How Does Apple/Google Pay Work?

Doesn’t Apple also have Wallet on Mac though?

@@aame6643 I think so, yes. So they must transmit the token to the Mac, too.

@@aame6643 They may store the encrypted tokens on iCloud to transfer between devices.

Never mind, to use it on Mac you need to verify using the PIN number, which btw is also the case when using Apple Pay on the watch.
So the token definitely isn’t stored on their servers.

Cards that you add directly on device is not added to your Google account. Just recently I've encountered this after wanting to pay online with a card added on my phone and it wasn't in the list.

That is how I would imagine it would work. Private key would be stored in the device, tokens are generated and signed with that key with addition to expiration date and perhaps vendor id so if it stolen it is useless.

Thank you for the questions.
For 1, we don't think the exact token specification is that interesting. The payment token is a proxy for the actual card number, and it is tied to the device. The sensitive part is the mapping from the token to the card number, and it is stored in the token service provider.
For 2 and 3, if you are interested, look up the EMV contactless specification. It uses cryptography to safeguard the token between the card (in this case, the phone emulating the card) and the card issuer. It is similar to how credit card with a chip works. There's quite a bit of complexity. The general idea is roughly the same as what you suggested.

For one, I suspect the DAN in apple is linked to the device, thus only allowing payment requests to be made through that specific device where it is stored whereas in GPay, it's not and stored on the cloud and allows payment from a web based google account as mentioned in comment above ?

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

For clarity, the token is just a normal card number, 16 digits, specific bins, just not the real card.

Apple haters always find a way to desribe shit as a better alternative.

@@TheMrMerudin Let me guess, in the sterile isolated bubble of Apple, they probably marketed the about to be implemented USB Type-C as some sort of revolutionary technology invented by Apple.

@@MetoF50Narliev Let me guess, you never had more than an Apple device at home. Everything connects instantly and easly, if you want to pass a file from your phone to your computer you can just use AirDrop and that's it, or iCloud. On android you need to instal something like whatsapp or telegram or discord, login, and then you can pass something (with limits) on your PC. AirPods work with EVERYTHING: iPhone, iMac, MacBooks and iPads. Calls and messages are synced in every devices, so you always have your stuff with you. Even HomePod is perfectly connected with Apple music and your other devices. AppleWatch transfers fitness information in everything you have so you won't miss anything, even calls or messages. Even the fucking magic mouse is beautifully connected across nearby devices so you don't have to plug and unplug (or buy more) your SAME MOUSE everytime you have to work on stuff.
Sterile? Isolated? Try to do this stuff on Android.

@@TheMrMerudin at what point does one use their brain to get something done then?

@@TheMrMerudin So if I use PC under Windows/Linux than buying IPhone is a mistake 'couse many cool features (that were paid for) will work only with others Apple devices? Sheesh

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

Apple develops their own hardware such as SoC chips and iOS so it is easier for them to make it even secure than Android as there's too many different phone manufacturers using the different type of hardware chips and most of them might not want to spend more times in these for development as the chips are not self-made by the phone manufacturers, rather than made by Qualcomm, MediaTek except Huawei, Google and Samsung phones using their own SoC.

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

Adobe After Effects and Adobe Illustrator.

We cut out an entire section on how the Apple Pay and Google Pay buttons work that would have answered your question.
In short, with the Google Pay button, the Google web server sends the payment token to the web browser, and from the web browser, the token is forwarded to the Payment Service Provider (PSP) for processing.
The Apple Pay button only works in Safari on the Mac. As mentioned in the video, the payment token is only stored in the Secure Element on the phone. Once the phone authorizes the web payment, the payment token is sent from the phone to the apple server securely, the apple server re-encrypts the token with the developer's encryption key before sending it from the apple server to the developer (or their payment processor).

@@ByteByteGo Thats correct. Also just to bring in the ApplePay on the web flavor where you can pay using your MACBOOK(as long as you have the biometric sensor on your MAC)
With Earlier version of ApplePay only your Phone would act as payment source and Apple would create DAN only for your iPhone(6 and Above), with the release of MAC with biometric you can use your MACBOOK as a payment source and now your MACBOOK will have its own DAN.
One thing to notice is ApplePay is only available if you are using SAFARI and not other browser.

Adobe After Effects and Adobe Illustrator. Our editors get all the credit, though. :)

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

@@TheCommunicationCoach File a complaint to the federal trade commission. What do you expect from me dude.

@@DarkGT From you? Nothing. My only goal was to pass on information, and that's done.

@@TheCommunicationCoach Create your own video, make a posts around the social media like Reddit exposing your findings. Hijacking comments won't get you far, I tell you I don't care about your particular problem.

@@DarkGT Like I care any less about you or yours. You want to be spied on and info stolen? GL with that, so stop bothering me.

Do you still need that answered? If so, I might be able to give some insight. From what I've read (doing a lot of that lately), Samsung Pay is kind of a hybrid approach. It still uses Samsung servers, can sync with them (to backup that financial data), but the token is saved on the device (like Apple) by default. It uses the Knox secure enviroment, to keep your details safe. It's why only Samsung devices, have Samsung Pay.

