Apple Pay

Decrypted Server-Side Implementation


Decrypting Apple Pay payment data on your server is not recommended, as it increases your risk and compliance burden (typically requires PCI SAQ D compliance).

See Configuration for our recommended integration method.

Creating transactions

If you decrypt the encrypted Apple Pay payment data on your server, you can create a transaction with the decrypted parameters.


If there is an electronic commerce indicator (ECI) within the decrypted payment data, it must be included below.

PHP

$result = $gateway->transaction()->sale([
  'amount' => '10.00',
  'applePayCard' => [
    // Values taken from the decrypted Apple Pay payment data
    'number' => $applicationPrimaryAccountNumber,
    'cardholderName' => $cardholderName,
    'cryptogram' => $onlinePaymentCryptogram,
    // applicationExpirationDate is formatted YYMMDD
    'expirationMonth' => substr($applicationExpirationDate, 2, 2),
    'expirationYear' => substr($applicationExpirationDate, 0, 2),
    'eciIndicator' => $eciIndicator
  ],
  'options' => [
    'submitForSettlement' => true
  ]
]);

The amount you specify in your client-side payment request should reflect the actual amount you authorize and submit for settlement; transactions will still process in cases where the amount changes during order fulfillment.
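The following Python example is added here and is not Braintree's code. It checks decrypted fields against the constraints in this page's parameter reference (12-19 digit DPAN, two-digit ECI, 175-character name limit), builds the card parameters with the ECI included whenever one is present, and produces a log-safe copy. The snake_case output keys, the flat input dict, the optional cardholder name, the required cryptogram and the `redact` helper are assumptions of this example.

```python
import re

class ApplePayDataError(ValueError):
    """Raised when decrypted Apple Pay data fails a field check."""

def build_apple_pay_card(decrypted):
    """Validate decrypted Apple Pay fields and map them to card parameters."""
    dpan = str(decrypted.get("applicationPrimaryAccountNumber", ""))
    if not re.fullmatch(r"[0-9]{12,19}", dpan):
        raise ApplePayDataError("DPAN must be 12-19 digits")
    exp = str(decrypted.get("applicationExpirationDate", ""))
    # Same slicing as the PHP example: YY at offset 0, MM at offset 2.
    if not re.fullmatch(r"[0-9]{6}", exp) or not 1 <= int(exp[2:4]) <= 12:
        raise ApplePayDataError("expiration date must be YYMMDD")
    cryptogram = decrypted.get("onlinePaymentCryptogram")
    if not cryptogram:  # assumption: treated as required here
        raise ApplePayDataError("cryptogram is missing")
    # Output key names are an assumption mirroring the PHP example's keys.
    card = {"number": dpan, "cryptogram": cryptogram,
            "expiration_month": exp[2:4], "expiration_year": exp[0:2]}
    name = decrypted.get("cardholderName")
    if name:  # assumption: treated as optional here
        if len(name) > 175:
            raise ApplePayDataError("cardholder name exceeds 175 characters")
        card["cardholder_name"] = name
    eci = decrypted.get("eciIndicator")
    if eci:  # some networks return no ECI; include it whenever present
        if not re.fullmatch(r"[0-9]{2}", str(eci)):
            raise ApplePayDataError("ECI must be a two-digit string")
        card["eci_indicator"] = str(eci)
    return card

def redact(card):
    """Copy safe for logs: DPAN masked to its last four, cryptogram dropped."""
    masked = "*" * (len(card["number"]) - 4) + card["number"][-4:]
    return dict(card, number=masked, cryptogram="[redacted]")

# Constructed sample values, not real card data.
SAMPLE = {
    "applicationPrimaryAccountNumber": "4000000000001234",
    "applicationExpirationDate": "270831",
    "cardholderName": "Test Cardholder",
    "onlinePaymentCryptogram": "Q09OU1RSVUNURUQ=",
    "eciIndicator": "05",
}

if __name__ == "__main__":
    print(redact(build_apple_pay_card(SAMPLE)))
```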

Vaulting via Customer create and update


Vaulting decrypted Apple Pay cards without tokenizing is currently only available in the Python SDK. This feature is only available via Customer.create and Customer.update.

You may vault a decrypted Apple Pay Card while creating a new Customer object.

For an existing customer, you can vault a new Apple Pay card by supplying that customer's ID. You may also update the PaymentMethod's token this way.


An Apple Pay payment method.


The name associated with the Apple Pay card. Must be less than or equal to 175 characters.


The expiration month of an Apple Pay card, formatted MM.


The two or four digit year associated with an Apple Pay card, formatted YYYY or YY.


Typically requires PCI SAQ D compliance.

The 12-19 digit device primary account number (DPAN).


A one-time use string generated by the token requester to validate the transaction.


Electronic Commerce Indicator (ECI), a card brand-specific two-digit string describing the mode of the transaction. This field is optional, as some card networks do not return an ECI.


Optional values that can be passed with a request.



This option makes the specified payment method the default for the customer.


An alphanumeric value that references a specific payment method stored in your Vault. Must be less than or equal to 36 characters. If using a custom integration, you can specify what you want the token to be. If not specified, the gateway will generate one that can be accessed on the result. If using our Drop-in UI with a customer ID to vault payment methods, you can't specify your own token. Length and format of gateway-generated tokens and IDs may change at any time.


A billing address associated with a specific credit card. The maximum number of addresses per customer is 50.


The first name. The first name value must be less than or equal to 255 characters.


The last name. The last name value must be less than or equal to 255 characters.


Company name. 255 character maximum.


The street address. Street address must be less than or equal to 255 characters. Must contain at least 1 digit.


The extended address information—such as apartment or suite number. 255 character maximum.


The locality/city. 255 character maximum.


The state or province. The region must be a 2-letter abbreviation and must be less than or equal to 255 characters.


The postal code. Postal code must be a string of 4-9 alphanumeric characters, optionally separated by a dash or a space. Spaces and hyphens are ignored.


The ISO 3166-1 alpha-2 country code specified in an address. The gateway only accepts specific alpha-2 values.


The ISO 3166-1 alpha-3 country code specified in an address. The gateway only accepts specific alpha-3 values.


The ISO 3166-1 numeric country code specified in an address. The gateway only accepts specific numeric values.


The country name specified in an address. We only accept specific country names.


Phone number. Phone must be 10-14 characters and can only contain numbers, dashes, parentheses and periods.
