Receive the PKPaymentToken from the Apple Pay payment sheet; the token contains an encrypted payment data blob and header metadata
Retrieve your Apple Pay payment processing certificate private key from secure storage; use it to perform ECDH key agreement with the ephemeral public key in the token header
Derive a symmetric decryption key using the ECDH shared secret combined with the merchant identifier and other header fields according to Apple's key derivation specification
Decrypt the payment data using AES-256-GCM with the derived key to obtain the decrypted payment data JSON, which contains the DPAN (device PAN), expiry, and payment cryptogram
Submit the DPAN, expiry, ECI indicator, and cryptogram to your payment processor in the authorization request, flagging it as a network token or wallet transaction as appropriate
Validate the token's transaction time and amount against your order before submitting; reject tokens where these values do not match the expected order
Known gotchas
The Apple Pay cryptogram (TAVV equivalent) is single-use and tied to the transaction amount; reusing it or submitting a different amount will cause a decline or cryptogram validation failure
Certificate handling is critical: using the wrong merchant certificate or a certificate from a different merchant ID will produce garbage decryption output with no clear error message
Apple Pay tokens have a short validity window; implement timestamp validation before attempting decryption to detect and reject expired or replayed tokens