1.15. Apple Pay Web

Introduction

Apple Pay is an electronic wallet system that allows Payer to make one-click payment using a card token issued together with Apple and Issuer bank. There is no need to enter card details during Apple Pay transaction. Access to this payment mechanism is possible from any device, which supports Apple Pay. After choosing Apple Pay payment method, the payer will see the form on which he confirms his Apple account and card he is going to use to pay for order. If payer doesn’t have a previously registered card, he may do it while making payment.

See terms definitions in Glossary.

If accepting payments occurs on the Gumballpay payment page, no additional integration with Apple is required from the Connecting Party.
To use Apple Pay on the Gumballpay payment page, do the following:
  1. Enable Apple Pay on the payment page template by adding macro.

  2. Inform Gumballpay support about the need to connect Apple Pay and send updated templates.

The Apple Pay button will automatically appear on the Gumballpay checkout page if:
  1. The payer uses the Safari browser on a device that supports Apple Pay.

  2. The payer has Apple Pay cards available for payment.

Note

It might be necessary for Connecting Party to register Merchant ID, issue Payment Processing Certificate and Merchant Identity Certificate in Apple in order to launch Apple Pay. For details please contact Gumballpay support manager.

Apple Pay Flow

participant Payer as C
participant "Connecting Party" as cp
autonumber
C -> cp: Checkout
activate cp
alt sale/preauth
cp -> Gumballpay: sale-form/ENDPOINTID
activate Gumballpay
cp -> Gumballpay: preauth-form/ENDPOINTID
end
Gumballpay --> cp: status=processing\nredirect-url
deactivate Gumballpay
cp --> C: Provide **redirect-url** to payer's browser
deactivate cp
activate C
loop
cp -> Gumballpay: Request /api/v2/status
activate cp
activate Gumballpay
Gumballpay --> cp: status=processing
deactivate cp
deactivate Gumballpay
end
C -> "Apple Pay": Check if Apple Pay is supported on Payer's device
activate "Apple Pay"
"Apple Pay" --> C: Apple Pay response
deactivate "Apple Pay"
C -> C: Display Apple Pay button
C -> "Apple Pay": Provide Apple payment data for processing
deactivate C
activate "Apple Pay"
"Apple Pay" --> Gumballpay: Processing with Apple Pay payment data
deactivate "Apple Pay"
activate Gumballpay
Gumballpay -> Gumballpay:  Process payment
Gumballpay --> C: Redirect to **redirect_url**
activate C
C -> cp: Return to the Shop
deactivate C
activate cp
group Get Final Status
== Receive Connecting Party Callback ==
cp <- Gumballpay : callback with final status
Gumballpay <-- cp: HTTP 200
deactivate Gumballpay
== Order Status request ==
cp -> Gumballpay: Get status by Order ID\napi/v2/status
activate Gumballpay
Gumballpay --> cp : Response\nstatus,order-stage
deactivate Gumballpay
end
cp --> C: Show result
deactivate cp

(2) To implement sale-form payment request see /api/v2/sale-form.
(3) Instead of sale-form it is possible to implement preauth-form payment request, see /api/v2/preauth-form. Preauth allows to hold the specified amount in the Payer’s card account for a limited time. Preauth can be followed by Capture or Cancel.
(14) Payer is returned to Connecting Party site. To implement final redirect see Final Redirect.
(16) To implement callback with final status handling see Connecting Party Callbacks.
(18) To implement order status request see /api/v2/status. Status should be requested multiple times with 3-5 seconds interval until final status will be received in response.

Capture Flow

Capture is a transaction followed after preauth which deducts the locked amount from Payer’s card. It is important to know that the block remains for a definite period of time depending on whether this is a debit or a credit card (usually the maximum block period is 7 days for debit cards and 28 days for credit cards).

skinparam roundcorner 20
skinparam sequenceArrowThickness 1
skinparam maxmessagesize 100
skinparam sequenceParticipant underline
actor Payer
participant "Connecting party" as A
participant "Gumballpay" as B
hnote over A,B : Successful Preauth Transaction
autonumber
group Optional
Payer -> A: Initiate Capture
activate A
end
== Capture ==
A -> B: api/v2/capture
activate B
B --> A: Order ID
B -> B: Process Capture
group Get Final Status
== Receive Callback ==
A <- B: Callback with Final Status
A --> B: HTTP 200
deactivate B
== Order Status Request ==
A -> B: Get Status by Order ID api/v2/status
activate B
B --> A: Response with Status, Order-stage
deactivate B
end
group Optional
A --> Payer: Final Status
deactivate A
end

