Visa Bank App–Initiated Provisioning (Legacy)

Stable version 1.0.1 (Compatible with OutSystems 11)

Uploaded

on 17 Dec (18 hours ago)

0.0

(0 ratings)

Documentation

1.0.1

VisaProvisioningUtils – Updated Extension Overview

1. Introduction

The VisaProvisioningUtils extension provides implementation support for Visa Mobile Provisioning aligned with modern MPAD/MPAC flows and Apple Wallet payload creation.
This version replaces the legacy MBPAD/MBPAC naming and introduces a unified wallet payload generation with end-to-end encryption handling.

The extension is designed to work with HSM-protected keys, issuer encryption requirements, and Apple Wallet provisioning specifications.

2. Overview

The extension exposes four core utility methods:

Method Name	Purpose
`CreateAuthenticationData`	Creates MPAD (Mobile Provisioning Authentication Data)
`CreateActivationData`	Creates MPAC (Mobile Provisioning Activation Data)
`CreateWalletWrapperForVisa`	Creates the Apple Wallet provisioning payload with complete encryption
`DecryptKeyWithHSM`	Decrypts encrypted keys using HSM key components

This updated implementation centralizes encryption logic and aligns naming with Visa MPAD / MPAC terminology.

3. Method Summary

Method Name	Description
CreateAuthenticationData	Generates MPAD used to authenticate the provisioning request
CreateActivationData	Generates MPAC used during token activation
CreateWalletWrapperForVisa	Builds the Apple Wallet encrypted payload, including all required Visa and Apple encryption
DecryptKeyWithHSM	Uses three HSM key components to decrypt an encrypted key and return the clear component key

4. Method Details

4.1 CreateAuthenticationData (MPAD)

Purpose
Generates Mobile Provisioning Authentication Data (MPAD) required by Visa during Apple Wallet provisioning initiation.

Input Parameters

PAN
Expiry Date (MMYY)
Timestamp (UTC – CCYYMMDDHHMMSS)
Key Set Identifier
Issuer Encryption Key (or HSM reference)

Process Summary

Constructs the MPAD data block using Visa-defined formatting
Applies required padding and control fields
Encrypts the data using issuer-approved encryption (HSM or secure key)
Returns MPAD in Visa-compliant structure

Output

MPAD string used in Visa provisioning requests

4.2 CreateActivationData (MPAC)

Purpose
Generates Mobile Provisioning Activation Data (MPAC) required to complete token activation in Apple Wallet.

Input Parameters

Device Nonce (from Apple)
Issuer-generated Authentication Code
Key Set Identifier
Issuer Encryption Key (or HSM reference)

Process Summary

Combines nonce and authentication code
Applies Visa encryption block formatting
Encrypts the activation payload
Produces a Visa-compliant MPAC output

Output

MPAC string used during Visa token activation

4.3 CreateWalletWrapperForVisa

Purpose
Creates the Apple Wallet provisioning payload, including fully encrypted data, ready to be sent to Apple’s PKAddPaymentPassRequest.

Key Responsibilities

Accepts MPAD and MPAC data
Performs all required Visa and Apple encryption
Wraps encrypted data into the Apple Wallet payload structure
Ensures compliance with Apple Pay In-App Provisioning specifications

Output

Encrypted Apple Wallet payload ready for transmission to Apple

4.4 DecryptKeyWithHSM

Purpose
Decrypts an encrypted key using HSM-based key components, ensuring secure key handling.

Input Parameters

HSM Key Component 1
HSM Key Component 2
HSM Key Component 3
Encrypted Value

Process Summary

Uses the three HSM key components to reconstruct the master key
Decrypts the provided encrypted value
Returns the clear component key securely

Output

Clear (decrypted) cryptographic key for controlled internal use

1.0.0

1. Introduction

This extension provides implementation support for the Visa Mobile Banking App–Initiated Provisioning process — a legacy approach used by issuers to enable card provisioning into Apple Wallet (and other digital wallets) using symmetric encryption (Triple-DES) and WSD zone keys.

