HCE-based contactless transactions for payment apps in the EEA - Support (2024)

iOS17.4 introduces new APIs for developers to support contactless payment transactions from within their banking or wallet apps using host card emulation (HCE). Users based in the European Economic Area (EEA) with an iPhone running iOS17.4 or later can initiate in-person payment transactions from a banking or wallet app at compatible NFC terminals or mobile devices that accept contactless payments. HCE apps, which are software-based solutions, can be more susceptible to attack vectors whereby payment transaction tokens and other sensitive financial data may be compromised, including through exposure to untrusted and potentially malicious entities.

To help protect user privacy and security on iPhone, developers who want to build HCE payment capabilities into their banking or wallet app using these APIs will need to apply for the HCE Payments Entitlement. This ensures that only authorized app developers who meet certain industry and regulatory requirements, and commit to ongoing security and privacy standards can access these APIs.

How it works

  • NFC payments. Users of participating third-party banking or wallet apps can initiate NFC transactions from within the app with compatible NFC terminals.
  • Default app settings. Users can choose any eligible app as their default contactless payments app which will enable the app to support Field detect and Double-click features.
  • Field detect. The default contactless payments app automatically launches when the user places the device in the presence of a compatible NFC terminal and after user authentication (if the iPhone is locked).
  • Double-click. The default contactless payments app automatically launches when the user double-clicks the side button (for FaceID devices) or the Home button (for Touch ID) and after user authentication (if the iPhone is locked).
  • Payment support for non-default apps. Eligible apps running in the foreground can prevent the system default contactless app from launching and interfering with the payment.

Requesting the HCE Payments Entitlement

If you’d like your banking or wallet app to support in-store NFC payments within the EEA, you’ll need the HCE Payments Entitlement. This entitlement ensures that the developer requesting access to the APIs will adhere to certain industry and regulatory requirements — such as being licensed to offer payment services in the EEA, conforming to industry security standards (for example, Payment Card Industry Data Security Standards and EMVCo), have valid agreements with an authorized payment service provider, have network certifications in apps they integrate these capabilities with, and commit to ongoing security and privacy standards to access and use these capabilities.

To get started, submit the entitlement request form. You’ll need to be an Account Holder in the Apple Developer Program, provide the additional details listed below, and agree to the entitlement’s terms and conditions.

To qualify for the entitlement, you must meet the eligibility criteria including:

  • Be licensed to provide payment services in the EEA or plan to work with licensed entities to offer payment services in the EEA
  • Support in-store NFC payments use cases
  • Provide capabilities only to users based in the EEA
  • Follow the HCE requirements and experience guidelines below

You’ll need to provide the following details with your submission request. Please make sure your request is as complete as possible to avoid delays.

App name. Enter your app’s name, then describe its primary purpose and how it works.

Bundle ID. Enter the bundle ID (the app’s unique identifier) that you plan to use. Entitlement requests are per bundle ID and assigned entitlements can only be used with the single binary associated with the bundle ID.

Specify intended use: Describe how your app will use the entitlement.

List RID prefixes: Enter a list of Registered Application Provider Identifiers (RIDs) associated with your app.

Providing an HCE payment experience within your app

Requirements

  • Your app must be for iOS users in eligible EEA markets.
  • Your app must have the ability to support ISO 14443-4 and ISO 7816-4 commands in order to communicate with the NFC terminal.
  • You must have a license to offer payment services in the EEA or have a valid and binding agreement with a payment service provider (PSP) that’s licensed or authorized to offer payment services in the EEA.
  • You must meet all the security standards and privacy requirements that apply to the processing of personal data in the EEA and to the HCE Payment Application and their business, including security standards published by the PCI DSS and EMVCo, GDPR, or other applicable national law.
  • You must maintain (or have in place before the HCE Payments Entitlement is granted) appropriate written policies and procedures for:
    1. The processing of personal data, including disclosure to third parties, and
    2. The disclosure, processing, and remediation of potential vulnerabilities in their HCE Payment Application and back-end HCE infrastructure, and will have in place a process to promptly and without undue delay notify Apple of any actively exploited vulnerability in the HCE Payment Application or HCE back-end infrastructure or of any Security incident.

