> Can anyone ELI5 how Apple & Google Pay work in detail?
Oh, in case this was not really answered in other responses ...
When you add a card to an Apple or Google wallet, the wallet software goes off to your card issuer and asks for permission to include it in the wallet. Your card issuer may then ask you directly if it's OK and please confirm. When you have confirmed, they provide some details to your phone including some private keys (likely derived from a master) and other bits and pieces like the PAN to use, supported transaction types etc.
OK, now it's set up in your phone. What happens when you tap?
The terminal first goes through a sort of rapid handshake - hey, I'm a terminal, please select your default card application, let's go!
Then it asks for a bunch of data - can I have your PAN, expiry, velocity data, hard and soft limits etc, please?
Then it sends a bunch of data to your card - transaction type (payment, cash, refund(?)), amount, date and time, terminal type, some other bits.
Your phone or card will then check these fit in with its internal rules (do I allow cash? etc), add some information (user unlocked biometrically/with PIN), arrange the data in a canonical order, hash and sign it and send back the resulting signature as a cryptogram. Part of this cryptogram will tell the terminal Yes/No to proceed and whether it needs to ask for a PIN or go online to the acquiring bank for approval. The terminal applies its own rules to the transaction as well, and can optionally downgrade the transaction from approved to online or denied, or from online to denied.
If it needs to go online, it will transmit the transaction details to the acquiring (merchant's) bank, which may approve the transaction immediately or itself refer the transaction to the issuing (your) bank. It's at this point, for Apple Pay, that Apple steps into the picture - as the PAN is not the 'real' PAN, the acquiring bank refers to Apple, and they then refer to the issuer.
Then the approved message pops up :)
Apart from the issuer-proxying, the process is basically identical if you use a phone or your physical card.
I've probably glossed over quite a lot and got a couple of details wrong, but hey, that's the nature of ELI5.
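The tap sequence in the answer above, as an added toy model (not the poster's code and not the real EMV cryptogram scheme, which uses issuer-specific MAC algorithms and key formats): a per-token key derived from an issuer master, the phone's rule check and a MAC over canonically ordered transaction data, the terminal's downgrade-only rule, and the issuer re-deriving the key to verify. It goes one step past the answer by adding a transaction counter (ATC), which is what real cards use so a captured cryptogram cannot be replayed. Master key, token PAN, limits and the transaction fields are constructed sample values.

```python
import hmac, hashlib

# Constructed sample values (assumptions for this example, not real keys or PANs)
ISSUER_MASTER_KEY = b"issuer-master-key-demo"
TOKEN_PAN = "4999000011112222"  # token PAN provisioned to the phone, not the 'real' PAN
DEVICE_RULES = {"allow_cash": False, "offline_limit": 5000, "cvm_required_above": 2500}

def derive_key(parent: bytes, label: str) -> bytes:
    """HMAC-based derivation: per-token key from the issuer master, session key per counter."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()

def canonical(token_pan: str, txn: dict, cvm: str, atc: int) -> bytes:
    """Fixed field order so device and issuer hash exactly the same bytes."""
    fields = [token_pan, txn["type"], str(txn["amount"]), txn["currency"],
              txn["datetime"], txn["terminal_type"], cvm, str(atc)]
    return "|".join(fields).encode()

def device_respond(device_key: bytes, txn: dict, cvm: str, atc: int):
    """Phone side: apply internal rules, then MAC the canonical data as the cryptogram."""
    if txn["type"] == "cash" and not DEVICE_RULES["allow_cash"]:
        return "decline", None
    if txn["amount"] > DEVICE_RULES["cvm_required_above"] and cvm == "none":
        return "need_cvm", None  # unlock with biometric/PIN first, then tap again
    decision = "approve_offline" if txn["amount"] <= DEVICE_RULES["offline_limit"] else "go_online"
    session_key = derive_key(device_key, f"atc:{atc}")
    mac = hmac.new(session_key, canonical(TOKEN_PAN, txn, cvm, atc), hashlib.sha256).hexdigest()
    return decision, mac

def terminal_decide(device_decision: str, txn: dict, floor_limit: int) -> str:
    """Terminal may only downgrade: approve_offline -> go_online -> decline."""
    if device_decision == "approve_offline" and txn["amount"] > floor_limit:
        return "go_online"
    return device_decision

class Issuer:
    """Issuer side: re-derive the keys, recompute the MAC, reject stale counters."""
    def __init__(self, master: bytes):
        self.master = master
        self.last_atc = {}  # highest counter seen per token, for replay detection
    def verify(self, token_pan: str, txn: dict, cvm: str, atc: int, mac: str) -> bool:
        if atc <= self.last_atc.get(token_pan, 0):
            return False  # replayed or out-of-order cryptogram
        device_key = derive_key(self.master, f"token:{token_pan}")
        session_key = derive_key(device_key, f"atc:{atc}")
        expected = hmac.new(session_key, canonical(token_pan, txn, cvm, atc),
                            hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, mac)
        if ok:
            self.last_atc[token_pan] = atc
        return ok
```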