This extension provides implementation support for the Visa Mobile Banking App–Initiated Provisioning process — a legacy approach used by issuers to enable card provisioning into Apple Wallet (and other digital wallets) using symmetric encryption (Triple-DES) and WSD zone keys.
The extension includes two main methods:
CreateAuthenticationData (MBPAD) – Generates the Provisioning Authentication Data required for initial Apple Wallet provisioning.
CreateActivationData (MBPAC) – Generates the Activation Data required to complete the token activation phase.
Both outputs are formatted according to the Visa legacy structure:
type-version-keyscheme-keysetidentifier-ephemeralkey-algorithm-encryptedinformation
The encryption logic follows Visa’s guidelines for WSD Zone Encryption Keys using Triple-DES (TDEA) in Cipher Block Chaining (CBC) mode.
Example output:
MBPAD-1-FK-123456.1--TDEA-7AF291C91F3ED4EF92C1D45EFF127C1F9ABC12347E
MBPAC-1-FK-123456.1--TDEA-5BC87F9A12293F0E9C9E0FA5A394D67C7F
Purpose: Constructs the MBPAD string used in Visa’s Provisioning Authentication Data field.
Input Parameters:
PAN: Primary Account Number to be provisioned.
Expiry Date: Expiration date in MMYY format.
Date/Time: Timestamp in UTC format (CCYYMMDDHHMMSS).
Key Set Identifier: Identifier of the WSD data encryption key (e.g., 123456.1).
Ephemeral Key: Reserved for future use (currently blank).
Encryption Key: Triple-DES symmetric key used for encryption.
Process Summary:
Combines PAN, expiry date, and date/time into a structured text format.
Applies Visa encryption block formatting with control fields, length indicators, and padding.
Encrypts data using Triple-DES (CBC mode) with the specified WSD key.
Converts the encrypted data into its hexadecimal representation.
Concatenates all clear-text and encrypted components using hyphens.
Output: A formatted MBPAD string used in the Visa–Apple Wallet provisioning request.
Purpose: Constructs the MBPAC string used in Visa’s Provisioning Activation Data field.
Input Parameters:
Nonce: Device nonce (in hexadecimal) received from Apple during provisioning initiation.
Auth Code: 6-character alphanumeric activation code generated by the issuer for the specific request.
Key Set Identifier: Identifier of the WSD key used for encryption.
Process Summary:
Combines nonce and authentication code into a structured text string.
Formats data according to Visa encryption block structure.
Encrypts using Triple-DES (CBC) with the WSD key.
Converts the encrypted result into its hexadecimal representation.
Builds the final MBPAC string with hyphen-separated components.
Output: A formatted MBPAC string used during Visa token activation with Apple Wallet.
The WSD key must be securely exchanged with Visa using standard key conveyance protocols (ZCMK).
Keys must not be stored, logged, or transmitted in plaintext.
Encryption operations can optionally be offloaded to an external HSM for compliance.
The generated data strings must be Base64 encoded before being sent to Apple’s PKAddPaymentPassRequest or Visa APIs.
This legacy flow is not recommended for new integrations; the Visa Developer Platform’s JWE-based provisioning is preferred.
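An added example, not part of the extension's own code: a structural check for the seven-field MBPAD/MBPAC string described above, followed by the Base64 step from the notes. The function names, the constructed SAMPLE value and the assumption that no field contains a hyphen are this example's own.

```python
import base64
import re
from collections import namedtuple

# Field order taken from the structure line on this page.
ProvisioningData = namedtuple("ProvisioningData", [
    "type", "version", "key_scheme", "key_set_id",
    "ephemeral_key", "algorithm", "encrypted_hex"])
TDEA_BLOCK_BYTES = 8  # Triple-DES block size, so CBC output is a multiple of 8

# Constructed sample: the hex is filler, not real ciphertext.
SAMPLE = "MBPAD-1-FK-123456.1--TDEA-00112233445566778899AABBCCDDEEFF"


def parse(value):
    """Split an MBPAD/MBPAC string into its seven hyphen-separated fields."""
    parts = value.split("-")  # assumes no field contains a hyphen
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}")
    return ProvisioningData(*parts)


def problems(value):
    """Return a list of structural problems; an empty list means well-formed."""
    try:
        d = parse(value)
    except ValueError as exc:
        return [str(exc)]
    found = []
    if d.type not in ("MBPAD", "MBPAC"):
        found.append("unknown type")
    if d.ephemeral_key:
        found.append("ephemeral key field must be blank")
    if d.algorithm != "TDEA":
        found.append("algorithm is not TDEA")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", d.encrypted_hex):
        found.append("encrypted information is not whole hex bytes")
    elif (len(d.encrypted_hex) // 2) % TDEA_BLOCK_BYTES:
        found.append("ciphertext length is not a multiple of 8 bytes")
    return found


def wire_encode(value):
    """Base64-encode the string for the request; refuse malformed input."""
    issues = problems(value)
    if issues:
        raise ValueError("; ".join(issues))
    return base64.b64encode(value.encode("ascii")).decode("ascii")
```

Run against the two sample strings shown earlier on this page, problems() reports a block-length mismatch (their hex fields are 21 and 17 bytes), so treat those samples as illustrations of the layout rather than real TDEA output.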