Stores biometrics and other personal AI features. I wanna beleive it also involves in the Google Wallet App

GPay is available for all Android phones, not just Pixel.. and at the moment there isn't a large enough userbase of Pixel phones for Google to consider device specific changes in GPay functioning.

I've commented on it under the video already, but in short - yes, it's used to store GPay tokens. "stored in GPay itself" is a very misleading claim. Phones that have secure enclave use that to store payment tokens.

That's due to a limitation imposed by RBI regarding storing debit card information

Gpay is different in India.

No it doesn't work differently. I'm no expert but I believe IBANs are used specifically for routing funds tranfers to the correct bank and account number, whereas with the concepts in this video the routing is done through the Visa/Mastercard/Amex networks to connect financial institutions at POS - then those respective banks handle account routing internally.

nah it s only walmart and ig a few other stores that don't accept apple pay and that's because they have walmart pay or some shit to collect data from their customers

I think Walmart is an exception. It’s the only store I ever went to which Apple Pay didn’t work with the card terminal

@@SupernovaDragon77 he clearly said it worked for him, even at walmart

Your iPhone literally just mimics your card. So as long as a place accepts NFC *card* payments, you can pay with your iPhone. I’m not sure if Walmart accepts those though as I’m not from the US. What I get from this video is that maybe European cards get handled different by the banks themselves (Walmart might be able to block Apple Pay if a card from an American bank is linked to it). Groetjes uit Luxemburg btw ;^)

A pre-authorization is only valid for 3 weeks (Visa/Master Card) or 7 days (American Express/Discover) if an authorization number obtained by the bank isn't "captured"/offlined/forced by the POS/Terminal the funds are automatically refunded to the card holder after the set time limit has expired. If a payment has been captured and needs to be refunded, generally the sponsor bank will allow for a refund to be preformed as most refunds are made blindly and can be interpreted by the bank's servers. Interestingly enough, while you can close out a pre-authorization amount for a higher amount, you generally cannot recharge a contactless card number. Since a new transaction needs to obtain an authorization number generally the bank will produce a host code 05 decline response if recharged.

@@Coonotafoo So there are problems also with usong the card, wirelessly. Do all these work when you use Google Pay / Samsung Pay / Apple Pay?

​@@FlorinArjocu It's not actually a problem, no. What's stated above just about applies to ALL credit/debit card transactions, not just contactless transactions. About the only difference is that with a regular credit card the business can call the card processor and get the full credit card number and expiration date to rerun it (for example, if one of the employees accidentally undercharges the transaction by X amount.) Otherwise it's pretty much the same process. Plastic card/Apple Pay/Google Pay/Samsung pay, it doesn't matter. About the only card type that doesn't follow these rules are cards numbers that are generated to be ran for a very specific amount. (There's a few exceptions of course, but for 98% of all card transactions this is the case.)

@@Coonotafoo Thank you for the answers. I am curious as I think these phone&online systems use also some virtual cards, so the bank/visa&co. would not know how to pair the virtual card and the actual one. I have no idea how they work.

The phone talks to the POS terminal over NFC. Look up EMV contactless if you would like to learn more.

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

Yes I also was left in wish of this information

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

yes, of course. And a bank could do that too. It's all relying on your trust in these entities to not screw you. One redeeming point is that if Apple or Google faked transactions, they would still appear in your bank statement so you could refute them (which would end up looking really bad for Apple / Google over time and the bank would drop them, crippling their business, so it's really not in their best interest to screw you over.

YES, and here's proof!! GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

Also, could they bypass Visa/Mastercard in the future and if so, how?

Ever heard of reading? You are asking for information which is for people who need to know and you don't need to know, otherwise, you would know it by now.

@@eglintonflats lol okay, who hurt you!

Adobe After Effects and Adobe Illustrator.

I think thats a big difference between apple and google. Apple will NEVER email you asking for information, in this case if it were to happen, you would be prompted with an error forcing you to call them or schedule an appointment to be called back. No information is ever transferred between customer and apple through email. Also, almost everything you do in regards to Apple go through 2FA to ensure its really you using it, so changing addresses and information that be authenticated

Hmm so because you had a issue with Google, it makes their whole customer support bad? Never had issues with the Google support.

They lie and deny all day!! GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!

@@electricz3045 That was only one example. I have couple more, but what's the point. And, by the way, for that example I managed, they only answered 3(!) months later.

@@markus.schiefer Google is a big company with a lot of users who want support so it's obvious that it takes time to answer questions.

You mean a web payment?

