NFC & SE Platform for secure contactless transactions
iOS 18.1 introduced APIs that support secure contactless transactions within compatible iOS apps using the NFC & SE Platform for in-store payments, car keys, closed loop transit, corporate badges, student ID, home keys, hotel keys, merchant loyalty and rewards, and event tickets, with government IDs to be available at a later date.
The NFC & SE Platform is a secure solution developed by Apple that enables authorized developers to provide capabilities, such as securely adding, storing, and presenting a contactless card for NFC use cases, from within their iOS app.
The NFC & SE Platform uses several hardware and software features, such as the Secure Element, Secure Enclave, and Apple Servers, to facilitate secure and reliable NFC transactions on iPhone. Developers and partners, such as bank card issuers, car key manufacturers, and transit operators (to name a few), will find the platform an effective component of a seamless and secure iOS experience.
To help protect user privacy and security on iPhone, developers who want to build secure contactless experiences into their iOS apps using these APIs will need to enter into an agreement with Apple and request the NFC & SE Platform Entitlement. This ensures that only authorized developers who meet certain industry and regulatory requirements, and commit to ongoing security and privacy standards, can access these APIs.
How it works
- NFC transactions. Users of eligible iOS apps can initiate NFC transactions from within the app with compatible NFC terminals.
- Default app settings. Users can choose any eligible app as their default contactless app which will enable the app to support Field-detect and Double-click features.
- Field-detect. The default contactless app automatically launches when a user presents their iPhone to a compatible NFC terminal and after user authentication (if their iPhone is locked).
- Double-click. The default contactless app automatically launches when the user double-clicks the side button (for Face ID devices) or the Home button (for Touch ID) and after user authentication (if the iPhone is locked).
- Support for non-default apps. Eligible apps running in the foreground can prevent the system default contactless app from launching and interfering with the NFC transaction.
Requirements and availability
Supporting NFC transactions using the NFC & SE Platform requires the following.
- iPhone XS or later running iOS 18.1 or later.
- The NFC & SE Platform Entitlement. To be eligible for the entitlement, you must:
- Be established in one of the following eligible territories: Australia, Brazil, Canada, Japan, New Zealand, the United Kingdom, and the United States (excluding Guam, American Samoa, Puerto Rico, US Virgin Islands, and Northern Mariana Island).
- Meet all of the security standards and privacy requirements that apply to the processing of personal data in the eligible territory and to the NFC & SE Platform Application and your business, including security standards published by the PCI DSS and EMVCo (for supporting In-store NFC payments), data protection laws, GDPR, or other applicable national law.
- Maintain (or have in place before the NFC & SE Platform Entitlement is granted) appropriate written policies and procedures for:
- The processing of personal data, including disclosure to third parties, and
- The disclosure, processing, and remediation of potential vulnerabilities in your iOS app and back-end NFC & SE Platform related infrastructure, and will have in place a process to promptly and without undue delay notify Apple of any actively exploited vulnerability in the NFC & SE Platform Application or NFC & SE Platform partner back-end infrastructure or of any security incident.
- Your app must be for iOS users in eligible territories*
- Your app must support one or more of the following use cases:
- In-store NFC payments: If you are a financial institution (or you’ve partnered with a financial institution) and have a license to offer payment services or have a valid and binding agreement with a payment service provider (PSP) that’s licensed or authorized to offer payment services in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based Payment Application.
- Car Keys: If you are a car manufacturer or have a valid and binding agreement with a car manufacturer enabling you to offer or facilitate the offering of virtual keys in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based application for accessing and managing virtual keys.
- Closed-loop transit: If you are a transport operator (or you’ve partnered with a transport operator) and have a license to offer transit tickets or have a valid and binding agreement with an entity that’s licensed or authorized to offer transit tickets in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based application for closed-loop transit contactless transactions.
- Corporate Badge access: If you operate an office building or have a valid and binding agreement with another entity enabling you to offer or facilitate the offering of virtual corporate badges to access office spaces in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based application for accessing and managing virtual corporate badges.
- Home Keys: If you are a home key manufacturer or you’ve partnered with a home key manufacturer and you want to offer virtual home keys for your customers to lock or unlock their homes (single-family, multi-family, etc.) in the eligible territories, you can request access to iOS APIs to develop, test or distribute an NFC & SE Platform-based application for accessing and managing virtual home keys.
- Hotel Keys: If you operate a hotel or have a valid and binding agreement with a hotel operator enabling you to offer or facilitate the offering of virtual keys to access hotel rooms in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based application for accessing and managing virtual keys.
- Student ID: If you are a university/school campus administrator or have a valid binding agreement with a university or school another entity enabling you to offer or facilitate the offering of virtual keycards to access the campus space in the eligible territories, you can request APIs to develop, test, or distribute capability for your app to offer virtual student IDs for accessing and managing virtual campus keycards.
