web
You’re offline. This is a read only version of the page.
close

What can we help you with?

Apple Pay - Setup and Troubleshooting


KA-08853


115

12/18/2025 18:43 PM

1.2

Introduction

Use this article to configure Apple Pay with Cybersource and resolve the most common configuration, cryptogram/DSRP, and acquirer-specific wallet authorization issues. The guide provides setup steps, validation procedures, and structured troubleshooting aligned to merchant expectations and Support efficiency needs.

1. Prerequisites Checklist

  • Apple Pay enabled on each Cybersource profile
  • Sandbox and production Cybersource accounts
  • Apple Developer Program account (Account Holder or Admin)
  • Apple Pay Merchant ID created
  • Acquirer certified for Mastercard MDES network tokens
  • Merchant domain supports HTTPS with valid TLS
  • Sandbox tester Apple ID & Mastercard test cards
  • (Web) Ability to host the Apple verification file at the required path

2. Register the Apple Pay Merchant ID

  1. Sign in to Apple Developer.
  2. Select Certificates & Identifiers → Identifiers.
  3. Click + → Merchant IDs and continue.
  4. Enter the identifier (e.g., merchant.com.example.test).
  5. Click Register.

3. Create the Payment Processing Certificate

3A • Cybersource-Managed Decryption (Recommended)

  1. Go to Business Center → Payment Configuration → Digital Payment Solutions → Apple Pay.
  2. Enter the Merchant ID.
  3. Select Generate New CSR & download the .certSigningRequest.
  4. Upload the CSR in Apple Developer and download the .cer file.

3B • Merchant-Managed Decryption (If Required)

  1. Open Keychain Access → Certificate Assistant (macOS).
  2. Generate a 2048‑bit RSA CSR.
  3. Upload CSR → download .cer → import to Keychain → export a .p12.
  4. Deploy the .p12 to the merchant’s decryption service.
Note: Certificates expire every 25 months. Set a renewal reminder.

4. Optional: Enable Apple Pay on the Web

  1. Create an Apple Pay Merchant Identity certificate (TLS).
  2. Register each domain:
    1. Go to Merchant Domains → Add Domain.
    2. Download the verification file.
    3. Host it at: /.well-known/apple-developer-merchantid-domain-association
    4. Click Verify.

5. Sandbox Validation

  1. Sign in to a test device using the sandbox Apple ID.
  2. Add Mastercard sandbox test cards.
  3. Send an authorization to https://apitest.cybersource.com using:
    • processingInformation.paymentSolution = "001"
    • paymentInformation.tokenizedCard.transactionType = "1"
  4. Confirm an AUTHORIZED reply.
  5. Test negative/error scenarios.

6. Go Live

  1. Create the production certificate for the production Merchant ID.
  2. Switch API credentials to production.
  3. Verify production web domains.
  4. Send a low-value or $0 authorization.

7. Troubleshooting & Wallet Authorization Failures

Most errors relate to cryptogram mapping, domain validation, or acquirer-specific routing.

7.1 Cryptogram / DSRP Mapping Issues

  • Cryptogram must be forwarded unaltered.
  • Incorrect ECI values lead to declines.
  • Merchant-managed decryption may be unsupported.

Expected ECI values:

  • 05 = Wallet device-present
  • 07 = Wallet device-not-present

Resolution:

  • Forward cryptogram exactly as provided.
  • Ensure transactionType = "1".
  • Confirm acquirer supports MDES tokenization.

7.2 Domain Validation Issues (Web)

Symptoms:

  • Apple Pay button does not appear
  • Token is never generated
  • "invalid merchant domain"

Resolution:

  • Host the verification file at the exact path required.
  • Purge all CDN caches.
  • Ensure valid HTTPS with no certificate warnings.
  • Match the domain exactly as registered in Apple Developer.

7.3 Acquirer-Specific Behaviors

  • Some acquirers require specific ECI/cryptogram combinations.
  • Some do not support merchant-managed decryption.
  • Some route Apple Pay differently than PAN e-commerce transactions.

Resolution:

  • Verify MDES tokenization support.
  • Provide acquirer full transaction details (ECI, cryptogram, token reference ID).
  • Switch to Cybersource-managed decryption if unsupported.

7.4 Expected Behaviors (Not Errors)

  • AVS/CVV may be unavailable for digital wallet transactions.
  • Test tokens behave differently than production tokens.
  • Apple Pay may show wallet identifiers instead of card brand.
  • Mastercard cryptograms lack some fields present in PAN transactions.

7.5 Quick Diagnostic Flow

  1. Apple Pay button missing → domain validation
  2. Token fields missing → integration issue
  3. Cryptogram/ECI errors → mapping issue
  4. Decline from acquirer → acquirer nuance
  5. Certificate mismatch → regenerate CSR
  6. Ensure:
    • paymentSolution = "001"
    • transactionType = "1"
Error-Resolution Table
Reply CodeMessageCauseResolution
101Missing fluidDataToken not sentPopulate fluidData.value
101Missing transactionTypeMissing flagSet "1"
102Invalid paymentSolutionWrong or blank valueSet "001"
152Tokenization not supportedProcessor not MDES-enabledConfirm certification
233Cryptogram errorMissing/invalid ECI or cryptogramForward values unaltered

8. Escalation Criteria

Escalate only when:

  • Domain verification succeeds but token generation fails
  • CSR generation fails repeatedly
  • Acquirer returns unsupported errors despite MDES certification
  • Cryptogram validation fails even when values are unaltered
  • Merchant-managed decryption fails with correct key material

9. References



Was this article helpful?


Articles Recommended for You