DPAN, MPAN, Cryptogram and Compliance

Hello everyone,

I’m currently in the process of implementing Apple Pay on my company’s e-commerce website under a subscription model with recurring payments. I would appreciate some help in clarifying the following points:

  1. Is the applicationPrimaryAccountNumber the DPAN and the merchantTokenIdentifier the MPAN? If not, which fields represent each one or how do I recognise them?
  2. Is the onlinePaymentCryptogram used only for processing payments with the DPAN, or is it also involved when using the MPAN?
  3. Is the onlinePaymentCryptogram single-use or does it have an expiration time? Or is it reusable with no limits?
  4. According to Apple’s data policies, is it recommended for our servers to perform the payment token decryption (debundling), or should this only be handled by the payment gateway processor to stay compliant?

Below is the payment request I’m using for testing, along with the decrypted payment token returned for a test card:

Payment Request:

{
  "countryCode": "US",
  "currencyCode": "USD",
  "merchantCapabilities": ["supports3DS", "supportsDebit", "supportsCredit"],
  "supportedNetworks": ["visa", "masterCard", "amex", "discover"],
  "requiredBillingContactFields": ["postalAddress", "name"],
  "lineItems": [
    {
      "label": "Subtotal",
      "amount": "9"
    },
    {
      "label": "Taxes",
      "amount": "1"
    }
  ],
  "total": {
    "label": "Demo (Card is not charged)",
    "amount": "10",
    "type": "final",
    "recurringPaymentIntervalUnit": "month"
  },
  "recurringPaymentRequest": {
    "paymentDescription": "Recurring payment",
    "regularBilling": {
      "label": "Demo (Card is not charged)",
      "amount": "10",
      "type": "final",
      "paymentTiming": "recurring",
      "recurringPaymentIntervalUnit": "month"
    },
    "managementURL": "${window.location.origin}/api/managePaymentMethod"
  }
}

Decrypted Payment Token:

{
  "applicationPrimaryAccountNumber": "5204240494898922",
  "applicationExpirationDate": "280630",
  "currencyCode": "840",
  "transactionAmount": 0,
  "deviceManufacturerIdentifier": "050110030273",
  "paymentDataType": "3DSecure",
  "paymentData": {
    "onlinePaymentCryptogram": "MCt5xR+VnQAAAAM/8mUjAAADFIA="
  },
  "merchantTokenIdentifier": "DM4MMC1US000000042e438d170774669844e732a41c28e97",
  "merchantTokenMetadata": {
    "cardMetadata": {
      "longDescription": "Test Bank for MasterCard MTF",
      "cardCountry": "US",
      "shortDescription": "Test Bank 2",
      "fpanSuffix": "0049"
    },
    "cardArt": [
      {
        "url": "https://nc-crt-smp-device-asset.apple.com:443/broker/v1/assets/174ce63257704d93b00aff8aa09ec0d5",
        "name": "cardBackgroundCombined@2x.png",
        "type": "image/png"
      }
    ]
  }
}

Thanks in advance for your help and guidance.
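An added example, not part of the original post: a small Python parser for the decrypted-token shape shown above. It checks the field formats and builds a summary that is safe to write to application logs (masked account number, no cryptogram copied), which is the kind of handling any merchant-side decryption path needs so that card data does not leak into logs. The sample token is constructed from the post's test values; the two-digit-year handling and the accepted paymentDataType values are assumptions stated in the comments.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample: the decrypted-token shape from the post, same field
# names, test values only (not a real card).
SAMPLE_TOKEN = json.dumps({
    "applicationPrimaryAccountNumber": "5204240494898922",
    "applicationExpirationDate": "280630",
    "currencyCode": "840",
    "transactionAmount": 0,
    "deviceManufacturerIdentifier": "050110030273",
    "paymentDataType": "3DSecure",
    "paymentData": {"onlinePaymentCryptogram": "MCt5xR+VnQAAAAM/8mUjAAADFIA="},
    "merchantTokenIdentifier": "DM4MMC1US000000042e438d170774669844e732a41c28e97",
})

@dataclass
class TokenSummary:
    pan_masked: str              # account number with only the last 4 digits kept
    expires: date                # parsed from the YYMMDD expiration field
    has_cryptogram: bool         # present, but the value itself is never copied
    merchant_token_present: bool # merchantTokenIdentifier field was populated
    payment_data_type: str

def summarize_token(raw: str) -> TokenSummary:
    """Parse a decrypted token and return a loggable summary.
    Neither the full PAN nor the cryptogram ends up in the summary."""
    t = json.loads(raw)
    pan = t["applicationPrimaryAccountNumber"]
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("unexpected account number format")
    exp = t["applicationExpirationDate"]  # YYMMDD as in the sample
    if len(exp) != 6 or not exp.isdigit():
        raise ValueError("unexpected expiration date format")
    # Assumption: two-digit year is in the 2000s.
    expires = date(2000 + int(exp[:2]), int(exp[2:4]), int(exp[4:]))
    pdt = t.get("paymentDataType", "")
    if pdt not in ("3DSecure", "EMV"):  # assumed allowed values
        raise ValueError(f"unknown paymentDataType {pdt!r}")
    has_cryptogram = bool(t.get("paymentData", {}).get("onlinePaymentCryptogram"))
    return TokenSummary(
        pan_masked="*" * (len(pan) - 4) + pan[-4:],
        expires=expires,
        has_cryptogram=has_cryptogram,
        merchant_token_present=bool(t.get("merchantTokenIdentifier")),
        payment_data_type=pdt,
    )

def is_expired(summary: TokenSummary, today: date) -> bool:
    """True once the card's expiration date has passed."""
    return today > summary.expires
```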