Digital wallets with Issuing
Let users add cards to Apple Pay, Google Pay, and Samsung Pay for seamless, tokenized payments.
Digital wallets allow cardholders to store payment credentials securely and make contactless, in-app, and online payments without using a physical card.
Passport-issued debit cards can be added to supported wallets, enabling:
- Faster checkout experiences
- Secure, tokenized transactions
- Improved user engagement and activation
Wallet provisioning is supported via API-based integrations, ensuring that sensitive card data is never exposed during the process.
Supported Wallets
- Apple Pay
- Google Pay
- Samsung Pay
Wallet Provisioning Lifecycle
The sequence diagram below shows the end-to-end flow for push provisioning a card to a digital wallet.
sequenceDiagram
participant User as Cardholder
participant App as Your application
participant PCE as PCE
participant Wallet as Wallet Provider
participant Network as Card Network
User->>App: Tap "Add to Wallet"
App->>PCE: POST /card/{id}/provision
PCE->>PCE: Generate encrypted payload
PCE-->>App: Encrypted card data
App->>Wallet: Forward payload (SDK)
Wallet->>Network: Request device token
Network-->>Wallet: Device-specific token
Wallet-->>User: Card added to wallet
Scenarios
Scenario 1: Provision Card to Apple Pay
Use this scenario to add a card to Apple Pay directly from your app using push provisioning for instant tap-to-pay capability.
Business Context: A neobank customer opens their mobile app and taps "Add to Apple Wallet" on their newly issued debit card. The app uses push provisioning to instantly add the card to Apple Pay, enabling contactless payments at millions of merchants worldwide without waiting for the physical card to arrive.
Flow
sequenceDiagram
participant App as Your application
participant PCE as PCE
participant Apple as Apple Pay
participant Network as Visa/Mastercard
App->>PCE: POST /card/{id}/provision
Note right of App: walletProvider: APPLE_PAY
Note right of App: cert1, cert2, nonce, nonceSignature
PCE->>PCE: Encrypt card data (PCI-DSS compliant)
PCE-->>App: 200 — Encrypted payload
App->>Apple: PassKit SDK
Apple->>Network: Request device-specific token
Network-->>Apple: DPAN token generated
Apple-->>App: Provisioning complete
Prerequisites
- Card (id: 55903) is issued and in
ACTIVEstatus.- Apple Pay certificates (
cert1,cert2) are configured in your Apple Developer account.- Nonce and signature from Apple PassKit SDK are available (generated per provisioning request).
- Device supports Apple Pay (iPhone 6 or later, Apple Watch).
- Customer has completed identity verification.
Example Request
POST /v1/customer/id/48201/issuance/card/id/55903/provision
{
"walletProvider": "APPLE_PAY",
"cert1": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
"cert2": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
"nonce": "8a7b6c5d4e3f2g1h",
"nonceSignature": "MEUCIQDKvP8vKLg9..."
}Example Response
{
"status": "success",
"data": {
"encryptedPassData": "eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0...",
"activationData": "VGhpcyBpcyBhY3RpdmF0aW9uIGRhdGE=",
"ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE..."
}
}Security Note: The original card number (PAN) is never stored on the device. Apple Pay uses a device-specific token (DPAN) for all transactions, ensuring PCI-DSS compliance and reducing fraud risk.
Scenario 2: Provision Card to Google Pay
Use this scenario to add a card to Google Pay from your Android app for NFC tap-to-pay at merchants.
Business Context: A fintech app user on Android wants to pay for coffee using their phone. They tap "Add to Google Pay" in the app, and within seconds their debit card is tokenized and ready for contactless payments at any NFC-enabled terminal.
Flow
sequenceDiagram
participant App as Your application
participant PCE as PCE
participant Google as Google Pay
participant Network as Visa/Mastercard
App->>PCE: POST /card/{id}/provision
Note right of App: walletProvider: GOOGLE_PAY
Note right of App: walletAccountId, deviceId
PCE->>PCE: Generate OPC (Opaque Payment Card) data
PCE-->>App: 200 — Provisioning data
App->>Google: TapAndPay SDK
Google->>Network: Token request
Network-->>Google: Device token issued
Google-->>App: Card tokenized
Prerequisites
- Card (id: 55903) is issued and in
ACTIVEstatus.- Google Pay is available on the device (Android 5.0+ with NFC).
