Decrypting Apple Pay tokens

Learn about Apple Pay network-based tokenisation and the available decryption methods.


Apple Pay enhances transaction security through network-based tokenisation. By replacing sensitive payment information with unique tokens, generated by the payment network or scheme, Apple Pay offers a secure and convenient payment experience for customers using their Apple devices.

To ensure a smooth payment experience, explore the available decryption methods. These methods allow you to securely retrieve and process the tokenised payment data.


Prerequisites

Your certificate and decryption requirements depend on the integration method you use:

  • Web Payment Form (WPF): emerchantpay manages the Apple Pay configuration and payment token decryption. You don’t need to generate or upload a .p12 file for this hosted flow.
  • Server-to-server integration: To send encrypted Apple Pay tokens to emerchantpay for decryption, you need a valid .p12 certificate. For more information, see Generate a .p12 file for Apple Pay.

Decryption methods

There are three decryption methods to consider, each offering varying degrees of convenience and control. Understanding these decryption approaches will help you determine the most suitable option for your specific needs and preferences.

  • Decryption through emerchantpay’s Web Payment Form
  • emerchantpay decryption
  • Merchant decryption

Decryption through emerchantpay’s Web Payment Form

Decrypting through emerchantpay’s Web Payment Form provides the simplest Apple Pay setup. With this method, you don’t need to create an Apple Developer account and Apple Pay certificates, upload a .p12 file. emerchantpay hosts the payment page, manages the Apple Pay configuration, and decrypts the Apple Pay payment token for processing. However, using this decryption method comes with reduced independence and customisation options.

emerchantpay decryption

When using emerchantpay’s decryption service, you retain control over managing your payment page and making direct requests to Apple. You send the transaction results to emerchantpay for decryption and processing, relieving you of the responsibility of decrypting the payment tokens yourself.

Example of passing a request:

