Apple Will Shake up Contactless Payments in iOS 18.1
If you’re not a fan of Apple’s Wallet app, you’ll be happy to know that iOS 18.1 is about to bring you more options. In a surprise announcement today, Apple confirmed it will soon be taking the restrictions off its iPhone NFC contactless hardware to allow any developer to build its own payment solution.
Whether it’s a banking app for a single credit or debit card or a full-fledged wallet app, third-party app developers will not only be able to access the NFC chip and Secure Element but even set their apps up as the default that comes up when tapping to pay or double-pressing the side button to bring up a payment method.
Apple shared the first details today in a newsroom announcement, and it’s fair to say that it’s a game changer. Not only will the Secure Element be open to financial apps and third-party wallets, but it will also allow easier access to keys for your car, home, hotel, or office, along with loyalty cards, closed-loop transit systems, security badges, event tickets, and more.
The only things that won’t be supported out of the gate are government IDs, but Apple says even those are coming. This means that those states that don’t want to sign on with Apple’s Digital ID program will be able to roll iPhone NFC support into their own digital ID apps rather than relying on clumsier QR codes.
While third-party apps have had limited access to the iPhone’s NFC hardware for years, they were previously restricted by Apple’s policies and practical security limitations from using NFC for things like payments. However, Apple isn’t just changing its policies here; it’s also opening up the Secure Element to ensure that sensitive security keys and payment information can be stored safely on the iPhone.
A Secure Element is a tamper-resistant chip designed to store confidential data in a way that can’t be easily accessed by unauthorized apps or processes. With NFC payments, it’s essentially the mobile version of the smart EMV microprocessor chips found on physical credit and debit cards, and it’s formed the basis of Apple Pay from the very beginning.
When you provision a new credit or debit card for Apple Pay, or even a key or digital ID in Apple Wallet, the credentials for that card are cryptographically stored in the Secure Element. No other app on your iPhone — not even iOS itself — can read this data, making it impossible for your credit card information to be leaked or captured by malware. This hardware-level security means this data can’t be accessed even on a fully jailbroken iPhone. Apple Wallet can only instruct the Secure Enclave to present a payment or other security credential, and it can only be read by an authorized NFC reader.
“Apple has dedicated significant resources to design a solution that protects users’ security and privacy, leveraging a number of Apple’s proprietary hardware and software technologies when making a contactless transaction, including the Secure Enclave, biometric authentication, and Apple servers.” (Apple)
In iOS 18.1, third-party developers will now be able to use new NFC and SE APIs to store information in the Secure Element in the same way as Apple Wallet and call it up when requested for things like making payments, unlocking doors, or presenting security badges.
Even more significantly, iOS 18.1 will allow users to set up a default contactless app to replace Apple Wallet. The default app will automatically launch in the same situations as Apple Wallet, either by double-clicking the side button or when a compatible NFC reader is detected. However, the default won’t interfere with another NFC app running in the foreground, making it possible for multiple contactless apps to coexist.
While Apple is being forced to open up NFC in the European Union under the new Digital Markets Act (DMA), its decision to do so globally comes as a surprise. Other concessions under the DMA, like alternative app distribution, remain limited to the 27 EU countries. Apple may have decided it’s easier to make this available to developers worldwide, but it also likely sees the writing on the wall here and wants to get ahead of regulatory scrutiny in other countries.
It’s fair to say that Apple has a lot less to lose now that it’s established Apple Pay and Apple Wallet as a dominant platform. Had it launched open NFC payments from the start, many banks and credit card companies would have likely rolled their own solutions rather than embracing Apple Pay, and we might have found ourselves in a fragmented mess. That’s what happened with Android; although most banks eventually got on board with Google Wallet, some stubbornly held out for years, forcing customers to use their own apps to make payments instead.
Who Will Be Able to Create NFC Apps?
Apple isn’t opening the floodgates entirely here, as it wants to make sure that only trustworthy developers can participate. This means that a developer will have to prove to Apple that it meets the stringent security and privacy standards required for processing sensitive personal data. For example, any app wanting to support in-store NFC payments will need to comply with the same EMVCo standards required for physical credit and debit cards.
Apps that want to use the new NFC and SE APIs must also cover one of the following use cases:
- In-store NFC payments
- Car Keys
- Closed-loop transit
- Corporate Badge access
- Home Keys
- Hotel Keys
- Student IDs
- Merchant Loyalty/Reward programs
- Event Tickets
- Government IDs (coming in a future release)
Developers will need to enter into a special commercial agreement with Apple and have written policies and procedures covering how personal data is processed, how and when it’s disclosed to third parties, and how potential vulnerabilities in the iOS app and platform-related infrastructure will be handled. The app must also comply with all the NFC terminal standards.
Most of these requirements will be familiar to banks and other financial institutions since Apple isn’t setting a bar here that’s any higher than any other NFC platform. However, developers of less sensitive applications for things like event tickets, loyalty cards, and student IDs will likely have to do some legwork to meet Apple’s requirements.
Apps for such things must also come from the organizations behind them. For example, an app that handles student IDs can only be created by a university/school campus administrator or a developer with a valid, binding agreement with that university to do so. Similarly, car key apps have to be made by car manufacturers, hotel key apps by hotel chains, and closed-loop transit apps by transit operators — or developers that they’ve commissioned to do so under contract in each of these cases.
The NFC & SE Platform APIs are opening in iOS 18.1 and will likely be available in a future beta to allow developers to start getting apps ready. It will be rolling out initially to eligible developers based in Australia, Brazil, Canada, Japan, New Zealand, the United Kingdom, and the United States.