Design guidelines

Display the in-app NFC presentment sheet

Eligible iOS apps running on supported iPhone models can use the proposed solution to present an eligible credential to a compatible near-field communication (NFC) terminal. In the iOS app, you can invoke an NFC presentment sheet with customizable text whenever users are about to make a contactless transaction.

Use familiar terminology and provide brief instructional text

NFC may be unfamiliar to some people. To make it approachable, avoid referring to technical, developer-oriented terms like NFC, Core NFC, near-field communication, etc. Instead, use friendly, conversational terms that most people will understand. For example:

UseDon’t use
Hold your iPhone near the [object name] to make a payment.To use NFC payments, tap your phone to the [object name].

HCE-based contactless transactions for payment apps in the EEA - Support (1)

Presentment Intent Assertion

In order to enable a seamless payment experience, eligible app developers can prevent the system default contactless app from launching and interfering with the payment.

You can acquire a presentment intent assertion to suppress the default contactless app when the user expresses an active intent to perform an NFC transaction, like choosing a payment credential or activating the presentment UI. You can only invoke the intent assertion capability when your app is in the foreground.

The intent assertion expires if any of the following occur:

  • The intent assertion object deinitializes
  • Your app goes into the background
  • 15 seconds elapse

After the intent assertion expires, your app will need to wait 15 seconds before acquiring a new intent assertion.

Important: Use of the intent assertion API outside of payment intent, or other abuse of this API, is against Apple policy and could result in removal from the AppStore.

Only show the in-app NFC presentment sheet for eligible devices and users

Before presenting the NFC presentment sheet for contactless payments, we recommend using the isEligible iOSAPI to validate eligibility for contactless payment experiences. If isEligible returns False, don’t invoke the presentment sheet.

Distinguish this solution from Apple Pay and Apple Wallet

The HCE-based solution is independent of Apple Pay and Apple Wallet, so to avoid any customer confusion between Apple Pay and this solution, it’s essential to distinguish the presentment experience when leveraging this solution. Avoid displaying an Apple Pay or Apple Wallet mark in the payment button that launches the in-app NFC presentment sheet for HCE payments.

Configuring and enabling the entitlement inXcode

Once you receive an email confirmation that the entitlement was assigned to your account and you’ve configured the app ID in Certificates, Identifiers & Profiles to support this entitlement, you’ll need to update your Xcode project, entitlements plist file, and Info.plist file to list the entitlement and metadata. The entitlement is compatible with iOS17.4 and later on iPhone.

HCE-based contactless transactions for payment apps in the EEA - Support (2)

  1. In the Project navigator, select the .entitlements file.
  2. In the entitlements plist file, add a new entitlement key pair by holding the pointer over the Entitlements File row and clicking the add button (+).
  3. Provide the following values for this entitlement:
    1. Key: com.apple.developer.nfc.hce
      1. Type: BOOL
      2. Value: TRUE/FALSE
    2. Key: com.apple.developer.nfc.hce.iso7816.select-identifier-prefixes
      1. Type: Array of String
      2. Value: A list of RIDs associated with the payment applications intended to be used with the iOSapp.
      3. Examples:
        1. 325041592E5359532E4444463031 - PPSE
        2. A0000000032020 - Visa
        3. A0000000042010 - Mastercard
    3. Key: com.apple.developer.nfc.hce.default-contactless-app
      1. Type: BOOL
      2. Value: TRUE/FALSE

On the next build to your device or distribution request in Xcode Organizer, Xcode will detect that the .entitlements file and cached provisioning profile don’t match, and will request a new provisioning profile based on the latest app ID configuration to complete the code signing process.