- Merchant Loyalty/Reward programs: If you operate a loyalty program or have a valid and binding agreement with another entity enabling you to offer or facilitate the offering of a loyalty program to consumers, you can request access to APIs to develop, test, or distribute an NFC & SE Platform-based application for accessing and managing loyalty programs.
- Event Tickets: If you are a live event operator or have a valid and binding agreement with a live event operator enabling you to offer or facilitate the offering of NFC-enabled tickets to access specific venues in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based application for accessing and managing NFC-enabled tickets.
- Government ID: If you are a government entity or have a valid and binding agreement with a government entity enabling you to offer or facilitate the offering of NFC-enabled government IDs to access specific services in the eligible territories, you can request access to iOS APIs to develop, test, or distribute an NFC & SE Platform-based application for accessing and managing NFC-enabled government IDs.**
- Your app must have the ability to support ISO 14443-4 and ISO 7816-4 commands in order to communicate with the NFC terminal.
- You must have a fully configured and approved NFC & SE Platform product configuration in Apple Business Register (ABR) in order to develop, test, and or distribute your apps in eligible territories.
Requesting access to the NFC & SE Platform
If you’re interested in delivering an NFC & SE Platform-enabled experience to iOS users, the Account Holder of your Apple Developer Program membership will need to submit a request for the NFC & SE Platform, and follow the steps below.
- Enter into a valid and binding agreement with Apple. This agreement includes commercial terms and any applicable fees for the use of the NFC & SE Platform for secure storage and presentment of relevant credentials.
- If you don’t have an existing Confidentiality Agreement with Apple, enter into a valid and binding Confidentiality Agreement with Apple.
- Once you’ve entered into a valid agreement and Confidentiality Agreement with Apple, you can onboard your organization into Apple Business Register (ABR) and request the NFC & SE Entitlement for your iOS app.
- This entitlement ensures that you will adhere to certain industry and applicable regulatory requirements — such as conforming to industry security standards when handling personal data (for example, Payment Card Industry Data Security Standards), having a license or an agreement with an entity that’s licensed (if the service you want to offer is regulated), having the required certifications for your app, and committing to ongoing security and privacy standards to access and use these capabilities. You are responsible for ensuring you meet these requirements before submitting your request.
- Once a valid contract is in place, the partner can source and deliver its applets to Apple as per Apple’s specifications using Apple Business Register (ABR).
- Perform a security review of your applet through a designated lab.
- Before you deliver your applet to Apple to be installed on a users’ iPhone, you’ll need to ensure the applet has been reviewed and validated by an independent accredited third party lab. This validation ensures that the applet is not harmful, can be safely deployed onto iPhone, and follows Apple platform security guidance.
- You can then deliver your applet bundle along with other product specifications (e.g., SP-TSM, Team ID, etc.) to Apple for verification. Upon successful verification, the applet bundle is signed and hosted on Apple servers, and is subsequently downloaded to a user’s iPhone when the credential associated with your solution provisioned by the user.
- Develop in-app UX for Provisioning, Presentment, Life Cycle Management, Presentment Intent Assertion APIs in accordance with Apple specifications.
- Provisioning: On a request from your iOS app running on your user’s iPhone for provisioning a card, the Apple server will download the signed applet corresponding to the card scheme that is requested by the user, create a memory partition on the Secure Element for the card (also referred to as ‘applet instance’) and then pass control to the NFC & SE Platform partner servers for personalizing the card. Once the personalization process is complete, the card is ready to use for NFC transactions.
- NFC Transaction and Presentment:
- An NFC transaction can be made only after authorization from the Secure Enclave. On iPhone, this involves confirming that the user has authenticated with Face ID, Touch ID, or the device passcode. While the default method is Face ID or Touch ID, if available, the passcode can be used at any time.
- A user can initiate an NFC transaction by launching an eligible iOS app and selecting the credential to present to the NFC terminal which invokes a transaction authorization API.
- The transaction authorization API presents a user interface that prompts the user to double-click the side button and authenticate using Face ID or activate the Touch ID sensor and authenticate through fingerprint matching. If biometrics is unavailable or disabled, the device passcode can be used instead. When the user authorizes a transaction, which includes a physical gesture communicated directly to the Secure Enclave, the Secure Enclave sends signed data about the type of authentication and details about the type of transaction to the Secure Element. The applet within the Secure Element associated with the user’s selected credential prepares the transaction data, which is routed to the NFC field.
- Life Cycle Management: You can update a user’s credential data by sending the appropriate commands directly to your iOS app. A provisioned credential can be deleted by the user from within the iOS app or if the user deletes the or initiates a remote wipe using FindMy.
- Presentment Intent Assertion:
- In order to enable a seamless transaction experience, eligible app developers can prevent the system default contactless app from launching and interfering with contactless transactions.
- You can acquire a presentment intent assertion to suppress the default contactless app when the user expresses an active intent to perform an NFC transaction, like choosing a payment or closed-loop transit credential, or activating the presentment UI. You can only invoke the intent assertion capability when your app is in the foreground.
