent all photo, video, screenshot and screen-recording features from capturing PIN information.
The PIN digits entered are securely captured by the Secure Element. Using these PIN digits, the Secure Element creates a payment industry standard compliant encrypted PIN block. To decrypt the PIN block, the Payment Service Provider must request the PIN block decryption key from the Tap to Pay on iPhone server.
The PIN value is:
Never available to the merchant on their acceptance device.
Never decrypted by Apple.
Never stored by Apple.
Securing the merchant device during PIN entry
During the PIN entry process, the device will be facing the payer, and may be held away from the merchant. To ensure the protection of the merchant device and data, the merchant has the option to enable the Tap to Pay on iPhone Screen Lock setting. This option is found in the settings for each App that supports Tap to Pay on iPhone. Enabling this option will lock the merchant’s device while showing the PIN entry screen. After the payer enters their card PIN, the merchant will need to perform a Face ID, Touch ID or Passcode unlock to further operate the device, ensuring the payer cannot access the merchant’s device.