Digital wallets with Issuing

Let users add cards to Apple Pay, Google Pay, and Samsung Pay for seamless, tokenized payments.

Digital wallets allow cardholders to store payment credentials securely and make contactless, in-app, and online payments without using a physical card.

Passport-issued debit cards can be added to supported wallets, enabling:

  • Faster checkout experiences
  • Secure, tokenized transactions
  • Improved user engagement and activation

Wallet provisioning is supported via API-based integrations, ensuring that sensitive card data is never exposed during the process.

Supported Wallets

  • Apple Pay
  • Google Pay
  • Samsung Pay

Wallet Provisioning Lifecycle

The sequence diagram below shows the end-to-end flow for push provisioning a card to a digital wallet.

sequenceDiagram
    participant User as Cardholder
    participant App as Your application
    participant PCE as PCE
    participant Wallet as Wallet Provider
    participant Network as Card Network
    
    User->>App: Tap "Add to Wallet"
    App->>PCE: POST /card/{id}/provision
    PCE->>PCE: Generate encrypted payload
    PCE-->>App: Encrypted card data
    App->>Wallet: Forward payload (SDK)
    Wallet->>Network: Request device token
    Network-->>Wallet: Device-specific token
    Wallet-->>User: Card added to wallet

Scenarios

Scenario 1: Provision Card to Apple Pay

Use this scenario to add a card to Apple Pay directly from your app using push provisioning for instant tap-to-pay capability.

Business Context: A neobank customer opens their mobile app and taps "Add to Apple Wallet" on their newly issued debit card. The app uses push provisioning to instantly add the card to Apple Pay, enabling contactless payments at millions of merchants worldwide without waiting for the physical card to arrive.

Flow

sequenceDiagram
    participant App as Your application
    participant PCE as PCE
    participant Apple as Apple Pay
    participant Network as Visa/Mastercard
    
    App->>PCE: POST /card/{id}/provision
    Note right of App: walletProvider: APPLE_PAY
    Note right of App: cert1, cert2, nonce, nonceSignature
    PCE->>PCE: Encrypt card data (PCI-DSS compliant)
    PCE-->>App: 200 — Encrypted payload
    App->>Apple: PassKit SDK
    Apple->>Network: Request device-specific token
    Network-->>Apple: DPAN token generated
    Apple-->>App: Provisioning complete

Prerequisites

  • Card (id: 55903) is issued and in ACTIVE status.
  • Apple Pay certificates (cert1, cert2) are configured in your Apple Developer account.
  • Nonce and signature from Apple PassKit SDK are available (generated per provisioning request).
  • Device supports Apple Pay (iPhone 6 or later, Apple Watch).
  • Customer has completed identity verification.

Example Request

POST /v1/customer/id/48201/issuance/card/id/55903/provision

{
  "walletProvider": "APPLE_PAY",
  "cert1": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
  "cert2": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
  "nonce": "8a7b6c5d4e3f2g1h",
  "nonceSignature": "MEUCIQDKvP8vKLg9..."
}

Example Response

{
  "status": "success",
  "data": {
    "encryptedPassData": "eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0...",
    "activationData": "VGhpcyBpcyBhY3RpdmF0aW9uIGRhdGE=",
    "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE..."
  }
}

Security Note: The original card number (PAN) is never stored on the device. Apple Pay uses a device-specific token (DPAN) for all transactions, ensuring PCI-DSS compliance and reducing fraud risk.


Scenario 2: Provision Card to Google Pay

Use this scenario to add a card to Google Pay from your Android app for NFC tap-to-pay at merchants.

Business Context: A fintech app user on Android wants to pay for coffee using their phone. They tap "Add to Google Pay" in the app, and within seconds their debit card is tokenized and ready for contactless payments at any NFC-enabled terminal.