(1) Capture can be initiated by Connecting Party based on internal business model or Payer’s request.
(2) To implement capture request see /api/v2/capture/.
(5) Callback for Capture will be sent only if notify_url was provided in initial transaction request or additional callback URL for Capture transactions is specified on the endpoint level. If server_callback_url was provided in initial transaction request, callback for Capture will not be sent. To implement callback with final status handling see Connecting Party Callbacks.
(7) To implement order status request see /api/v2/status/. Status should be requested multiple times with 3-5 seconds interval until final status will be received in response.
(9) Final Status can be sent by Connecting Party based on internal business model or by Payer’s request.

Cancel Flow

Cancel is opposite of Capture which cancels the deduction and returns locked by Preauth amount back to Payer’s card. It is important to know that the block remains for a definite period of time depending on whether this is a debit or a credit card (usually the maximum block period is 7 days for debit cards and 28 days for credit cards).

skinparam roundcorner 20
skinparam sequenceArrowThickness 1
skinparam maxmessagesize 100
skinparam sequenceParticipant underline
actor Payer
participant "Connecting party" as A
participant "Gumballpay" as B
hnote over A,B : Successful Preauth Transaction
autonumber
group Optional
Payer -> A: Initiate Cancel
activate A
end
== Cancel ==
A -> B: api/v2/cancel
activate B
B --> A: Order ID
B -> B: Process Cancel
group Get Final Status
== Receive Callback ==
A <- B: Callback with Final Status
A --> B: HTTP 200
deactivate B
== Order Status Request ==
A -> B: Get Status by Order ID api/v2/status
activate B
B --> A: Response with Status, Order-stage
deactivate B
end
group Optional
A --> Payer: Final Status
deactivate A
end

(1) Cancel can be initiated by Connecting Party based on internal business model or Payer’s request.
(2) To implement cancel request see /api/v2/return/.
(5) Callback for Cancel will be sent only if notify_url was provided in initial transaction request or additional callback URL for Cancel transactions is specified on the endpoint level. If server_callback_url was provided in initial transaction request, callback for Cancel will not be sent. To implement callback with final status handling see Connecting Party Callbacks.
(7) To implement order status request see /api/v2/status/. Status should be requested multiple times with 3-5 seconds interval until final status will be received in response.
(9) Final Status can be sent by Connecting Party based on internal business model or by Payer’s request.

Apple Pay Account Setup

To configure the terminal on the Payment Gateway side, the following data needs to be sent to the Gumballpay support service:
  • Merchant ID.

  • The private key of the Payment Processing Certificate.

  • Private key password.

Note

Please note that the Payment Processing Certificate lasts 25 months. To renew the certificate, see the section “Reissue of Payment Processing Certificate”.

Register Merchant ID

Merchant ID - Apple Merchant Site ID (or MID) is a unique identification number that tells the payment processing systems involved in a transaction where to send which funds.

  1. Open developer account. Go to Certificate, Identifiers & Profiles.

  2. Go to Identifiers.

  3. Click on “+”.

  4. Select Merchant IDs.

  5. Specify the description and the Merchant ID. It is recommended to use the website domain in reverse order with the Connecting Party’s prefix. Example: connecting party.com.Gumballpay.applepay.test.

  6. Click Register.

Merchant ID is now registered.

Create Certificate Signing Request

Certificate Signing Request is a request to issue a certificate, in our case in order to get Payment Processing Certificate.
  1. Open Keychain Access on Mac.

  2. Certification assistant -> Request a certificate from a Certificate Authority.

  3. Specify the email, to which the developer’s account was registered, the name (also key name). Select Saved to disk and Specify information about a pair of keys manually.

  4. Select the key size 256 bits and the ECC Algorithm. Click Continue button. Save the .certSigningRequest file.

Issue Payment Processing Certificate

  1. Return to the developer’s office. Go to Certificates, Identifiers & Profiles / Identifiers. Select needed Merchant ID.

