Definition
xPay refers to the payment wallets built into mobile OSes: Apple Pay (iOS), Google Pay (Android), Samsung Pay and their equivalents.
They tokenise the card (DPAN — Device Primary Account Number), use biometrics (Face ID, Touch ID, fingerprint) for SCA, and produce EMV transactions via NFC at the point of sale or via SDK in e-commerce. They account for a growing share of payments: ~30% in-store in France in 2025, and more than 50% among under-35s.
How it works
At enrolment, the user adds their card; the wallet requests a DPAN from the network (VTS, MDES), which checks the card with the issuer (often an SCA), issues the DPAN and stores it in the Secure Element (Apple) or the TEE (Android), never in the OS.
For each payment: local SCA (biometrics or a code), the generation of a dynamic EMV cryptogram signed with the DPAN, transmission via NFC or SDK, then de-tokenisation on the issuer side by the network.
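The enrolment and payment flow above, as a simplified model added here for illustration (not code from any wallet, network or from this page): HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, the `atc` transaction counter and the test PAN are assumptions of the example. It shows that the merchant only ever handles the DPAN and a one-time cryptogram, and that a replayed or altered transaction fails de-tokenisation.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, dpan, atc, amount_cents):
    # Simplified: HMAC-SHA256 stands in for the real EMV cryptogram algorithm.
    msg = f"{dpan}|{atc}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenNetwork:
    """Toy token service: holds the DPAN -> card mapping and checks cryptograms."""
    def __init__(self):
        self.vault = {}

    def enrol(self, pan):
        # Issuer verification (often an SCA) is assumed to have passed.
        dpan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[dpan] = {"pan": pan, "key": key, "last_atc": 0}
        return dpan, key  # provisioned into the device's secure storage

    def detokenise(self, tx):
        entry = self.vault.get(tx["dpan"])
        if entry is None:
            return None
        expected = make_cryptogram(entry["key"], tx["dpan"], tx["atc"], tx["amount_cents"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return None  # wrong key, or amount/counter altered in transit
        if tx["atc"] <= entry["last_atc"]:
            return None  # cryptogram already used: replay
        entry["last_atc"] = tx["atc"]
        return entry["pan"]  # only the network/issuer side sees the real PAN

class Wallet:
    def __init__(self, dpan, key):
        self.dpan, self._key, self._atc = dpan, key, 0

    def pay(self, amount_cents, sca_ok):
        if not sca_ok:
            raise PermissionError("local SCA failed")
        self._atc += 1  # per-transaction counter makes each cryptogram unique
        return {"dpan": self.dpan, "atc": self._atc, "amount_cents": amount_cents,
                "cryptogram": make_cryptogram(self._key, self.dpan, self._atc, amount_cents)}

if __name__ == "__main__":
    net = TokenNetwork()
    wallet = Wallet(*net.enrol("4111111111111111"))  # constructed test PAN
    tx = wallet.pay(1999, sca_ok=True)
    print("merchant sees:", tx)
    print("first use:", net.detokenise(tx), "| replay:", net.detokenise(tx))
```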
Business model: who pays whom
- Cardholder: free.
- Merchant: the same MDR as a physical card, sometimes +0.01% on tokenised transactions.
- Apple / Google: Apple collects a fee from the issuer (~0.15% in the US); Google is free on the issuer side (monetised via the ecosystem).
- Network: its usual scheme fees, plus a marginal tokenisation fee.
It is this Apple-issuer revenue share that ruffled European banks; the dispute was resolved in 2024 by opening up iOS NFC to third-party wallets.
SCA and limits
Because SCA is performed locally, xPay has no contactless limit (vs €50 for a physical card in France): the terminal treats the transaction as having already passed SCA, and the liability shift applies fully (fraud → issuer). Hence its suitability for high-value baskets in-store.
xPay vs PayPal vs Click to Pay
| | xPay | PayPal | Click to Pay |
|---|---|---|---|
| Support | Mobile OS | App + web | Web (cross-network) |
| Tokenisation | DPAN | Proprietary wallet | Merchant token |
| SCA | Local biometrics | Login + 2FA | OTP / passkey |
| Physical NFC | Yes | Limited | No |
| FR penetration | ~30% in-store (< 35s) | ~30% e-commerce | < 5% |
What xPay is not
- Not a bank: the card is still issued by your bank (except for cases like the Apple Card in the US).
- Not A2A: it is a layer on top of the card; the payment remains a card payment, not a transfer.
- Not universal without NFC: a terminal without NFC does not accept xPay in-store (NFC terminal coverage in France is ~100%).
- Not static: since 2024, iOS NFC has been open to third-party wallets (DMA).
The iOS NFC dispute and the DMA
Apple long barred third-party apps from accessing NFC for payment, creating a de facto Apple Pay monopoly. After an antitrust procedure and the DMA, the Commission secured the opening up of NFC to third-party wallets in the EEA in 2024. Expected consequences in 2025-2026: banks' own wallets and Wero operable via iPhone NFC, and a drop in Apple's margins on this segment.
Within the PSD2 ecosystem
xPay provides native card SCA (biometrics) compliant with the PSD2 RTS. The networks treat it as a premium SCA channel (generous exemptions, almost systematically frictionless in e-commerce), and it is a major vector for network tokens (DPAN), which reduce PAN exposure.
Real-world examples
- France 2025: Apple Pay and Google Pay account for ~30% of in-store payments among under-35s, ~15% overall, growing by 5 to 10 points a year.
- Eligible cards: virtually all French Visa/Mastercard cards, CB included (CB routing under the DPAN) — Boursorama, Revolut, N26, BNP, SG, CA.
- E-commerce: an Apple/Google Pay button via Stripe converts +10 to +20% on mobile versus the card form.
- Apple Pay Later: a BNPL launched in the US, dropped in June 2024 in favour of Affirm partnerships; absent from Europe.
- Wero: with iOS NFC opening up, banks could launch their own wallets, but Apple Pay's UX remains hard to match.
- CB routing: Apple Pay sometimes forces Visa/MC routing by default; the French Banking Federation is negotiating CB routing by default.
- Trend: with the EUDI Wallet (end of 2026), Apple Pay and Google Pay may have to integrate digital identity and QES (signing a loan, proving your age).