2. Overview

The extension includes two main methods:

CreateAuthenticationData (MBPAD) – Generates the Provisioning Authentication Data required for initial Apple Wallet provisioning.
CreateActivationData (MBPAC) – Generates the Activation Data required to complete the token activation phase.

Both outputs are formatted according to the Visa legacy structure:

type-version-keyscheme-keysetidentifier-ephemeralkey-algorithm-encryptedinformation

The encryption logic follows Visa’s guidelines for WSD Zone Encryption Keys using Triple-DES (TDEA) in Cipher Block Chaining (CBC) mode.

3. Methods Summary

Method Name	Purpose	Output Example
CreateAuthenticationData	Generates the Provisioning Authentication Data (MBPAD). This data authenticates the card provisioning request and includes the PAN, expiry date, and timestamp, all encrypted under the issuer’s WSD key.	`MBPAD-1-FK-123456.1--TDEA-7AF291C91F3ED4EF92C1D45EFF127C1F9ABC12347E`
CreateActivationData	Generates the Provisioning Activation Data (MBPAC). This data is used to activate the card in Apple Wallet and includes the device nonce and issuer-generated authentication code.	`MBPAC-1-FK-123456.1--TDEA-5BC87F9A12293F0E9C9E0FA5A394D67C7F`

4. Method Details

4.1 CreateAuthenticationData

Purpose:
Constructs the MBPAD string used in Visa’s Provisioning Authentication Data field.

Input Parameters:

PAN: Primary Account Number to be provisioned.
Expiry Date: Expiration date in MMYY format.
Date/Time: Timestamp in UTC format (CCYYMMDDHHMMSS).
Key Set Identifier: Identifier of the WSD data encryption key (e.g., 123456.1).
Ephemeral Key: Reserved for future use (currently blank).
Encryption Key: Triple-DES symmetric key used for encryption.

Process Summary:

Combines PAN, expiry date, and date/time into a structured text format.
Applies Visa encryption block formatting with control fields, length indicators, and padding.
Encrypts data using Triple-DES (CBC mode) with the specified WSD key.
Converts encrypted data into hexadecimal binary representation.
Concatenates all clear-text and encrypted components using hyphens.

Output:
A formatted MBPAD string used in the Visa–Apple Wallet provisioning request.

4.2 CreateActivationData

Purpose:
Constructs the MBPAC string used in Visa’s Provisioning Activation Data field.

Input Parameters:

Nonce: Device nonce (in hexadecimal) received from Apple during provisioning initiation.
Auth Code: 6-character alphanumeric activation code generated by the issuer for the specific request.
Key Set Identifier: Identifier of the WSD key used for encryption.
Ephemeral Key: Reserved for future use (currently blank).
Encryption Key: Triple-DES symmetric key used for encryption.

Process Summary:

Combines nonce and authentication code into a structured text string.
Formats data according to Visa encryption block structure.
Encrypts using Triple-DES (CBC) with the WSD key.
Converts the encrypted result to hexadecimal binary format.
Builds the final MBPAC string with hyphen-separated components.

Output:
A formatted MBPAC string used during Visa token activation with Apple Wallet.

5. Encryption Standards

Item	Specification
Encryption Algorithm	Triple-DES (TDEA)
Mode of Operation	Cipher Block Chaining (CBC)
Key Type	WSD Zone Data Encryption Key (16 or 32 bytes)
Block Size	64 bits
Fill Character	ASCII `!` (0x21)
Control Fields	ASCII space (0x20) for first block headers
Encoding	HexBinary for encrypted data; Base64 for API transmission

6. Security and Compliance Notes

The WSD key must be securely exchanged with Visa using standard key conveyance protocols (ZCMK).
Keys must not be stored, logged, or transmitted in plaintext.
Encryption operations can optionally be offloaded to an external HSM for compliance.
The generated data strings must be Base64 encoded before being sent to Apple’s PKAddPaymentPassRequest or Visa APIs.
This legacy flow is not recommended for new integrations; the Visa Developer Platform’s JWE-based provisioning is preferred.