<payment_transaction>
<transaction_id>***</transaction_id>
<usage>***</usage>
<description>***</description>
<remote_ip>***</remote_ip>
<amount>10714</amount>
<currency>EUR</currency>
<customer_email>***</customer_email>
<customer_phone>***</customer_phone>
<notification_url>***</notification_url>
<return_success_url>***</return_success_url>
<return_failure_url>***</return_failure_url>
<billing_address>
<first_name>John</first_name>
<last_name>Smith</last_name>
<address1>45 North Str</address1>
<zip_code>W1T 2QS</zip_code>
<city>London</city>
<country>UK</country>
</billing_address>
<transaction_type>apple_pay</transaction_type>
<payment_subtype>sale</payment_subtype>
<payment_token>{“paymentData”:{“signature”:”MIAGCSqGSIb3DQEHAqCAMIACAQExDTALBglghkgBZQMEAgEwgAYJKoZIhvcNAQcBAACggDCCA+MwggOIoAMCAQICCEwwQUlRnVQ2MAoGCCqGSM49BAMCMHoxLjAsBgNVBAMMJUFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0xOTA1MTgwMTMyNTdaFw0yNDA1MTYwMTMyNTdaMF8xJTAjBgNVBAMMHGVjYy1zbXAtYnJva2VyLXNpZ25fVUM0LVBST0QxFDASBgNVBAsMC2lPUyBTeXN0ZW1zMRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMIVd+3r1seyIY9o3XCQoSGNx7C9bywoPYRgldlK9KVBG4NCDtgR80B+gzMfHFTD9+syINa61dTv9JKJiT58DxOjggIRMIICDTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCPyScRPk+TvJ+bE9ihsP6K7\/S5LMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuYXBwbGUuY29tL29jc3AwNC1hcHBsZWFpY2EzMDIwggEdBgNVHSAEggEUMIIBEDCCAQwGCSqGSIb3Y2QFATCB\/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cDovL3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuYXBwbGUuY29tL2FwcGxlYWljYTMuY3JsMB0GA1UdDgQWBBSUV9tv1XSBhomJdi9+V4UH55tYJDAOBgNVHQ8BAf8EBAMCB4AwDwYJKoZIhvdjZAYdBAIFADAKBggqhkjOPQQDAgNJADBGAiEAvglXH+ceHnNbVeWvrLTHL+tEXzAYUiLHJRACth69b1UCIQDRizUKXdbdbrF0YDWxHrLOh8+j5q9svYOAiQ3ILN2qYzCCAu4wggJ1oAMCAQICCEltL786mNqXMAoGCCqGSM49BAMCMGcxGzAZBgNVBAMMEkFwcGxlIFJvb3QgQ0EgLSBHMzEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE0MDUwNjIzNDYzMFoXDTI5MDUwNjIzNDYzMFowejEuMCwGA1UEAwwlQXBwbGUgQXBwbGljYXRpb24gSW50ZWdyYXRpb24gQ0EgLSBHMzEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8BcRhBnXZIXVGl4lgQd26ICi7957rk3gjfxLk+EzVtVmWzWuItCXdg0iTnu6CP12F86Iy3a7ZnC+yOgphP9URaOB9zCB9DBGBggrBgEFBQcBAQQ6MDgwNgYIKwYBBQUHMAGGKmh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDQtYXBwbGVyb290Y2FnMzAdBgNVHQ4EFgQUI\/JJxE+T5O8n5sT2KGw\/orv9LkswDwYDVR0TAQH\/BAUwAwEB\/zAfBgNVHSMEGDAWgBS7sN6hWDOImqSKmd6+veuv2sskqzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmFwcGxlLmNvbS9hcHBsZXJvb3RjYWczLmNybDAOBgNVHQ8BAf8EBAMCAQYwEAYKKoZIhvdjZAYCDgQCBQAwCgYIKoZIzj0EAwIDZwAwZAIwOs9yg1EWmbGG+zXDVspiv\/QX7dkPdU2ijr7xnIFeQreJ+Jj3m1mfmNVBDY+d6cL+AjAyLdVEIbCjBXdsXfM4O5Bn\/Rd8LCFtlk\/GcmmCEm9U+Hp9G5nLmwmJIWEGmQ8Jkh0AADGCAYgwggGEAgEBMIGGMHoxLjAsBgNVBAMMJUFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUwIITDBBSVGdVDYwCwYJYIZIAWUDBAIBoIGTMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIzMDQxMTE2NTUwNFowKAYJKoZIhvcNAQk0MRswGTALBglghkgBZQMEAgGhCgYIKoZIzj0EAwIwLwYJKoZIhvcNAQkEMSIEIIt8HtiZPlAqbJ9FFi6tw3+AjQnGDUgas1i1nRpS+Ci7MAoGCCqGSM49BAMCBEcwRQIgFXDNiN9n2hnrmAi6SC+XH4Al+ksy59hpSCKCV9fJcXUCIQDhcWZ9VyUBOISHje6BKaIOWVMeUQiP18ODTvd13qkBDgAAAAAAAA==”,”header”:{“transactionId”:”91a7ecae8c2f7ad36e1b262a9ff836a421a83e1241f2f36646cdceb91caf75d8″,”ephemeralPublicKey”:”MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECeCKHApBVFCNX5BtRF9JnWS2YmNBVrONB2XQKdMp7i2\/eQ\/MU5uzjoD1p8SoLHn7uptvSi5snDuCSDHCJIIH0g==”,”publicKeyHash”:”vIP5spRB7yo3vSNP+szKCvOCnn2BQYQBuNhUGvsdmCY=”},”data”:”EyaclYTgqXSIDf8SGPuhihKUwakvu54J7AD7v5fT3Nt6r0Qv+qRS08G3I7olAY4NPA+AHrtDtSMarlwzVZCqi9kWxMSKYamnrAQyuWJcg2njG2NUW29CXdk9Jxufx3+zvI+jbhiZfS6xtrwrdwV+9hb+EqvzQtQq0bYQ+wdQtEUIr\/SsSWX7rXg6CsetGE8Z0fcWFQoqxoICNSyLdI6yiHhX5+VszgrUohJ2id2g7dES0nQVmzbnFNbCQ2r8Br6liJ4zn6sGHYKN\/mXIZX1OuW8I3urRD8xXU3GXS2xCYlFejHZGaKM8czz6oZiT16PscWMDbKoxZTnRfzeLkPP1b0SNr87OSsf1IbSzgzrBo0YBDD16eBMdrO4PxAoc0wTJRZnTE1L+EA78bI0cUn4F7X0hOhjEsDg9i4zPUhQ8Xt6V”,”version”:”EC_v1″},”paymentMethod”:{“network”:”Visa”,”type”:”debit”,”displayName”:”Visa 0279″},”transactionIdentifier”:”91a7ecae8c2f7ad36e1b262a9ff836a421a83e1241f2f36646cdceb91caf75d8″}</payment_token>
<return_pending_url>***</return_pending_url>
</payment_transaction>

