Understanding the DAN, what builders should know about Apple Pay
Mobile payments are a thing now. Apple Pay is quietly massive. Consumers spent $90bn with Apple Pay in 2021 in the US, and 45% of consumers who have Apple Pay used it in the last 24 hours for a purchase.
At Sardine, we’ve observed Apple Pay become an increasingly popular mechanism for funding wallets and Crypto purchases, and we’ve learned a few tricks we wanted to share with you.
Apple Pay was designed to be highly secure.
Apple markets Apple Pay as “safer than carrying a card in your wallet.” It backs this up by ensuring that when a credit or debit card is added to the Apple Wallet, it is assigned a unique number (token) that is
Introducing the DAN (sometimes DPAN): The 16-digit long number on the front of your credit or debit card is called the PAN (Primary Account Number). The token Apple stores for your card in the Apple Wallet is the DPAN (Device Primary Account Number).
Registering for Apple Pay
When you add a card to the wallet, you register your device and card with the card network (e.g., Visa or Mastercard) and your bank. In return, your bank associates your actual card with your device.
Then, Apple Pay can only be used with that card number on the registered device. The card can’t be registered for multiple devices. But, of course, multiple cards can be registered to the same device.
Crucially, the same card added to a different device would have a different DAN.
Using Apple Pay
When a customer of Apple Pay makes a purchase (either in-store, online or in-app), the process is as follows.
- Authenticate using biometrics
- The iPhone then develops a unique hash (a combination of the DAN and other unique transaction information) and passes that to the merchant.
- The merchant then sends this on to the payment network (e.g., V/MC)
- The payment network recognizes the Apple Pay transaction and uses the DAN (and other data) to find the real card (PAN)
- The payment network then contacts the Apple Pay user’s bank (issuer) to authorize the transaction
- The issuer then passes back the authorization to the payment network, which in turn passes it down to the merchant (via the merchant’s bank)
This process takes less than a second and feels almost instant to users.
Fraudsters will use Apple Devices.
Apple Pay’s fantastic user experience makes it an attractive target for fraudsters, who can quickly attempt to add stolen credentials into a device to move money into gambling sites, NFTs, or Crypto to cover their tracks.
But like all payment types, we can make a difference with the right fraud nerds on the case.
How we used the DAN
Sardine had a client experiencing major fraud around Apple Pay transactions.
When using the DAN with 1000s of other signals, we can be effective at reducing fraud 👇
The above shows the moment we introduced a new set of controls for the same client.
As with everything in Fraud, no single signal alone is effective, and fraudsters continue to learn and adapt to new techniques. But the more signals we have, the more we can combine them to reduce fraud.
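One way a DAN can feed fraud signals, shown as an added example (not Sardine's code or method): because a DAN identifies one card on one device, it can key simple link counts between accounts and card-device pairings. The event tuples, placeholder DAN values, 24-hour window and thresholds are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account id, DAN); all values are placeholders.
EVENTS = [
    ("2023-01-05T10:00:00", "acct_1", "DAN_A"),
    ("2023-01-05T10:05:00", "acct_2", "DAN_A"),
    ("2023-01-05T10:09:00", "acct_3", "DAN_A"),  # one card+device funding a 3rd account
    ("2023-01-05T11:00:00", "acct_9", "DAN_B"),
    ("2023-01-05T11:02:00", "acct_9", "DAN_C"),
    ("2023-01-05T11:04:00", "acct_9", "DAN_D"),  # one account cycling through a 3rd DAN
    ("2023-01-05T12:00:00", "acct_5", "DAN_E"),
    ("2023-01-07T12:00:00", "acct_5", "DAN_E"),  # repeat customer, same card+device
]

WINDOW = timedelta(hours=24)  # assumed look-back period
MAX_ACCOUNTS_PER_DAN = 2      # assumed threshold
MAX_DANS_PER_ACCOUNT = 2      # assumed threshold


def dan_link_features(events, window=WINDOW):
    """Per event: distinct accounts seen on its DAN and distinct DANs seen on
    its account, counted over the trailing window (current event included)."""
    parsed = sorted((datetime.fromisoformat(ts), acct, dan) for ts, acct, dan in events)
    rows = []
    for i, (ts, acct, dan) in enumerate(parsed):
        recent = [e for e in parsed[: i + 1] if ts - e[0] <= window]
        accounts_on_dan = {a for _, a, d in recent if d == dan}
        dans_on_account = {d for _, a, d in recent if a == acct}
        rows.append({"ts": ts, "account": acct, "dan": dan,
                     "accounts_on_dan": len(accounts_on_dan),
                     "dans_on_account": len(dans_on_account)})
    return rows


def needs_review(row):
    """A review signal to combine with other signals, not a verdict on its own."""
    return (row["accounts_on_dan"] > MAX_ACCOUNTS_PER_DAN
            or row["dans_on_account"] > MAX_DANS_PER_ACCOUNT)


def flagged(events):
    """Return (account, DAN) pairs for events that cross either threshold."""
    return [(r["account"], r["dan"]) for r in dan_link_features(events) if needs_review(r)]


if __name__ == "__main__":
    for account, dan in flagged(EVENTS):
        print("review:", account, dan)
```

The repeat purchase on `DAN_E` stays unflagged because the same card on the same device keeps the same DAN, which is what makes the value usable as a linking key.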
Which made us wonder.
How will you use the unique features of Apple Pay?
As always, if you’re curious about what we do at Sardine, we’d love it if you get in touch with us.
Huge thanks to Garret and Soups for helping inspire this blog