- The intent assertion expires if any of the following occur:
- The intent assertion object de-initializes.
- Your app goes into the background.
- 15 seconds elapse.
- After the intent assertion expires, your app will need to wait 15 seconds before acquiring a new intent assertion.
Important: Use of the intent assertion API outside of an eligible NFC transaction intent or other abuse of this API is against Apple policy and could result in being blocked from installation from the App Store or through alternative app marketplaces.
To summarize, in order to qualify for the access to NFC & SE Platform, you must:
- Have a valid agreement with Apple for use of the NFC & SE Platform framework.
- Meet the eligibility criteria for the capability you want to use in your iOS app.
- Provide capabilities only to users based in the eligible markets.
- Follow the NFC & SE Platform requirements and experience guidelines below.
- Onboarded your organization into Apple Business Register (ABR) for NFC & SE Platform.
Submit a request and be approved for access to the NFC & SE Platform Entitlement.
Design guidelines
Providing an NFC & SE Platform experience within your app
Reinforce the selected card and app in the Transaction Authorization sheet
Replay the app name and the specific cards used for this transaction to assure your users that the card they picked in your app is the one being used for the transaction.
Only show the in-app NFC Transaction Authorization sheet for eligible devices and users
Before presenting the NFC presentment sheet for contactless transactions, we recommend using the CredentialSession.isEligible iOS API to validate eligibility for contactless experiences. If CredentialSession.isEligible returns False, your app will be unable to invoke the presentment sheet. To deliver a good user experience, apps should hide or otherwise disable features requiring CredentialSession when ineligible to use it.
Distinguish this solution from Apple Pay and Apple Wallet
The NFC & SE Platform is independent of Apple Pay and Apple Wallet, so it’s essential to distinguish the presentment experience when using this solution.
- Avoid displaying an Apple Pay or Apple Wallet mark or logo in any button that launches the in-app NFC presentment sheet for NFC transactions.
- Don’t use visuals, graphic symbols, logos, icons or marks that appear confusingly similar to Apple Pay or Wallet.
- Don’t use any graphic symbols, logos, or icons used by Apple Pay or Apple Wallet in your NFC & SE Platform user experience. This includes any variations or takeoffs of the Apple Wallet UI including the design of Apple Wallet passes including credit, debit, prepaid cards, driver’s license or state ID, transit cards, event tickets, keys, or the checkmark presented after the transaction.
Important: Violation of the above design guidelines is against Apple policy and could result in being blocked from installation from the App Store or through alternative distribution.
Configuring and enabling the entitlement in Xcode
Once you receive an email confirmation that the entitlement was assigned to your account and you configure the app ID in Certificates, Identifiers & Profiles to support this entitlement, you’ll need to update your Xcode project, entitlements plist file, and Info.plist file to list the entitlement and metadata. The entitlement is compatible with iOS 18.1 and later on iPhone.
- In the Project navigator, select the .entitlements file. The filename is prefixed with an icon.
- In the entitlements plist file, add a new entitlement key pair by holding the pointer over the Entitlements File row and clicking the add button (+).
- Provide the following values for this entitlement:
- Key: com.apple.developer.secure-element-credential
- Type: BOOL
- Value: YES/NO
- Key: com.apple.developer.secure-element-credential.default-contactless-app
- Type: BOOL
- Value: YES/NO
- Provide the required metadata in your Info.plist file as described in Updating your Info.plist file.
- Key: com.apple.developer.secure-element-credential
On the next build to your device or distribution request in Xcode Organizer, Xcode will detect that the .entitlements file and cached provisioning profile don’t match, and will request a new provisioning profile based on the latest app ID configuration to complete the code signing process.
Testing requirements
To test NFC & SE Platform-based contactless transactions, you’ll need to test with iPhone and NFC hardware within the eligible markets. CredentialSession requires the presence of an NFC reader, which isn’t supported in Simulator, to perform an ISO 7816 card emulation session.
Please make sure:
- Your iPhone is running iOS 18.1 or later.
- You’ve signed in to an Apple Account based in an eligible territory.*
Submitting your app for review in App Store Connect
When submitting your new or updated app binary for review in App Store Connect, make sure to follow these submission requirements as well as the design guidelines, terms and conditions of the entitlement, the App Review Guidelines, and the Apple Developer Program License Agreement.
Please provide the following in order for us to evaluate your app and approve it for distribution:
- Access to a pre-release TestFlight version of your app.
- Test login details.
- At least one test credential that can be provisioned and used in your NFC & SE Platform capable iOS app for the purposes of making an NFC transaction.
- Screenshots or Video of your app being used at a terminal for an NFC transaction.
- Video of your app demonstrating an implementation of the Presentment Intent Assertion API.
If your submission is incomplete, review times may be delayed or your app may be rejected. Once your app has been reviewed, its status will be updated in App Store Connect and you will be notified. At all times, you’ll need to make sure your app’s entitlement details match your app’s binary, and are up to date.