Apple Cash security
In iOS 11.2 or later, iPadOS 13.1 or later, and watchOS 4.2 or later, Apple Cash can be used on an iPhone, iPad or Apple Watch to send, receive and request money from other users. When a user receives money, it’s added to an Apple Cash account that can be accessed in Apple Wallet or within Settings > Wallet & Apple Pay across any of the eligible devices the user has signed in with their Apple ID.
In iOS 14, iPadOS 14 and watchOS 7, the organiser of an iCloud family who has verified their identity with Apple Cash can enable Apple Cash for their family members under the age of 18. Optionally, the organiser can restrict the money sending capabilities of these users to family members only or contacts only. If the family member under the age of 18 goes through an Apple ID account recovery, the organiser of the family must manually re-enable the Apple Cash card for that user. If the family member under the age of 18 is no longer part of the iCloud family, their Apple Cash balance is automatically transferred to the organiser’s account.
When the user sets up Apple Cash, the same information as when the user adds a credit or debit card may be shared with our partner bank Green Dot Bank and with Apple Payments Inc., a wholly owned subsidiary created to protect the user’s privacy by storing and processing information separately from the rest of Apple and in a way that the rest of Apple doesn’t know. This information is used only for troubleshooting, fraud prevention and regulatory purposes.
Using Apple Cash in iMessage
To use person-to-person payments and Apple Cash, a user must be signed in to their iCloud account on an Apple Cash–compatible device and have two-factor authentication set up on the iCloud account. Money requests and transfers between users are initiated from within the Messages app or by asking Siri. When a user attempts to send money, iMessage displays the Apple Pay sheet. The Apple Cash balance is always used first. If necessary, additional funds are drawn from a second credit or debit card the user has added to Apple Wallet.
Using Apple Cash in shops, apps and on the web
The Apple Cash card in Apple Wallet can be used with Apple Pay to make payments in shops, in apps and on the web. Money in the Apple Cash account can also be transferred to a bank account. In addition to money being received from another user, money can be added to the Apple Cash account from a debit or pre-paid card in Apple Wallet.
Apple Payments Inc. stores and may use, the user’s transaction data for troubleshooting, fraud prevention and regulatory purposes once a transaction is completed. The rest of Apple doesn’t know who the user sent money to, received money from or where the user made a purchase with their Apple Cash card.
When the user sends money with Apple Pay, adds money to an Apple Cash account or transfers money to a bank account, a call is made to the Apple Pay servers to obtain a cryptographic anti-replay value, which is similar to the value returned for Apple Pay within apps. The anti-replay value, along with other transaction data, is passed to the Secure Element to compute a payment signature. The signature is returned to the Apple Pay servers. The authentication, integrity and correctness of the transaction are verified through the payment signature and the anti-replay value by Apple Pay servers. Money transfer is then initiated and the user is notified of a completed transaction.
If the transaction involves:
A debit card for adding money to Apple Cash
Providing supplemental money if the Apple Cash balance is insufficient
An encrypted payment credential is also produced and sent to Apple Pay servers, similar to how Apple Pay works within apps and websites.
After the balance of the Apple Cash account exceeds a certain amount or if unusual activity is detected, the user is prompted to verify their identity. Information provided to verify the user’s identity — such as social security number or answers to questions (for example, to confirm a street name the user lived on previously) — is securely transmitted to the Apple partner and encrypted using their key. Apple can’t decrypt this data. The user is prompted to verify their identity again if they perform an Apple ID account recovery, before regaining access to their Apple Cash balance.