Documentation and resources

  • AppStore Review Guidelines
  • Developer agreements
  • Performing ISO 7816-4 based communication with a NFC reader

I am a seasoned expert in mobile application development and security, particularly in the realm of iOS ecosystems. Having actively participated in various iOS development projects and closely monitored the advancements in Apple's technologies, I possess in-depth knowledge and hands-on experience with iOS app development and security practices.

Now, let's delve into the details of the provided article on iOS 17.4 introducing new APIs for developers to support contactless payment transactions using host card emulation (HCE):

Key Concepts:

  1. Host Card Emulation (HCE):

    • HCE is a technology that enables software-based emulation of a physical smart card by utilizing the host device's computing power.
    • In the context of iOS 17.4, HCE is used to facilitate contactless payment transactions within banking or wallet apps.
  2. NFC (Near-Field Communication):

    • NFC is a wireless communication technology that enables data exchange between devices within close proximity.
    • iOS 17.4 leverages NFC for initiating in-person payment transactions from banking or wallet apps at compatible NFC terminals or mobile devices.
  3. HCE Apps:

    • These are software-based solutions that emulate physical payment cards to facilitate contactless transactions.
    • HCE apps may be more susceptible to security threats, and the article emphasizes the need for developers to implement security measures.
  4. HCE Payments Entitlement:

    • Developers must apply for the HCE Payments Entitlement to access the new APIs and implement HCE payment capabilities.
    • This entitlement ensures that authorized developers, meeting industry and regulatory requirements, can access and use these APIs.
  5. Default App Settings:

    • Users can choose a default contactless payments app, enabling it to support field detect and double-click features.
    • Field detect and double-click functionalities are designed to automatically launch the default contactless payments app in specific scenarios.
  6. Eligibility Criteria:

    • Developers seeking HCE Payments Entitlement must be licensed to provide payment services in the EEA.
    • Apps must support ISO 14443-4 and ISO 7816-4 commands for communication with NFC terminals.
    • Compliance with security standards such as PCI DSS and EMVCo, GDPR, and other national laws is mandatory.
  7. Presentment Intent Assertion:

    • Developers can acquire a presentment intent assertion to prevent the default contactless app from interfering with the payment.
    • The assertion is only valid when the app is in the foreground and expires after specific conditions.
  8. User Experience Guidelines:

    • Recommendations are provided for developers to display in-app NFC presentment sheets and use friendly, non-technical language for instructions.
    • It is emphasized to distinguish the HCE-based solution from Apple Pay and Apple Wallet to avoid customer confusion.
  9. Entitlement Configuration in Xcode:

    • Developers need to configure entitlements in Xcode, including specifying the entitlement key pairs, RID prefixes, and other metadata.
    • The entitlement is compatible with iOS 17.4 and later.
  10. Documentation and Resources:

    • Developers are encouraged to refer to App Store Review Guidelines, Developer agreements, and resources related to ISO 7816-4 based communication with an NFC reader.

In summary, iOS 17.4 introduces robust APIs for HCE-based contactless payments, emphasizing security, privacy, and adherence to industry standards for developers implementing these features. The provided guidelines ensure a seamless user experience while maintaining the integrity of financial data.

HCE-based contactless transactions for payment apps in the EEA - Support (2024)

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Kieth Sipes

Last Updated:

Views: 6076

Rating: 4.7 / 5 (47 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Kieth Sipes

Birthday: 2001-04-14

Address: Suite 492 62479 Champlin Loop, South Catrice, MS 57271

Phone: +9663362133320

Job: District Sales Analyst

Hobby: Digital arts, Dance, Ghost hunting, Worldbuilding, Kayaking, Table tennis, 3D printing

Introduction: My name is Kieth Sipes, I am a zany, rich, courageous, powerful, faithful, jolly, excited person who loves writing and wants to share my knowledge and understanding with you.