Apple Card security
On supported models of iPhone and Mac, a user can securely apply for an Apple Card.
Apple Card application
In iOS 12.4 or later, macOS 10.14.6 or later, and watchOS 5.3 or later, Apple Card can be used with Apple Pay to make payments in stores, in apps, and on the web.
To apply for Apple Card, the user must be signed in to their iCloud account on an Apple Pay–compatible iPhone or iPad and have two-factor authentication set up on the iCloud account, or they can apply at apply.applecard.apple after signing in with their Apple ID. When the application is approved, Apple Card is available in Apple Wallet or within Settings > Wallet & Apple Pay across any of the eligible devices the user has signed in to with their Apple ID.
When a user applies for Apple Card, user identity information is securely verified by Apple’s identity provider partners and then shared with Goldman Sachs Bank USA for the purposes of identity and credit evaluation.
Information such as the social security number or ID document image provided during the application is securely transmitted to Apple’s identity provider partners and/or Goldman Sachs Bank USA encrypted with their respective keys. Apple can’t decrypt this data.
The income information provided during the application, and the bank account information used for bill payments, are securely transmitted to Goldman Sachs Bank USA encrypted with their key. The bank account information is saved in the keychain. Apple can’t decrypt this data.
When adding Apple Card to Apple Wallet, the same information as when a user adds a credit or debit card may be shared with Apple’s partner bank Goldman Sachs Bank USA, and with Apple Payments Inc. This information is used only for troubleshooting, fraud prevention, and regulatory purposes.
In iOS 14.6 or later, iPadOS 14.6 or later, and watchOS 7.5 or later, the organizer of an iCloud family with an Apple Card can share their card with their iCloud Family members over the age of 13. User authentication is required to confirm the invitation. Apple Wallet uses a key in the Secure Enclave to compute a signature that binds the owner and the invitee. That signature is validated on Apple servers.
Optionally, the organizer can set a transaction limit for the participants. Participant cards can also be locked to pause their spending at any time through Apple Wallet. When a co-owner or participant over the age of 18 accepts the invitation and applies, they go through the same application process as defined in the Apple Card application section in Apple Wallet.
Apple Card usage
A physical card can be ordered from Apple Card in Apple Wallet. After the user receives the physical card, it’s activated using the NFC tag that’s in the bifold envelope of the physical card. The tag is unique per card and can’t be used to activate another user’s card. Alternatively, the card can be manually activated in Apple Wallet settings. The user can also choose to lock or unlock the physical card at any time from Apple Wallet.
Apple Card payments and Apple Wallet pass details
Payments due on the Apple Card account can be made from a web browser or Apple Wallet in iOS with Apple Cash and a bank account. Bill payments can be scheduled as recurring or as a one-time payment at a specific date with Apple Cash and a bank account. When a user makes a payment, a call is made to the Apple Pay servers to obtain a cryptographic anti-replay value, as with Apple Cash. The anti-replay value, along with the payment setup details, is passed to the Secure Element to compute a signature. The signature is then returned to the Apple Pay servers. The authentication, integrity, and correctness of the payment are verified through the signature and the anti-replay value by Apple Pay servers, and the order is passed on to Goldman Sachs Bank USA for processing.
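The general pattern described above (a server-issued anti-replay value, a device signature over that value plus the payment details, and a single-use check on the server) can be sketched as follows. This is an added example, not Apple's implementation: Ed25519 stands in for the Secure Element's signature, and the names Server, Issue, Sign and Verify, the `value|details` encoding and the sample payment string are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is a hypothetical payment server; pending holds issued, unredeemed values.
type Server struct {
	pending map[string]bool
	device  ed25519.PublicKey // public key enrolled for the device (assumed)
}

// Issue returns a fresh random anti-replay value and records it as pending.
func (s *Server) Issue() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	v := fmt.Sprintf("%x", b)
	s.pending[v] = true
	return v
}

// Sign stands in for the secure hardware. The value is hex, so "|" is unambiguous.
func Sign(priv ed25519.PrivateKey, value, details string) []byte {
	return ed25519.Sign(priv, []byte(value+"|"+details))
}

// Verify checks the signature over value and details, then redeems the value once.
func (s *Server) Verify(value, details string, sig []byte) error {
	if !ed25519.Verify(s.device, []byte(value+"|"+details), sig) {
		return fmt.Errorf("signature does not cover these payment details")
	}
	if !s.pending[value] {
		return fmt.Errorf("anti-replay value unknown or already used")
	}
	delete(s.pending, value)
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{pending: map[string]bool{}, device: pub}
	v, d := s.Issue(), "amount=25.00;date=2024-01-15" // constructed sample
	sig := Sign(priv, v, d)
	fmt.Println(s.Verify(v, d, sig), s.Verify(v, d, sig)) // accepted, then rejected
}
```

Because the signature is checked before the value is redeemed, a request with altered payment details fails without consuming the pending value, and a captured request that is resent fails because the value is no longer pending.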
The Apple Card number is retrieved by Apple Wallet by presenting a certificate. The Apple Pay server validates the certificate to confirm the key was generated in the Secure Enclave. It then uses this key to encrypt the Apple Card number before returning it to Apple Wallet, so that only the iPhone that requested the Apple Card number can decrypt it. After decryption, the Apple Card number is saved in iCloud Keychain.
Displaying the Apple Card number details in the pass using Apple Wallet requires user authentication with Face ID, Touch ID, or a passcode. The user can replace the card number in the card information section; doing so disables the previous one.
Advanced Fraud Protection
In iOS 15 or later and iPadOS 15 or later, the Apple Card user can enable Advanced Fraud Protection in Apple Wallet. When enabled, the Card Security Code refreshes every few days.