@@Hi-db5cd yep, my understanding is that a 3rd party payment gateway needs to be involved

Would it be more secure? Sure, but there’s not a lot of point.
Firstly, the process is plenty encrypted and you’ll rarely see an attack of that type because of it.
Second, issuing a new token every time would take a lot more time at the time of purchase. They use temporary authorizing codes that change between purchases so that covers that potential for intercepting the info for unauthorized additional purchases, like a new cvc code per purchase. That’s the equivalent to why change the entire safe when you could just change the lock.
Third and probably most important, these services need to be able to work offline. If you’re deep in rural country and you need to pay at the corner store which somehow has tap to pay, you can’t be SOL because you don’t have the phone signal to receive a new token. Also if you have a limited data plan, you want to be able to make purchases even if you have your data turned off. All these companies want to get to the point where your digital wallet replaces your physical one, and that can’t happen if you have to rely on having signal to use it. It would be overkill and really inconvenient!

It has nothing to do with blockchain

I think that the token is single-use only, just like rolling codes are on garage doors.

VISA token service started only 2014. So Wallet couldn't use it yet. 🤷‍♂

@@tamaskiss6379 yet, people still could use Google Wallet to pay via NFC 😉

That was called Google Wallet back then.

We deal in cold hard cash.

Google Pay stores the payment token in the wallet app on the device and communicates over NFC with the POS terminal using Host Card Emulation. It does not require an internet connection.

@@ByteByteGo thank you very much for the enlightenment!

They don’t, not in the same way. If you aren’t accessing the site on an apple device using safari, then that button won’t appear for Apple Pay at all. From there, you can only use Apple Pay on devices that have a Secure Enclave with iPhone, iPad, and Apple Watch which it’s been a while so most in the wild apple devices have one. For Macs that have Secure Enclave, it works the same way. With Macs before 2012 that don’t, it will send the payment request to your iPhone or Apple Watch which will process the transaction for the Mac once you authenticate with FaceID or whatever. If you add a card to your apple wallet, it doesn’t automatically sync to your other devices. When setting up, it’ll ask if you want to add to your Apple Watch too and if you say yes, it will run the process to add it to your Apple Watch separate from the iPhone’s wallet add. If you want to add the card to your Mac, you do that locally on the Mac. The purpose is that none of this information is stored in the cloud or communicated without your permission, it’s all local on the respective Secure Enclave.

Ithink the secure enclave is a part of the M-series chips found in Mac and some iPad models. They may not be related necessarily, but probably some of the secure element development techniques can be found in the M-series

@@Kamroks455 No no. The Secure Enclave Processor (SEP) predates the M-series chips by at least 6 years. The SEP has been the cornerstone of the Apple Pay system architecture since day one.

@@Kamroks455 By the way, not only is the SEP its own distinct chip that long predates the M-series chips but it runs its own proprietary OS literally called sepOS. And I’ve since independently confirmed that it is definitely Secure Enclave and NOT Secure Element. Apple Patent US8832465B2.

@@robertholtz I think you have a slight misunderstanding throwing you off. Most Apple mobile device has a secure element. Apple has called it the Secure Enclave. Pixel 6 devices have a secure element. Google calls it the Tensor Security Core. It’s the vague terminology. A secure element is a chip that is by design protected against unauthorized access and is limited to storing and utilizing sensitive data, like biometrics. He’s talking about the Secure Enclave but it’s a secure element, so he’s not wrong. You’re right too though, it is the Secure Enclave.

I can't find you

The guy literally said it is similar just it differs with how they store your token.

Yes, the phone hands the token off to the POS terminal over NFC.
There are two contactless standards currently used.
EMV contactless is newer and more advanced. It uses something called "cryptogram" to safeguard the information.
MSD contactless mimics a magnetic card. It is slightly better than straight magnetic card because the CVV is dynamically generated.
Look up EMV and MSD contactless if you would like to learn more.

@@ByteByteGo thanks , the question is here is not safety of transmission of token, but trust to vendor that they would not store the token, any reasonable security system would not transmit it such security element to a third party, the general practice is generate something temporary and add a trust mechanism in this case would be by signing it with the private key provided by payment provider. Basically oauth 2 or Jsonweb token concept.

As we mentioned in the previous reply, we encouraged you to look up EMV contactless specification if you want to learn more about how it secures the payment token and its associated information. The idea is very similar to what you are talking about.

@@ByteByteGo The detail about EMV cryptograms is totally glossed over in the video but I feel it's important to why EMV is more secure than legacy magstripe payments.
During device provisioning, the device receives in addition to the DAN some cryptographic keys that are used to encrypt the data sent over NFC to the terminal. During a transaction, the cryptogram sent from the device to the terminal includes the DAN and a unique transaction identifier provided by the terminal. In addition to protecting the confidentiality of the DAN, this prevents replay attacks if a malicious actor intercepted the NFC transmission, since the cryptogram will not be able to be used for a different transaction in the future. This is a key benefit of EMV over legacy magnetic stripe card payments which were highly susceptible to "skimmers": since the data on the magstripe was static, a copy of it could be used for future fraudulent transactions without the original card being present.
The video implies that only the DAN is sent from the device to the POS terminal. If this were the case, the same sort of replay attack that's possible with magstripe cards would also be possible with EMV chip cards and digital wallets.

GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!