📊 Diagram: Apple Wallet Case Study

🔗 Link to Original Paper/Article

📝 Short Description

These diagrams represent the main functionalities of the Apple Pay architecture: one covers the enrollment of a credit/debit card in Apple Pay as conducted by a cardholder, and the other illustrates the process of paying with the phone at a contactless device. The diagrams and explanations have been taken from the above source.

🔤 Abbreviations

  • POS: Point Of Sale
  • NFC: Near Field Communication
  • OTP: One-Time Payment (token)
  • PAN: Primary Account Number

📖 Extensive Description (if possible)

Although a more complete and thorough description can be found step-by-step in the source above, here are the explanations for the most important components of the diagram.

The first part covers the enrollment process. It starts with the Cardholder and User Identification nodes, which handle the authentication process. Then comes one of the main nodes of the diagram, Apple Wallet. This node receives the card_information (such as name, cvv, expiration date, etc.) and forwards it to the Check_Card node which, if the card information is correct, forwards it to the Apple Server. This node then carries out the signing of the terms_and_conditions with the Cardholder. Once they are accepted, the Apple Server sends the id of the terms and conditions together with the card's CVV to the Link And Provision node, which forwards the device_information (e.g. device model, phone number, approx. location) to the Issuer Bank. When this process is finished, the Download Pass File node sends a pass_file (which represents the card in the app) to the Apple Wallet node, which then passes the card information to the Apple Pay App to end the process.

In the part covering the contactless payment, the Terminal App node first sends the payment_data to the NFC Reader App node, which resides in the POS. This node forwards it to the NFC Controller node, which in turn forwards it to the Apple Pay App. The Apple Pay App then sends the transaction_information to the Apple Wallet node in exchange for the card_information. After the previously mentioned authentication process between Cardholder and User Identification, the Apple Pay App sends the otp to the NFC Controller. This token is forwarded through a series of nodes (NFC Reader App, Terminal App and Payment Processor) until it ends up at the Token Service. This node determines the pan using the otp and sends it to the Payment Processor, which forwards it together with the transaction details and cvv of the card to the Payment Network. This node finally sends this information to the Issuer Bank as an authorization_request. After the Issuer Bank authorizes the payment, it sends an authorization_response to the Terminal App of the device of the Cardholder through a series of nodes (Payment Network, Payment Processor).

🏷️ Label description

  • 🗂️ Data Labels:

    • CardholderStatus:

      • Authenticated: Cardholder has been correctly authenticated
      • Authorized: Cardholder has been correctly authorized
    • CardInformation:

      • Name: Name of the cardholder
      • Number: Number of the card
      • ExpirationDate: Expiration date of the card
      • CVV: CVV code of the card
    • TermsConditions:

      • Accepted: Signed terms & conditions
      • Normal: Terms & conditions before being accepted
      • Id: Identifier of the terms & conditions
    • DeviceInfomation:

      • Model: Model of the cardholder's phone
      • PhoneNumber: Phone number of the cardholder
      • Location: Coarse location of the device
    • PassFile:

      • PassFile: Pass file which represents the card in the Wallet App
    • PaymentData:

      • Amount: Amount of money paid in the transaction
      • Token: Payment token
      • Location: Location where the payment has taken place
      • Others: Other extra information from the payment
      • Authorization: Payment's authorization
    • Tokens:

      • OTP: One-Time Payment Token
      • PAN: Primary Account Number
    • RequestTypes:

      • Authentication: Request for an authentication
      • Authorization: Request for an authorization
  • 🏷️ Node Labels:

    • Secure:

      • Enclave: This node belongs to a secure enclave
      • Element: This node is a secured element
    • Location:

      • PointOfSale: This node resides in the POS
      • CardholderDevice: This node resides in the cardholder's device
    • Module:

      • TerminalApp: This node is part of the Terminal App component
      • AppleServer: This node is part of the Apple Server component

⚠️ Constraints

  • The Authentication and Authorization Request types should never flow to a node which is not in a secured enclave

    1. Auth_request: data RequestTypes.Authentication,RequestTypes.Authorization neverFlows vertex !Secure.Enclave
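
The following is an added example, not code from the original page or from the analysis tool: a small Python checker that parses the Auth_request constraint line above and evaluates it over a data flow graph. It handles only this one constraint form; the node labels, the forwarding set and the flows (including the misrouted one) are constructed sample data and assumptions, not the real model.

```python
import re

# Constraint line as written on this page.
CONSTRAINT = ("data RequestTypes.Authentication,RequestTypes.Authorization "
              "neverFlows vertex !Secure.Enclave")

# Constructed sample graph (assumptions, not the real model).
NODE_LABELS = {"User Identification": {"Secure.Enclave"}}
FORWARDING = {"NFC Controller"}  # nodes assumed to pass on everything they receive
FLOWS = [  # (source, target, data labels emitted by the source)
    ("Cardholder", "User Identification", {"RequestTypes.Authentication"}),
    ("User Identification", "Apple Pay App", {"CardholderStatus.Authenticated"}),
    ("Apple Pay App", "NFC Controller", {"Tokens.OTP"}),
    ("NFC Controller", "NFC Reader App", set()),
]
# Constructed misrouting: an authorization request sent past the enclave.
BAD_FLOWS = FLOWS + [("Cardholder", "NFC Controller", {"RequestTypes.Authorization"})]

def parse_constraint(text):
    """Parse 'data A,B neverFlows vertex [!]Label'; other forms are rejected."""
    m = re.fullmatch(r"data\s+(\S+)\s+neverFlows\s+vertex\s+(!?)(\S+)", text.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {text!r}")
    return set(m.group(1).split(",")), m.group(3), m.group(2) == "!"

def arriving_data(flows, forwarding):
    """Fixed-point propagation: which data labels can reach each node."""
    seen, changed = {}, True
    while changed:
        changed = False
        for src, dst, labels in flows:
            out = set(labels) | (seen.get(src, set()) if src in forwarding else set())
            have = seen.setdefault(dst, set())
            if not out <= have:
                have |= out
                changed = True
    return seen

def violations(constraint, node_labels, flows, forwarding):
    """Return sorted (node, data label) pairs that break the constraint."""
    data, vertex_label, negated = parse_constraint(constraint)
    found = []
    for node, arrived in arriving_data(flows, forwarding).items():
        has_label = vertex_label in node_labels.get(node, set())
        if has_label != negated:  # '!Label' targets nodes lacking the label
            found += [(node, d) for d in arrived & data]
    return sorted(found)

if __name__ == "__main__":
    print(violations(CONSTRAINT, NODE_LABELS, FLOWS, FORWARDING))      # compliant
    print(violations(CONSTRAINT, NODE_LABELS, BAD_FLOWS, FORWARDING))  # misrouted
```

The misrouted flow is reported twice because the forwarding node passes the request on to its successor, so a single bad edge taints every node downstream of it.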

🚨 Violations

  • None