  2. Click Create Certificate in Apple Pay Payment Processing Certificate section.

  3. Select “No” and click Continue.

  4. Choose .certSigningRequest file from step 2 and click Continue.

  5. Download Payment Processing Certificate.

Get the Certificate Private Key and Private Key Password

  1. Double click Payment Processing Certificate on Mac to install.

  2. Open Keychain Access and go to Certificates section.

  3. Find the certificate. Select the created key by clicking on the arrow next to it.

  4. Select Export with the right mouse button.

  5. Select the folder to save the key file in .p12 format, click Save.

  6. Create password and click OK. Private key <name>.p12 and private key password are ready to work.

Reissue of Payment Processing Certificate

The Connecting Party must independently monitor the validity period of the Apple Pay certificate (25 months). Before the certificate expires, a new certificate must be issued.
This requires the following:
  1. Create a new Certificate Signing Request, as described in step 2.

  2. Issue a new Payment Processing Certificate as in step 3. After creating a new certificate for the current Merchant ID, there will be two certificates: old (active) and new (requiring activation). At this step there is no need to activate the new certificate.

  3. Get the certificate private key, private key password and send them to Gumballpay support service as in step 4.

  4. Activate a new certificate only in consultation with Gumballpay support service. After activation, only the new certificate will be used, the old one will become inactive.

Merchant Identity Certificate

The following data needs to be sent to the Gumballpay support service:
  1. Merchant ID.

  2. The private key of the Merchant Identity Certificate.

  3. Private key password.

Note

Please note that the validity period of the Merchant Identity Certificate and domain verification is 25 months. To renew the certificate and re-verify domains, see the section Re-verification of domains and reissue of the Merchant Identity Certificate.

Domain Registration and Verification

Warning

Before receiving the Merchant Identity Certificate, it is compulsory to create and validate domains where Apple Pay will be used.

  1. Go to the developer’s office and go to Certificates, Identifiers & Profiles. Create a Merchant ID before domain registration.

  2. Go to Identifiers.

  3. App IDs -> Merchant IDs.

  4. Select the needed Merchant ID.

  5. Click Add Domain in Merchant Domains.

  6. Specify the domain where Apple Pay will be used and click Save.

  7. To confirm ownership of a domain, download the file and place ot at the specified address, the file at the specified address must be accessible from outside the Connecting Party’s network.

  8. Click Verify to verify the domain.

Creation of Merchant Identity Certificate

Create Certificate Signing Request

Certificate Signing Request is a request to issue a certificate, in our case in order to get Payment Processing Certificate.
  1. Open Keychain Access on Mac.

  2. Certification assistant -> Request a certificate from a Certificate Authority.

  3. Specify the email, to which the developer’s account was registered, the name (also key name). Select Saved to disk and Specify information about a pair of keys manually.

  4. Select the key size 2048 bits and the RSA Algorithm. Click Continue button. Save the .certSigningRequest file.

Issue Merchant Identity Certificate

  1. Return to the developer’s office. Go to Certificates, Identifiers & Profiles / Identifiers.

  2. Go to Identifiers.

  3. App IDs -> Merchant IDs.

  4. Select the needed Merchant ID.

  5. Create Certificate in Apple Pay Merchant Identity Certificate section.

  6. Select created in step 1 .certSigningRequest file and click Continue.

  7. Download Merchant Identity Certificate.

Get the Certificate Private Key and Private Key Password

  1. Double click Merchant Identity Certificate on Mac to install.

  2. Open Keychain Access and go to Certificates section.

  3. Find the certificate. Select Export with the right mouse button.

  4. Select the folder to save the key file in .p12 format, click Save.

  5. Create password and click OK. Private key <name>.p12 and private key password are ready to work.

Domain Re-verification and Merchant Identity Certificate Reissue

The Connecting Party must independently monitor the validity of the certificate and domains’ verification (25 months). A new Merchant Identity Certificate must be issued before the certificate expires. Certificates can be used concurrently, so the procedure for issuing a new one is as described in the “Creating a Merchant Identity Certificate” section. Before the expiration of the domain verification period, the Verify button is activated next to it. The verification procedure corresponds to that described in the section “Domain registration and verification”.