HCE-based contactless transactions for apps in the European Economic Area (EEA)
iOS 17.4 or later includes APIs that support contactless transactions for in-store payments, car keys, closed loop transit, corporate badges, home keys, hotel keys, merchant loyalty/rewards, and event tickets from within compatible iOS apps using host card emulation (HCE). Users based in the European Economic Area (EEA) with an iPhone running iOS 17.4 or later can initiate in-person NFC transactions from iOS apps at compatible NFC terminals or mobile devices.
To support contactless transactions, eligible iOS apps will need an HCE entitlement. The entitlement ensures that only authorized app developers who meet certain industry and regulatory requirements, and commit to ongoing security and privacy standards can access these APIs.
To help protect user privacy and security on iPhone, and to prevent payment transaction tokens and other sensitive personal and financial data from being compromised when using HCE, developers who want to build HCE capabilities into their app using these APIs will need to apply for the HCE Entitlement.
How it works
- NFC transactions. Users of eligible apps can initiate NFC transactions from within the app with compatible NFC terminals.
- Default app settings. Users can choose any eligible app as their default contactless app which will enable the app to support field detect and double-click.
- Field detect. The default contactless app automatically launches when the user places the device in the presence of a compatible NFC terminal and after user authentication (if the iPhone is locked).
- Double-click. The default contactless app automatically launches when the user double-clicks the side button (for Face ID devices) or the Home button (for Touch ID) and after user authentication (if the iPhone is locked).
- Support for non-default apps. Eligible apps running in the foreground can prevent the system default contactless app from launching and interfering with the NFC transaction.
Requirements and availability
Requires iPhone XS or later running iOS 17.4 or later.
If you’d like your app to support NFC transactions within the EEA, you’ll need the HCE Entitlement. To be eligible for the entitlement,
You must:
- Be established in the EEA;
- Meet all the security standards and privacy requirements that apply to the processing of sensitive personal and financial data in the EEA and to the HCE Application and their business, including security standards published by the PCI DSS and EMVCo (for supporting In-store NFC Payments), GDPR, or other applicable law; and
- Maintain (or have in place before the HCE Entitlement is granted) appropriate written policies and procedures for:
- The processing of personal data, including disclosure to third parties, and
- The disclosure, processing, and remediation of potential vulnerabilities in their HCE Application and back-end HCE infrastructure, and will have in place a process to promptly and without undue delay notify Apple of any actively exploited vulnerability in the HCE Application or HCE back-end infrastructure or of any Security incident.
Your app must:
- Be for iOS users in eligible EEA markets;
- Have the ability to support ISO 14443-4 and ISO 7816-4 commands in order to communicate with the NFC terminal;
- Follow the HCE requirements and experience guidelines below; and
- Support one of the following use cases:
- In-store NFC payments: If you are a financial institution (or you’ve partnered with a financial institution) and have a license to offer payment services or have a valid and binding agreement with a payment service provider (PSP) that’s licensed or authorized to offer payment services in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE Payments Application.
- Closed-loop transit: If you are a transport operator (or you’ve partnered with a transport operator) and have a license to offer transit tickets or have a valid and binding agreement with an entity that’s licensed or authorized to offer transit tickets in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE application for closed-loop contactless transactions.
- Car Keys: If you are a car manufacturer or have a valid and binding agreement with a car manufacturer enabling you to offer or facilitate the offering of virtual car keys for specific car brands in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE application.
- Home Keys: If you are a home key manufacturer or you’ve partnered with a home key manufacturer and you want to offer virtual home keys for your customers to lock or unlock their homes (single-family, multi-family, etc.), you can request access to iOS APIs to develop, test or distribute an HCE application.
- Hotel Keys: If you operate a hotel or have a valid and binding agreement with a hotel operator enabling you to offer or facilitate the offering of virtual keys to access hotel rooms in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE application.
- Corporate Badge access: If you operate an office building or have a valid and binding agreement with another entity enabling you to offer or facilitate the offering of virtual corporate badges to access office spaces in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE application.
- Merchant Loyalty/Reward programs: If you operate a loyalty program or have a valid and binding agreement with another entity enabling you to offer or facilitate the offering of a loyalty program to consumers in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE application.
- Event Tickets: If you are a live event operator or have a valid and binding agreement with a live event operator enabling you to offer or facilitate the offering of NFC-enabled tickets to access specific venues in the EEA, you can request access to iOS APIs to develop, test or distribute an HCE application.
Requesting the HCE Entitlement
This entitlement ensures that the developer requesting access to the APIs will adhere to certain industry and applicable regulatory requirements — such as conforming to industry security standards when handling personal data (for example, Payment Card Industry Data Security Standards), have a license or an agreement with entity that’s licensed (if the service you want to offer is regulated), have the required certifications for your app, and commit to ongoing security and privacy standards to access and use these capabilities. You are responsible for ensuring you meet these requirements before submitting your request.
To get started, submit the entitlement request form. You’ll need to be an Account Holder in the Apple Developer Program, provide the additional details listed below, and agree to the entitlement’s terms and conditions. Please make sure your request is as complete as possible to avoid delays.
App name and Bundle ID. Enter your app name, and the bundle ID (the app’s unique identifier) that you plan to use. Entitlement requests are per bundle ID and assigned entitlements can only be used with the single binary associated with the bundle ID.
Use case: Indicate the use cases you plan to support in your app with the HCE Entitlement.
List AID or RID prefixes: Enter a list of Application Identifier (AIDs) or Registered Application Provider Identifiers (RIDs) associated with your app.
Important: If you had been previously granted a HCE development entitlement and would like to apply for a distribution entitlement, please resubmit your request and accept the terms on the entitlement request form. As part of your resubmission request, please also include AIDs you’ve previously submitted and plan to continue using as part of your HCE solution.
