HCE-based contactless transactions for payment apps in the EEA - Support (2024)

iOS17.4 introduces new APIs for developers to support contactless payment transactions from within their banking or wallet apps using host card emulation (HCE). Users based in the European Economic Area (EEA) with an iPhone running iOS17.4 or later can initiate in-person payment transactions from a banking or wallet app at compatible NFC terminals or mobile devices that accept contactless payments. HCE apps, which are software-based solutions, can be more susceptible to attack vectors whereby payment transaction tokens and other sensitive financial data may be compromised, including through exposure to untrusted and potentially malicious entities.

To help protect user privacy and security on iPhone, developers who want to build HCE payment capabilities into their banking or wallet app using these APIs will need to apply for the HCE Payments Entitlement. This ensures that only authorized app developers who meet certain industry and regulatory requirements, and commit to ongoing security and privacy standards can access these APIs.

How it works

  • NFC payments. Users of participating third-party banking or wallet apps can initiate NFC transactions from within the app with compatible NFC terminals.
  • Default app settings. Users can choose any eligible app as their default contactless payments app which will enable the app to support Field detect and Double-click features.
  • Field detect. The default contactless payments app automatically launches when the user places the device in the presence of a compatible NFC terminal and after user authentication (if the iPhone is locked).
  • Double-click. The default contactless payments app automatically launches when the user double-clicks the side button (for FaceID devices) or the Home button (for Touch ID) and after user authentication (if the iPhone is locked).
  • Payment support for non-default apps. Eligible apps running in the foreground can prevent the system default contactless app from launching and interfering with the payment.

Requesting the HCE Payments Entitlement

If you’d like your banking or wallet app to support in-store NFC payments within the EEA, you’ll need the HCE Payments Entitlement. This entitlement ensures that the developer requesting access to the APIs will adhere to certain industry and regulatory requirements — such as being licensed to offer payment services in the EEA, conforming to industry security standards (for example, Payment Card Industry Data Security Standards and EMVCo), have valid agreements with an authorized payment service provider, have network certifications in apps they integrate these capabilities with, and commit to ongoing security and privacy standards to access and use these capabilities.

To get started, submit the entitlement request form. You’ll need to be an Account Holder in the Apple Developer Program, provide the additional details listed below, and agree to the entitlement’s terms and conditions.

To qualify for the entitlement, you must meet the eligibility criteria including:

  • Be licensed to provide payment services in the EEA or plan to work with licensed entities to offer payment services in the EEA
  • Support in-store NFC payments use cases
  • Provide capabilities only to users based in the EEA
  • Follow the HCE requirements and experience guidelines below

You’ll need to provide the following details with your submission request. Please make sure your request is as complete as possible to avoid delays.

See Also
Payment Gateway: Alles, was du über Online-Bezahlsysteme wissen solltest | acquisa

App name. Enter your app’s name, then describe its primary purpose and how it works.

Bundle ID. Enter the bundle ID (the app’s unique identifier) that you plan to use. Entitlement requests are per bundle ID and assigned entitlements can only be used with the single binary associated with the bundle ID.

Specify intended use: Describe how your app will use the entitlement.

List RID prefixes: Enter a list of Registered Application Provider Identifiers (RIDs) associated with your app.

Providing an HCE payment experience within your app

Requirements

  • Your app must be for iOS users in eligible EEA markets.
  • Your app must have the ability to support ISO 14443-4 and ISO 7816-4 commands in order to communicate with the NFC terminal.
  • You must have a license to offer payment services in the EEA or have a valid and binding agreement with a payment service provider (PSP) that’s licensed or authorized to offer payment services in the EEA.
  • You must meet all the security standards and privacy requirements that apply to the processing of personal data in the EEA and to the HCE Payment Application and their business, including security standards published by the PCI DSS and EMVCo, GDPR, or other applicable national law.
  • You must maintain (or have in place before the HCE Payments Entitlement is granted) appropriate written policies and procedures for:
    1. The processing of personal data, including disclosure to third parties, and
    2. The disclosure, processing, and remediation of potential vulnerabilities in their HCE Payment Application and back-end HCE infrastructure, and will have in place a process to promptly and without undue delay notify Apple of any actively exploited vulnerability in the HCE Payment Application or HCE back-end infrastructure or of any Security incident.

Design guidelines

Display the in-app NFC presentment sheet

Eligible iOS apps running on supported iPhone models can use the proposed solution to present an eligible credential to a compatible near-field communication (NFC) terminal. In the iOS app, you can invoke an NFC presentment sheet with customizable text whenever users are about to make a contactless transaction.

Use familiar terminology and provide brief instructional text

NFC may be unfamiliar to some people. To make it approachable, avoid referring to technical, developer-oriented terms like NFC, Core NFC, near-field communication, etc. Instead, use friendly, conversational terms that most people will understand. For example:

UseDon’t use
Hold your iPhone near the [object name] to make a payment.To use NFC payments, tap your phone to the [object name].

HCE-based contactless transactions for payment apps in the EEA - Support (1)

Presentment Intent Assertion

In order to enable a seamless payment experience, eligible app developers can prevent the system default contactless app from launching and interfering with the payment.

You can acquire a presentment intent assertion to suppress the default contactless app when the user expresses an active intent to perform an NFC transaction, like choosing a payment credential or activating the presentment UI. You can only invoke the intent assertion capability when your app is in the foreground.

The intent assertion expires if any of the following occur:

  • The intent assertion object deinitializes
  • Your app goes into the background
  • 15 seconds elapse

After the intent assertion expires, your app will need to wait 15 seconds before acquiring a new intent assertion.

Important: Use of the intent assertion API outside of payment intent, or other abuse of this API, is against Apple policy and could result in removal from the AppStore.