Example of a Success response:

<payment_response>
<transaction_type>apple_pay</transaction_type>
<status>approved</status>
<crypto>true</crypto>
<cvv_result_code> </cvv_result_code>
<authorization_code>274760</authorization_code>
<scheme_response_code>00</scheme_response_code>
<unique_id>cc7857dbb22892e03abe833e7733c3ca</unique_id>
<transaction_id>dab15c49-95d3-46d6-87d9-8027c468a2ca</transaction_id>
…
<amount>10714</amount>
<currency>EUR</currency>
<threeds>
<eci>05</eci>
</threeds>
<sent_to_acquirer>true</sent_to_acquirer>
</payment_response>

Merchant decryption

You can also choose to handle the decryption process yourself. You decrypt the payment tokens and send the transaction elements to emerchantpay. Instead of specifying apple_pay as the transaction_type and providing a payment_token, you must flag the transactions as scheme-tokenised.

This approach depends on your specific integration and it allows you to have direct control over the decryption process. You may choose to decrypt the payment tokens yourself for greater control, customisation, and adherence to specific security or compliance requirements.

To use this method, you must:

Example of passing a request:

<payment_transaction xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=”http://www.w3.org/2001/XMLSchema”>
<transaction_type>sale3d</transaction_type>
<transaction_id>***</transaction_id>
<remote_ip>***</remote_ip>
<amount>49000</amount>
<currency>EUR</currency>
<card_holder>John Smith</card_holder>
<card_number>513659…8108</card_number>
<expiration_month>xxx</expiration_month>
<expiration_year>xxx</expiration_year>
<cvv>xxx</cvv>
<customer_email>jsmith@example.com</customer_email>
<customer_phone>***</customer_phone>
<billing_address>
<first_name>John</first_name>
<last_name>Smith</last_name>
<address1>45 North Str</address1>
<zip_code>W1T 2QS</zip_code>
<city>London</city>
<country>UK</country>
</billing_address>
<mpi_params>
<eci>02</eci>
<cavv>kBNCQdOyR7+gC0TewtJQZZeBXA+c</cavv>
<protocol_version>2</protocol_version>
</mpi_params>
<scheme_tokenized xsi:nil=”true”/>
<crypto>false</crypto>
</payment_transaction>

Example of a Success response:

<payment_response>
<transaction_type>sale3d</transaction_type>
<status>approved</status>
<cvv_result_code>M</cvv_result_code>
<authorization_code>428352</authorization_code>
<retrieval_reference_number>310709004106</retrieval_reference_number>
<scheme_response_code>00</scheme_response_code>
<unique_id>3994cd30195e79bf984e24557f2d865e</unique_id>
<transaction_id>z629tVws</transaction_id>
<response_code>00</response_code>
<mode>live</mode>
<timestamp>2023-04-17T09:15:49Z</timestamp>
<descriptor>***</descriptor>
<amount>49000</amount>
<currency>EUR</currency>
<threeds>
<eci>02</eci>
</threeds>
<sent_to_acquirer>true</sent_to_acquirer>
<scheme_transaction_identifier>MCSGVSHD8</scheme_transaction_identifier>
<scheme_settlement_date>0417</scheme_settlement_date>
</payment_response>