Flow

sequenceDiagram
    participant App as Your application
    participant PCE as PCE
    participant Google as Google Pay
    participant Network as Visa/Mastercard
    
    App->>PCE: POST /card/{id}/provision
    Note right of App: walletProvider: GOOGLE_PAY
    Note right of App: walletAccountId, deviceId
    PCE->>PCE: Generate OPC (Opaque Payment Card) data
    PCE-->>App: 200 — Provisioning data
    App->>Google: TapAndPay SDK
    Google->>Network: Token request
    Network-->>Google: Device token issued
    Google-->>App: Card tokenized

Prerequisites

  • Card (id: 55903) is issued and in ACTIVE status.
  • Google Pay is available on the device (Android 5.0+ with NFC).
  • Wallet Account ID retrieved from Google TapAndPay SDK.
  • Device ID from the Android device (unique per device).
  • Google Play Services is up to date.

Example Request

POST /v1/customer/id/48201/issuance/card/id/55903/provision

{
  "walletProvider": "GOOGLE_PAY",
  "walletAccountId": "ABCDEfghij1234567890",
  "deviceId": "android-device-a1b2c3d4e5f6"
}

Example Response

{
  "status": "success",
  "data": {
    "opaquePaymentCard": "eyJhbGciOiJBMjU2R0NNS1ciLCJlbmMiOiJBMjU2R0NNIiwiaXYiOiI...",
    "tokenServiceProvider": "VISA",
    "lastFourDigits": "4567",
    "network": "VISA"
  }
}

Token Management: Each device gets a unique token. If the user provisions the same card on multiple devices, each device will have its own DPAN (Device Primary Account Number).


Scenario 3: Provision Card to Samsung Pay

Use this scenario to add a card to Samsung Pay on supported Samsung devices.

Flow

sequenceDiagram
    participant App as Your application
    participant PCE as PCE
    participant Samsung as Samsung Pay
    
    App->>PCE: POST /card/{id}/provision
    Note right of App: walletProvider: SAMSUNG_PAY
    PCE-->>App: 200 — Provisioning data
    App->>Samsung: Samsung Pay SDK
    Samsung-->>App: Card added

Prerequisites

  • Card is issued and in ACTIVE status.
  • Samsung Pay is available on the device.
  • Samsung Pay SDK is integrated in your app.

Example Request

POST /v1/customer/id/{customerId}/issuance/card/id/{cardId}/provision

{
  "walletProvider": "SAMSUNG_PAY",
  "walletAccountId": "samsung-wallet-67890",
  "deviceId": "samsung-device-xyz"
}

Provisioning Methods

Cards can be added to digital wallets using two approaches:

MethodExperienceIntegration Effort
Manual ProvisioningCardholder enters card details in wallet appNo integration required
Push ProvisioningAdd card directly from your app (one-tap experience)Requires API + wallet integration

Push provisioning is recommended for a frictionless user experience and higher activation rates.


How Push Provisioning Works

The push provisioning flow enables secure, tokenized card addition directly from your application.

Push provisioning follows a standard, network-defined flow used across digital wallet providers (such as Apple Pay, Google Pay, and Samsung Pay).

The steps below represent the typical industry process for securely provisioning a card to a digital wallet.

  • Cardholder taps “Add to Wallet” in your app
  • Create card using card issuance API
  • Receive card identifier
  • Call provisioning API
  • Receive encrypted card payload
  • Forward payload to wallet provider (SDK/API)
  • Wallet requests token from card network
  • Network generates device-specific token
  • Wallet stores token → card is ready for use

Provision a Card

Use the POST /v1/customer/id/{id}/issuance/card/id/{id}/provision API to provision a card to a digital wallet.

Key Parameters:

FieldDescription
walletProviderTarget wallet (APPLE_PAY, GOOGLE_PAY, SAMSUNG_PAY)
cert1, cert2Apple Pay certificates (required for Apple Pay)
nonce, nonceSignatureApple-provided security parameters
walletAccountIdWallet account ID (Google / Samsung)
deviceIdDevice identifier from wallet provider

When a card is provisioned:

  • A device-specific network token is generated
  • The original card number is never exposed
  • Each wallet-device combination gets a unique token

This ensures:

  • Reduced fraud risk
  • Secure transactions across all channels

Operational Considerations

Card Replacement & Wallet Sync: When a card is replaced:

  • Wallets do not automatically update card details
  • Existing tokens may become invalid
  • Transactions may be declined

To restore functionality:

  • Re-provision the card using push provisioning, or
  • Manually re-add the card in the wallet


Did this page help you?
.readme-logo { display: none !important; }