4

How can I decrypt PKPaymentToken (Apple Pay Payment Token), in iOS (using Objective-C or Swift)?

It's recommended to decrypt the payment token at the server end (ideally done by the payment processor), but what if I want to decrypt the payment token data on the client side (iOS end)?

Mustafa

2 Answers

8

Don't do this. It is a terrible idea. To decrypt the payment token requires your private key. You would have to embed this key into your app, which would allow anyone to take it and decrypt your payments. You should never decrypt the payment data on device for this reason.

Instead, store the private key securely on your servers and decrypt there, or see if your payment processor offers direct support for Apple Pay token decryption.

lxt
  • Not going to do it in a production environment. I just want to check HOW we can do it on the client end. Thanks for the warning though. – Mustafa May 31 '16 at 13:08
  • The decryption process is documented, so if you're familiar with CommonCrypto or OpenSSL you should be able to implement it. But again, don't do it on the client, even for testing. It's a terrible idea. – lxt Jun 04 '16 at 05:43
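The publicly documented process lxt refers to, implemented server-side where the answer says the merchant private key belongs, as an added example that is not part of either answer. It assumes the `cryptography` package and constructs its own merchant key, merchant ID and sample token; a real token also carries a signature to verify against Apple's root CA, which is skipped here.

```python
"""Server-side decryption of an Apple Pay EC_v1 token, following Apple's published
Payment Token Format Reference (ECDH -> SP 800-56A KDF -> AES-256-GCM).  No real token
is available here, so a merchant key and a sample token are constructed inline."""
import base64, hashlib, json
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def apple_pay_kdf(shared_secret: bytes, merchant_id: str) -> bytes:
    """SP 800-56A single-step KDF as Apple specifies it:
    SHA-256(counter || Z || AlgorithmID || PartyUInfo || PartyVInfo)."""
    other_info = (bytes([0x0D]) + b"id-aes256-GCM"      # length byte + algorithm name
                  + b"Apple"                            # PartyUInfo
                  + hashlib.sha256(merchant_id.encode()).digest())  # PartyVInfo: hash of merchant ID
    return hashlib.sha256(b"\x00\x00\x00\x01" + shared_secret + other_info).digest()


def decrypt_token(token: dict, merchant_key: ec.EllipticCurvePrivateKey, merchant_id: str) -> dict:
    """Recover the payment JSON. The signature check against Apple's root CA that
    precedes this step in the real flow is omitted in this example."""
    eph_der = base64.b64decode(token["header"]["ephemeralPublicKey"])  # X.509 SubjectPublicKeyInfo
    eph_pub = serialization.load_der_public_key(eph_der)
    key = apple_pay_kdf(merchant_key.exchange(ec.ECDH(), eph_pub), merchant_id)
    data = base64.b64decode(token["data"])              # ciphertext || 16-byte GCM tag
    return json.loads(AESGCM(key).decrypt(b"\x00" * 16, data, None))  # zero IV, no AAD


def build_sample_token(merchant_pub: ec.EllipticCurvePublicKey, merchant_id: str, payment: dict) -> dict:
    """Constructed stand-in for the token Apple Pay would hand the app (no signature)."""
    eph = ec.generate_private_key(ec.SECP256R1())
    key = apple_pay_kdf(eph.exchange(ec.ECDH(), merchant_pub), merchant_id)
    data = AESGCM(key).encrypt(b"\x00" * 16, json.dumps(payment).encode(), None)
    eph_der = eph.public_key().public_bytes(serialization.Encoding.DER,
                                            serialization.PublicFormat.SubjectPublicKeyInfo)
    return {"version": "EC_v1", "data": base64.b64encode(data).decode(),
            "header": {"ephemeralPublicKey": base64.b64encode(eph_der).decode()}}


# Constructed fixtures: the merchant key stands in for the Payment Processing certificate's key.
MERCHANT_ID = "merchant.com.example"
MERCHANT_KEY = ec.generate_private_key(ec.SECP256R1())
SAMPLE_PAYMENT = {"applicationPrimaryAccountNumber": "4111111111111111",  # constructed DPAN
                  "currencyCode": "840", "transactionAmount": 100,
                  "paymentData": {"onlinePaymentCryptogram": "constructed"}}
SAMPLE_TOKEN = build_sample_token(MERCHANT_KEY.public_key(), MERCHANT_ID, SAMPLE_PAYMENT)


def demo() -> dict:
    """Round-trip: decrypt the constructed token with the merchant's private key."""
    return decrypt_token(SAMPLE_TOKEN, MERCHANT_KEY, MERCHANT_ID)
```

A wrong merchant ID derives a different AES key, so GCM tag verification fails and nothing is returned; that is the property that ties the token to the merchant certificate.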
-1

The process used to decrypt an Apple Pay payload is confidential and Apple only releases it to select payment gateway / processor partners. The private key you have for your merchant certificate to enable Apple Pay is used as part of this process but it is not the sole component and there is a complex series of steps to actually receive a card number (3-D Secure) usable for processing.

I would recommend signing up for a developer account at a place like Stripe and using their sandbox environment to test processing of encrypted Apple Pay payloads. Stripe's merchant tools will then expose redacted card info and other authorization details you may find helpful.

Matt Bishop
    This is incorrect. The process is publicly documented here: https://developer.apple.com/library/ios/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html - you can decrypt a token and receive a token (which is the card number) and the cryptogram. You then pass these to your payment processor who runs them over the 3DS rails, as you allude to. – lxt Jun 04 '16 at 05:42
  • See http://stackoverflow.com/a/37620790. There are deliberate reasons why this is desired to be a secure online solution. – Matt Bishop Jun 06 '16 at 11:13