Apple Pay is a mobile payment system that lets iPhone users pay for goods and services using Touch ID. Instead of entering or confirming payment card information (credit or debit card) every time they make a purchase, users can authorize payment for items securely by touching the Home button. It is important to note that during an Apple Pay transaction, payment card information never leaves the user's phone; this information is stored securely in the device. Instead, a payment token stores all the information you need to process the payment all the way from authorization to settlement (that is, when the user's funds are transferred to your merchant bank account).
Using Apple Pay, you do not have to store your customers' payment card information on your servers. This helps reduce your customers' misgivings about paying for goods within your app; they trust that their payment card information is secure in their devices. You benefit by not having to deal with payment card information at all, at least not for Apple Pay-based transactions. (When a user's device does not support Apple Pay, or the user has not yet added payment cards to the device, you may have to process payment using regular means, which may involve capturing and storing payment card information.)
Although you are freed from storing payment card details on your systems, you still have to deal with processing the payments, either directly or through a payment gateway. In either case, you need to get an Apple Pay merchant identifier and certificate to decrypt the payment token that Apple Pay creates with a transaction's payment information. To use Apple Pay in your app, you need to enable the Apple Pay capability in your project, which requires the Apple Pay merchant identifier.
This chapter describes how online payments work, online payments being a web-centric version of the traditional Electronic Draft Capture (EDC) system used to process credit card transactions. You will also learn the basics of the Apple Pay payment workflow, starting with displaying the Apple Pay button when Apple Pay is available on the user's device, presenting the Apple Pay payment sheet, and processing the transaction on your servers.
This chapter will do the following:
Provide an overview of the online payment process
Introduce the Apple Pay payment workflow
Show you how to create an Apple Pay merchant identifier and certificate
Describe how to turn on the Apple Pay capability for an app in Xcode
Customers usually carry payment cards (debit or credit cards) in purses or wallets, which they use to pay for goods and services. When a cardholder pays a merchant with a payment card, the merchant usually uses a payment gateway to process the payment. A payment gateway is an e-commerce service that authorizes payment card-based transactions. The payment gateway performs several tasks to process the transaction, but it's its main task is the encryption of payment card information before submitting the transaction for authorization to a payment processor. A payment processor interacts with the bank that issued the customer's card (known as the issuing bank or issuer) that ultimately authorizes or declines the transaction. The payment processor may be implemented by the payment gateway, a third party, or the merchant. A merchant would implement a custom payment processor to, for example, integrate with a custom inventory and ordering system.
Merchants that do not manage inventory may deal only with a payment gateway. Payment gateways provide libraries or frameworks that apps can link to. When processing a payment, the app hands off a payment token to the library, which processes the payment and returns the result (authorized or declined) to the app. The gateway performs all the tasks necessary to authorize the transaction and transfer the payment amount from the card issuer to the merchant's acquiring bank. The acquiring bank (also known as the acquirer) is the bank that receives the cardholder's payments and credits them to the merchant's bank account (which is a special type of account used to receive payment from payment cards, also known as a merchant account).
Merchants that need to integrate with custom ordering and inventory management systems need a more hands-on approach to payment processing. This is the scenario discussed in this book.
In a successful authorization, an authorization hold is placed on the customer's card, reserving the funds that finance the transaction. Later, the merchant consumes or settles the transaction to transfer the funds from the customer's card into the merchant's account.
The following steps describe the authorization process:
The payment gateway then forwards the authorization request to the payment processor.
The payment processor forwards the authorization request to the appropriate payment card association (Visa, MasterCard, American Express, Discover, and so on).
The card association forwards the authorization request to the issuing bank, which ultimately approves or declines the transaction. Some card associations, such as Discover and American Express, are also issuing banks.
The issuing bank receives the authorization request from the payment processor and sends its response (authorized or declined) to the payment processor. The issuing bank then holds a transaction authorization or authorization hold that links the merchant, payment card, and amount approved (the funds are reserved but not debited from the cardholder's account).
The payment processor forwards the issuing bank's response to the payment gateway.
The payment gateway, in turn, forwards the response to the merchant, who relays the information to the cardholder.
Either immediately, or at the end of the day, the merchant starts the settlement process to receive the funds. This process is similar to the procedure used to request the payment authorization; however, instead of authorizing the transaction, the issuing bank moves the authorization hold to a debit and prepares the transaction for settlement with the acquiring bank:
The merchant submits the approved authorization to its acquiring bank through the payment processor.
The acquiring bank makes a settlement request to the issuing bank.
The issuing bank makes a settlement payment to the acquiring bank.
The acquiring bank deposits the approved amount into the merchant's bank account.
