1

If I understand correctly: Apple Pay, Android Pay and NFC-enabled credit cards can all be accessed using APDU commands via NFC according to the EMV standard.

I want to use information from this data exchange to associate the device/card with some persistent server-side information, typically a check-in/check-out scenario.

The NFC Tag ID is randomized on most devices, making this obvious approach unusable.

I am NOT trying to take payment, only use an unique identifier that does not change over time. It is also important that the identifier is unique per device, so that the same credit card registered on two phones does not appear to be identical.

Reading about the use of temporary tokens makes we wonder if this is at all possible on the phones due to the one-time tokenization employed. Apple creates a Device Account Number that is unique for a device, but this is supposedly not shared with the Point Of Sale. But still, travellers can use EMV Cards as well as Apple Pay to check in/out on the London underground, this is not possible without reading the same identifier twice.

So my question is what information can I use to read a persistent unique token that works across all EMV mediums?

Extra bonus points for some information on the APDU commands used for reading this information or thoughts on the security aspects of using this token as an non-cloneable identifier (can offline PIN verification be used?).

The following threads could not provide an answer:

Serials on NFC Tags - truly unique? cloneable?

Create Token With Apple Pay Without Payment

Community
  • 1
  • 1
Karl Ivar Dahl
  • 1,023
  • 2
  • 11
  • 23

2 Answers2

2

I think you might be getting a bit confused around how Apple Pay works - it's just a regular EMV contactless card payment with a device specific card number/token instead of the actual token. The uniqueness comes from the EMV cryptogram. The public Apple Security Whitepaper details this: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

lxt
  • 31,146
  • 5
  • 78
  • 83
  • I was led to believe that the card number/token was one-time only, but if I understand you correctly, the reported "temporary" card number will be unchanged for a single physical device across multiple transactions? – Karl Ivar Dahl Aug 01 '16 at 10:52
  • Yes - the card number is unchanged for a single physical device, but the cryptogram that's associated with that card number (and required to process the charge) is dynamic and changes per transaction. – lxt Aug 01 '16 at 16:02
2

Apple Pay Contactless payment scenario is a sub-part of Visa PayWave specification. During the card(or Apple Pay device)-to-terminal interaction Card(or Apple Pay device) generate ARQC cryptogram which, together with other transaction details, needs to be validated by Acquirer host.

Nothing actually new invented here. Apple Pay is just method to provide Card data and Transaction Cryptogram (TC) via Apple devices. The same or at least similar scenario as for usual PayWave Contactless-EMV card.

The Apple Pay UK and US profiles and test scenarios now covered by Visa PayWave Test Procedures (VpTP).

iso8583.info support
  • 2,130
  • 14
  • 18
  • Yes, but in this exchange, what can be used as a persistent identifier? If I understand correctly, the ARQC submitted by the card is basically an encrypted random number that is provided(unencrypted) by the POS. By decrypting it on the POS again, it can be used to authenticate the card (if I too know the key). It must surely change for each interaction. Is the card key diversified so that if I always send the same random number to the card the resulting ARQC can be used as an unique identifier? – Karl Ivar Dahl Aug 01 '16 at 11:16
  • 2
    Card number (PAN) is the persistent identifier. Apple Pay transfer card PAN to the Terminal and to the next authorisation authorities. In live potentially can be several cards with same PAN, in this case Issuer Bank must change Card PAN Sequence Number to understand which exactly physical card(device) used. ARQC is not "random" value. It is cryptogram based on a transaction details and card data. ARQC is the synonym of digital signature like SHA/MD5 in SW development. I would suggest you to open EMV specifications to clear a bit the Tags and its Values used during data exchange. – iso8583.info support Aug 01 '16 at 18:20