Only show the in-app NFC presentment sheet for eligible devices and users

Before presenting the NFC presentment sheet for contactless payments, we recommend using the isEligible iOSAPI to validate eligibility for contactless payment experiences. If isEligible returns False, don’t invoke the presentment sheet.

Distinguish this solution from Apple Pay and Apple Wallet

The HCE-based solution is independent of Apple Pay and Apple Wallet, so to avoid any customer confusion between Apple Pay and this solution, it’s essential to distinguish the presentment experience when leveraging this solution. Avoid displaying an Apple Pay or Apple Wallet mark in the payment button that launches the in-app NFC presentment sheet for HCE payments.

Configuring and enabling the entitlement inXcode

Once you receive an email confirmation that the entitlement was assigned to your account and you’ve configured the app ID in Certificates, Identifiers & Profiles to support this entitlement, you’ll need to update your Xcode project, entitlements plist file, and Info.plist file to list the entitlement and metadata. The entitlement is compatible with iOS17.4 and later on iPhone.

HCE-based contactless transactions for payment apps in the EEA - Support (2)

  1. In the Project navigator, select the .entitlements file.
  2. In the entitlements plist file, add a new entitlement key pair by holding the pointer over the Entitlements File row and clicking the add button (+).
  3. Provide the following values for this entitlement:
    1. Key: com.apple.developer.nfc.hce
      1. Type: BOOL
      2. Value: TRUE/FALSE
    2. Key: com.apple.developer.nfc.hce.iso7816.select-identifier-prefixes
      1. Type: Array of String
      2. Value: A list of RIDs associated with the payment applications intended to be used with the iOSapp.
      3. Examples:
        1. 325041592E5359532E4444463031 - PPSE
        2. A0000000032020 - Visa
        3. A0000000042010 - Mastercard
    3. Key: com.apple.developer.nfc.hce.default-contactless-app
      1. Type: BOOL
      2. Value: TRUE/FALSE

On the next build to your device or distribution request in Xcode Organizer, Xcode will detect that the .entitlements file and cached provisioning profile don’t match, and will request a new provisioning profile based on the latest app ID configuration to complete the code signing process.

Documentation and resources

  • AppStore Review Guidelines
  • Developer agreements
  • Performing ISO 7816-4 based communication with a NFC reader

I'm an expert in iOS development and mobile payment technologies, with hands-on experience in developing apps for the Apple ecosystem. My expertise spans various aspects of iOS app development, including leveraging APIs, ensuring security and privacy standards compliance, and configuring entitlements in Xcode.

In the provided article about iOS 17.4 introducing new APIs for contactless payment transactions, several key concepts are discussed. Let's break down the information and elaborate on each concept:

  1. Host Card Emulation (HCE):

    • Host Card Emulation (HCE) allows mobile devices to emulate payment cards for contactless transactions without requiring access to a secure element.
    • HCE enables users to initiate in-person payment transactions from banking or wallet apps at compatible NFC terminals or mobile devices.

  2. APIs for HCE Support:

    • iOS 17.4 introduces new APIs for developers to integrate HCE-based contactless payment capabilities into their banking or wallet apps.
    • These APIs enable developers to securely handle payment transaction tokens and sensitive financial data within their apps.

  3. HCE Payments Entitlement:

    • Developers need to apply for the HCE Payments Entitlement to access and use these APIs.
    • The entitlement ensures that only authorized developers meeting industry and regulatory requirements can integrate HCE payment capabilities into their apps.

  4. Default App Settings:

    • Users can choose an eligible app as their default contactless payments app, enabling features like Field detect and Double-click for initiating transactions.

  5. Presentment Intent Assertion:

    • Developers can use presentment intent assertion to prevent the default contactless app from interfering with transactions when the user expresses an active intent to perform an NFC transaction.

  6. Configuring Entitlements in Xcode:

    • Developers need to configure entitlements in Xcode by updating the entitlements plist file and Info.plist file with specific values and metadata related to NFC HCE support.

  7. Eligibility Criteria for Entitlement:

    • Developers must meet eligibility criteria, including being licensed to provide payment services in the EEA, supporting in-store NFC payments, and adhering to security and privacy standards.

  8. Security and Privacy Requirements:

    • Developers must meet security standards like PCI DSS and EMVCo, comply with GDPR and other applicable laws, and have policies for handling personal data and security incidents.

  9. Documentation and Resources:

    • Additional documentation and resources are provided for developers, including App Store Review Guidelines, developer agreements, and guides for performing ISO 7816-4 based communication with NFC readers.

This breakdown covers the main concepts discussed in the article, providing insights into the new features introduced in iOS 17.4 for supporting contactless payments via HCE.

HCE-based contactless transactions for payment apps in the EEA - Support (2024)
Top Articles
Easy Gluten-Free Wonton Wrappers (+ Wonton Soup Recipe)
14 Amazing Recipes With Caputo Fioreglut Gluten-Free Flour
Pet Pancreatic Supplements Market Analysis: Competitive Landscape, Growth Factors, Revenue
718 Spyder Orderer/Owner Thread - PFF
Latest Posts
Hot cross buns – Paul Hollywood’s recipe
Polish Pierogies: Step-By-Step Recipe with Photographs
Article information

Author: Arielle Torp

Last Updated:

Views: 6066

Rating: 4 / 5 (61 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Arielle Torp

Birthday: 1997-09-20

Address: 87313 Erdman Vista, North Dustinborough, WA 37563

Phone: +97216742823598

Job: Central Technology Officer

Hobby: Taekwondo, Macrame, Foreign language learning, Kite flying, Cooking, Skiing, Computer programming

Introduction: My name is Arielle Torp, I am a comfortable, kind, zealous, lovely, jolly, colorful, adventurous person who loves writing and wants to share my knowledge and understanding with you.