Request special Entitlement and Whitelist from Apple: The issuer must request the Entitlement and Whitelist for their application by sending the specific information to apple-pay-provisioning@apple.com.
Along with the confirmation about granting the entitlement the issuers should receive from Apple a set of documents which should guide them in their application UX and functional design. It is essential to review those documents early in the project to avoid any rework of the issuer's integration.
Configuring the Entitlement in Apple Developer Website: The issuer must configure Entitlement in Apple Developer Website to get aproval to use In-App Provisioning Service.
Configuring the Entitlement in Xcode: The issuer must configure Entitlement in Xcode to declare that the app whants to use In-App Provisioning Service.
Configure necessary settings on the TSP system according to Apple Pay's requirements, paying close attention to the associatedApplicationIdentifiers.
Onboarding: The Thales integrator provides the Thales D1 Onboarding Form to gather all necessary configuration parameters to connect to D1, including Connectivity, Keys, D1 Services Configuration, and Card Products.
The issuers are required to open a project with TSP(s) (Visa/Mastercard) for their push provisioning integration projects. This activity is recommended to be initiated in parallel to the onboarding with Thales.
Connectivity: The APIs exposed by D1 require TLS mutual authentication for all API calls, necessitating explicit setup for both pre-production and production environments with a client certificate signed by Thales CA.
Backend authorisation: Incoming D1 APIs are secured by OAuth JWT Bearer Credentials Flow, where your backend sends a signed JWT to obtain a D1 access token for accessing D1 APIs.
Data encryption: Sensitive information exchanged with the D1 backend must be encrypted using the standard JWE format with specific algorithms and the recipient's EC public key.
Batch Registration: D1 offers a service to execute certain operations (such as consumer & card registration) in batch mode using batch files uploaded via SFTP.
Binary Integration: The issuer must integrate the D1 SDK binary into its application project.
SDK Initialisation: The issuer app must initialize the D1 SDK before it could call its APIs.
User Authentication: The issuer application must provide a proof of the end user authentication before it could consume D1 services.
Check Card State in Apple Pay Wallet: The issuer app must check the card's digitization state in the Apple Pay wallet using the d1Task.cardDigitizationState() API to determine the next action.
Pushing Card to Apple Pay Wallet: When the user taps "Add to Apple Pay", invoke the d1Task.addDigitalCardToOEM() API to tokenize the card.
Apple Wallet Extensions: Card issuers with an iOS mobile banking app must support Wallet Extensions to enable card issuer mobile app customers to provision new cards directly from the iOS Wallet app for all eligible Apple iOS devices.
The issuer is required to test their integration using first Apple Pay sandbox mode.
If issuers face errors in their tests they are required to first consult common errors before reporting the problem to Thales.
Last updated
Was this helpful?
Was this helpful?