Apple Pay allows customers to authenticate card payments using Touch ID or Face ID, eliminating the need to enter card and shipping details manually. It is available on all iOS devices equipped with a Secure Element, a certified chip that securely stores payment information. On macOS, customers can authorize payments using an iPhone, Apple Watch, or a Mac with Touch ID.
When a payment request is made through an app or website, the Secure Element generates an encrypted Apple Pay token containing transaction details. This token allows you to handle decryption on your side or securely transfer transaction details to Solidgate.
Let Solidgate handle decryption
If you are not compliant with PCI DSS, you should use the Solidgate service to decrypt the token. Once the payment is initiated, you receive a token either from your application or website. You need to include its payment data in the Apple Pay API payment request.
For this to work, you need:
- Integration with Solidgate
- Integration with Apple and button configuration:
  - Payment Processing Certificate from the Apple Developer account
Payment flow
- The customer initiates a payment by clicking the Apple Pay button on the checkout page.
- The merchant invokes the Apple Pay button, and Apple handles the customer authorization.
- The Apple Pay Merchant Identity certificate authorizes requests to the Apple Pay API.
- If authorization is successful and the customer confirms the payment, Apple Pay provides the merchant with encrypted card data.
- The merchant sends the encrypted payment data to Solidgate via the Apple Pay API request, setting is_decrypted to false or omitting is_decrypted, to complete the payment.
- Solidgate uses the Apple Pay Payment Processing Certificate to decrypt the data and process the transaction.
For further information about payment parameters, refer to the Apple Pay API method.
Handle decryption on your side
If you are PCI DSS-compliant, you can decrypt Apple Pay tokens on your side. You also need to:
- Have an Apple Pay developer account
- Have an H2H integration
- Follow Apple’s guidelines to decrypt the token
To decrypt Apple Pay tokens, follow the steps on the Apple developer portal. Note that you need to verify the Apple Pay certificate before proceeding to token decryption.
Payment flow
- Use the publicKeyHash value to identify the merchant's public key used by Apple, and retrieve the corresponding public key certificate and private key.
- Restore the symmetric key necessary for decryption.
- Use the symmetric key to decrypt the value of the data key.
- Check that the payment has not already been credited by ensuring no payment with the same transactionId appears as processed.
- Confirm the original transaction details from the Apple Pay payment request.
- Send the payment data to Solidgate via the Apple Pay API by specifying is_decrypted as true.
Setting is_decrypted to true indicates that the data sent is decrypted, and this parameter defines the required fields in the request.
If is_decrypted is true, the request must:
- include the decrypted_data object
- specify type as auth
- exclude data and signature
Additionally, the version parameter becomes optional, and the paymentData object depends on the paymentDataType value, which can be either:
- 3DSecure: for transactions that use 3D Secure authentication.
  - With paymentDataType: 3DSecure, it is highly recommended to provide the eciIndicator value for a better transaction success rate.
- EMV: for EMV chip-based transactions, which require emvData
Example with 3DSecure:
{
  "is_decrypted": true,
  "decrypted_data": {
    "applicationPrimaryAccountNumber": "537421XXXXXX4037",
    "applicationExpirationDate": 270131,
    "currencyCode": 840,
    "transactionAmount": 499,
    "cardholderName": null,
    "deviceManufacturerIdentifier": "050110XXXXXX0273",
    "paymentDataType": "3DSecure",
    "paymentData": {
      "onlinePaymentCryptogram": "MDnQeplHdAB8AXLU5I",
      "eciIndicator": "05"
    },
    "type": "auth"
  }
}
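A pre-send check for the merchant-side flow above, as an added example (not Solidgate's or Apple's code): it claims the transactionId atomically, so a replayed token is rejected even when two requests arrive at once, and then checks the is_decrypted true body against the rules listed on this page. The SQLite table, the function names and the trimmed sample are assumptions; type is read from inside decrypted_data, as in the page's example, and emvData is assumed to sit inside paymentData.

```python
import sqlite3

# Constructed sample: the page's 3DSecure example, trimmed to the checked fields.
SAMPLE = {"is_decrypted": True, "decrypted_data": {
    "paymentDataType": "3DSecure",
    "paymentData": {"onlinePaymentCryptogram": "MDnQeplHdAB8AXLU5I",
                    "eciIndicator": "05"},
    "type": "auth"}}

def open_store():
    """In-memory stand-in for the merchant's payment database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processed (transaction_id TEXT PRIMARY KEY)")
    return db

def claim_transaction(db, transaction_id):
    """Record transactionId; False means it was already processed (replay)."""
    try:
        # PRIMARY KEY makes check-and-insert one step, so concurrent
        # requests with the same token cannot both pass the replay check.
        with db:
            db.execute("INSERT INTO processed VALUES (?)", (transaction_id,))
        return True
    except sqlite3.IntegrityError:
        return False

def check_decrypted_request(req):
    """Return (errors, warnings) for an is_decrypted=true request body."""
    errors, warnings = [], []
    if req.get("is_decrypted") is not True:
        errors.append("is_decrypted must be true")
    for field in ("data", "signature"):  # encrypted-token fields stay out
        if field in req:
            errors.append(f"{field} must be excluded")
    decrypted = req.get("decrypted_data")
    if not isinstance(decrypted, dict):
        return errors + ["decrypted_data object is required"], warnings
    if decrypted.get("type") != "auth":  # placement follows the page's example
        errors.append("type must be auth")
    kind = decrypted.get("paymentDataType")
    payment_data = decrypted.get("paymentData") or {}
    if kind == "3DSecure":
        if not payment_data.get("eciIndicator"):
            warnings.append("eciIndicator is recommended for 3DSecure")
    elif kind == "EMV":
        if not payment_data.get("emvData"):
            errors.append("emvData is required for EMV")
    else:
        errors.append("paymentDataType must be 3DSecure or EMV")
    return errors, warnings
```

Call claim_transaction with the transactionId from the token header before sending the request, and send only when it returns True and check_decrypted_request reports no errors.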