Providing an HCE experience within your app
Design guidelines
Display the in-app NFC presentment sheet
Eligible iOS apps running on supported iPhone models must use the proposed solution to present an eligible credential to a compatible near-field communication (NFC) terminal. In the iOS app, you must invoke an NFC presentment sheet with customizable text whenever users are about to make a contactless transaction.
Use familiar terminology and provide brief instructional text
NFC may be unfamiliar to some people. To make it approachable, avoid referring to technical, developer-oriented terms like NFC, Core NFC, near-field communication, etc. Instead, use friendly, conversational terms that most people will understand. For example:
| Use | Don’t use |
|---|---|
| Hold your iPhone near the [object name] to make a payment. | To use NFC payments, tap your phone to the [object name]. |
Presentment Intent Assertion
In order to enable a seamless experience, eligible app developers can prevent the system default contactless app from launching and interfering with their contactless transaction.
You can acquire a presentment intent assertion to suppress the default contactless app when the user expresses an active intent to perform an NFC transaction, like choosing a payment or closed-loop transit credential or activating the presentment UI. You can only invoke the intent assertion capability when your app is in the foreground.
The intent assertion expires if any of the following occur:
- The intent assertion object deinitializes
- Your app goes into the background
- 15 seconds elapse
After the intent assertion expires, your app will need to wait 15 seconds before acquiring a new intent assertion.
Important: Use of the intent assertion API outside of the presentment intent, or abuse of this API for unsupported use cases, is against Apple policy and could result in being blocked from installation from the App Store or through alternative app marketplaces.
Only show the in-app NFC presentment sheet for eligible devices and users
Before presenting the NFC presentment sheet for contactless transactions, we recommend using the CardSession.isEligible iOS API to validate eligibility for contactless experiences. If CardSession.isEligible returns False, your app will be unable to invoke the presentment sheet. Applications should hide or otherwise disable features requiring CardSession when not eligible to deliver a good user experience.
Distinguish this solution from Apple Pay and Apple Wallet
The HCE-based solution is independent of Apple Pay and Apple Wallet, so to avoid any customer confusion between Apple Pay, Apple Wallet and this solution, it’s essential to distinguish the presentment experience from Apple Pay and Apple Wallet when leveraging this solution.
Specifically, avoid displaying an Apple Pay or Apple Wallet mark or logo in any button that launches the in-app NFC presentment sheet for HCE transactions.
In addition, when you design the user experience in your iOS app using the HCE-based solution, do not use visuals, graphic symbols, logos, icons or marks that appear confusingly similar to Apple Pay or Wallet.
Finally, you may not use any Apple Wallet or Apple Pay owned graphic symbol, logo, or icon in your HCE-based solution. This includes any variations or takeoffs of the Apple Wallet UI or the “Checkmark” presented after the transaction.
Configuring and enabling the entitlement in Xcode
Once you receive an email confirmation that the entitlement was assigned to your account and you’ve configured the app ID in Certificates, Identifiers & Profiles to support this entitlement, you’ll need to update your Xcode project, entitlements plist file, and Info.plist file to list the entitlement and metadata. The entitlement is compatible with iOS 17.4 and later on iPhone.
- In the Project navigator, select the .entitlements file. The filename is prefixed with an
icon. - In the entitlements plist file, add a new entitlement key pair by holding the pointer over the Entitlements File row and clicking the add button (+).
- Provide the following values for this entitlement:
- Key: com.apple.developer.nfc.hce
- Type: BOOL
- Value: YES/NO
- Key: com.apple.developer.nfc.hce.iso7816.select-identifier-prefixes
- Type: Array of String
- Value: A list of AIDs or RIDs associated with the applications intended to be used with the iOS app.
- Examples:
- 325041592E5359532E4444463031 - PPSE
- A0000000032020 - Visa
- A0000000042010 - Mastercard
- A0000004400001010001 - HID
- A0000003964D344D24040181F8020001 - MIFARE
- Key: com.apple.developer.nfc.hce.default-contactless-app
- Type: BOOL
- Value: YES/NO
- Key: com.apple.developer.nfc.hce
- Provide the required metadata in your Info.plist file as described in Updating your Info.plist file.
On the next build to your device or distribution request in Xcode Organizer, Xcode will detect that the .entitlements file and cached provisioning profile don’t match, and will request a new provisioning profile based on the latest app ID configuration to complete the code signing process.
Testing requirements
To test HCE-based contactless transactions, you’ll need to test with an iPhone and NFC hardware within the EEA. CardSession requires the presence of an NFC reader, which isn’t supported in Simulator, to perform an ISO 7816 card emulation session. Please make sure:
- Your iPhone is running iOS 17.4 or later
- You’ve signed in with an Apple ID based in an EEA country or region
Submitting your app for review in App Store Connect
When submitting your new or updated app binary for review in App Store Connect, make sure to follow these submission requirements as well as the design guidelines, terms and conditions of the entitlement, the App Review Guidelines, and the Apple Developer Program License Agreement.
Please provide the following in order for us to evaluate your app and approve it for distribution:
- Access to a pre-release TestFlight version of your app
- Test login details
- At least one Test payment credential that can be provisioned and used in your HCE app for the purposes of making an NFC transaction
- Screenshots or Video of your app being used at a terminal for an NFC transaction
- Video of your app demonstrating an implementation of the Presentment Intent Assertion API
If your submission is incomplete, review times may be delayed or your app may be rejected. Once your app has been reviewed, its status will be updated in App Store Connect and you will be notified. At all times, you’ll need to make sure your app’s entitlement details match your app’s binary, and are up to date.
To make updates to your entitlement details, such as adding a new AID or RID, re-submit the entitlement request form.