- Wallet Account ID retrieved from Google TapAndPay SDK.
- Device ID from the Android device (unique per device).
- Google Play Services is up to date.
Example Request
POST /v1/customer/id/48201/issuance/card/id/55903/provision
{
"walletProvider": "GOOGLE_PAY",
"walletAccountId": "ABCDEfghij1234567890",
"deviceId": "android-device-a1b2c3d4e5f6"
}Example Response
{
"status": "success",
"data": {
"opaquePaymentCard": "eyJhbGciOiJBMjU2R0NNS1ciLCJlbmMiOiJBMjU2R0NNIiwiaXYiOiI...",
"tokenServiceProvider": "VISA",
"lastFourDigits": "4567",
"network": "VISA"
}
}Token Management: Each device gets a unique token. If the user provisions the same card on multiple devices, each device will have its own DPAN (Device Primary Account Number).
Scenario 3: Provision Card to Samsung Pay
Use this scenario to add a card to Samsung Pay on supported Samsung devices.
Flow
sequenceDiagram
participant App as Your application
participant PCE as PCE
participant Samsung as Samsung Pay
App->>PCE: POST /card/{id}/provision
Note right of App: walletProvider: SAMSUNG_PAY
PCE-->>App: 200 — Provisioning data
App->>Samsung: Samsung Pay SDK
Samsung-->>App: Card added
Prerequisites
- Card is issued and in
ACTIVEstatus.- Samsung Pay is available on the device.
- Samsung Pay SDK is integrated in your app.
Example Request
POST /v1/customer/id/{customerId}/issuance/card/id/{cardId}/provision
{
"walletProvider": "SAMSUNG_PAY",
"walletAccountId": "samsung-wallet-67890",
"deviceId": "samsung-device-xyz"
}Provisioning Methods
Cards can be added to digital wallets using two approaches:
| Method | Experience | Integration Effort |
|---|---|---|
| Manual Provisioning | Cardholder enters card details in wallet app | No integration required |
| Push Provisioning | Add card directly from your app (one-tap experience) | Requires API + wallet integration |
Push provisioning is recommended for a frictionless user experience and higher activation rates.
How Push Provisioning Works
The push provisioning flow enables secure, tokenized card addition directly from your application.
Push provisioning follows a standard, network-defined flow used across digital wallet providers (such as Apple Pay, Google Pay, and Samsung Pay).
The steps below represent the typical industry process for securely provisioning a card to a digital wallet.
- Cardholder taps “Add to Wallet” in your app
- Create card using card issuance API
- Receive card identifier
- Call provisioning API
- Receive encrypted card payload
- Forward payload to wallet provider (SDK/API)
- Wallet requests token from card network
- Network generates device-specific token
- Wallet stores token → card is ready for use
Provision a Card
Use the POST /v1/customer/id/{id}/issuance/card/id/{id}/provision API to provision a card to a digital wallet.
Key Parameters:
| Field | Description |
|---|---|
walletProvider | Target wallet (APPLE_PAY, GOOGLE_PAY, SAMSUNG_PAY) |
cert1, cert2 | Apple Pay certificates (required for Apple Pay) |
nonce, nonceSignature | Apple-provided security parameters |
walletAccountId | Wallet account ID (Google / Samsung) |
deviceId | Device identifier from wallet provider |
When a card is provisioned:
- A device-specific network token is generated
- The original card number is never exposed
- Each wallet-device combination gets a unique token
This ensures:
- Reduced fraud risk
- Secure transactions across all channels
Operational Considerations
Card Replacement & Wallet Sync: When a card is replaced:
- Wallets do not automatically update card details
- Existing tokens may become invalid
- Transactions may be declined
To restore functionality:
- Re-provision the card using push provisioning, or
- Manually re-add the card in the wallet
Updated 4 days ago