This is an overview of the payment workflow:
When a user reaches a screen in your app that lets the user purchase something, the app should present the Apple Pay button (if the user can use Apple Pay on the device) so that the user can tap the button, verify the purchase details, and authorize the app through Touch ID to complete the order and charge the order amount to the appropriate payment card. Deciding whether the user can use Apple Pay involves two steps:
Determining whether the device supports Apple Pay
Determining whether the user has added payment cards that you support to the device
If the user can use Apple Pay, your app prepares a payment request. A payment request is an object that describes the items to charge for, the card associations that you support, and billing and shipping information.
The main components of a payment request are payment summary items, which describe the payment request to the user. A payment summary item represents a component of the transaction, such as the subtotal, a discount, shipping cost, tax, and the grand total. Each item has a label that describes what each amount means. The last item is the most important because it identifies the payee and the debit amount that the user will see in the next payment card statement. Therefore, this item should have your company's name as its label.
In addition to the payment summary items, your app sets properties of the payment request that describe which card associations and online payment protocols you support. Your app must support at least the 3D Secure protocol. The EMV (Europay, MasterCard, and Visa) protocol is optional.
The payment request also lets you indicate that you want the user to specify particular order details, such as shipping or billing information. For example, you may require an e-mail or postal address.
If your ordering system requires additional information, such as the order number, you can include this information in the payment request as custom application data. Apple Pay includes a hash of this information in the payment token you receive when the user authorizes the payment. If your ordering system requires this information later, your app must be able to provide it separately.
Once your app creates the payment request and the user taps the Apple Pay button, the app presents a payment sheet to the user. The payment sheet (formally known as the payment authorization view controller) presents the payment summary items in the payment request to the user for review. The user can change aspects of the order before authorizing payment. The user may also decide not to purchase the goods and cancel the transaction.
Your app implements a delegate of the payment sheet to respond to the user's actions by, for example, updating the order shipping cost and grand total when the user chooses a different shipping method.
When the user authorizes the payment request with Touch ID, Apple Pay interacts with the device's secure element (the chip that securely stores payment card details on the device, details that not even Apple has access to) and Apple's servers to generate a one-time-use payment token. The payment information describes the payment transaction and contains all the information needed to charge the payment amount to the user's payment card (but this does not contain card numbers).
When the payment sheet tells its delegate that the user has authorized the payment request and sends the user the payment information, the delegate calls a synchronous method that forwards the payment information to your payment gateway. When the method returns, it provides the delegate with the result of the payment request. If the payment request is approved, the payment sheet displays a confirmation to the user that the transaction is approved and informs its delegate. The delegate then dismisses the payment sheet and displays a custom confirmation screen; such a screen may display the order number and a thank you message. If the payment request is not approved, the delegate must display an appropriate screen and ask the user for another form of payment.
For your app to be able to use Apple Pay, you must have an Apple merchant identifier and merchant certificate. Apple uses the certificate to encrypt payment information in the payment token. Your payment gateway (Stripe, Worldpay, and so on) uses the certificate to decrypt information in the payment token.
In Member Center, click on Certificates, Identifiers & Profiles.
Under iOS Apps, click on Identifiers.
Under Identifiers, click on Merchant IDs.
Click on Continue (if this is your first merchant identifier) or on the plus sign (+) button in the upper-right corner of the page.
Enter a description for the merchant identifier in the Description field, for example
MerchantApp merchant identifier.
Enter the identifier string in the ID field, for example
Click on Continue and then click on Register.
Click on Done.
Request an Apple Pay certificate from your payment gateway by performing the following:
Now, follow these steps to create your app merchant certificate in Member Center:
In the Certificates, Identifiers & Profiles page, under iOS Apps, under Certificates, click on All.
Then, select Apple Pay Certificate and click on Continue.
Under Which Merchant ID would you like to use?, select the appropriate merchant identifier and click on Continue.
Under Generate your certificate, click on Choose File.
Choose the CSR file you obtained from your payment gateway.
Next, click on Generate and then click on Download to download your app merchant certificate to your Mac.
Upload your app merchant certificate to your payment gateway via the following steps:
First, open your project in Xcode.
Select the target that builds the app to open the target editor.
Then, click on Capabilities.
Find the Apple Pay capability and toggle the corresponding switch to its on position.
In the dialog that appears, select the appropriate development team, and click on Choose.
In this chapter, you learned about the online payment process followed by merchants to obtain card-based payments. The chapter introduced general online payment concepts to describe how an app uses Apple Pay to perform a similar function but more securely. Finally, you learned how to create the Apple Pay merchant identifier and merchant certificate to enable Apple Pay payment in your apps.
The next chapter focuses on the payment request workflow, where you present the Apple Pay button when Apple Pay is available on the device, create the payment request, and present the payment sheet based on that request.