Once your card is approved, your bank or your bank’s authorized service provider creates a device-specific Device Account Number, encrypts it, and sends it along with other data (such as the key used to generate dynamic security codes unique to each transaction) to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store your payment information safely. The Device Account Number in the Secure Element is unique to your device and to each credit or debit card added. It’s isolated from iOS and watchOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites.
Apple doesn’t store or have access to the credit, debit, or prepaid card numbers you added to Apple Pay. Apple Pay only stores a portion of your actual card numbers and a portion of your Device Account Numbers, along with a card description, to help you manage your cards.
When you pay using Apple Pay in stores
Paying in stores that accept contactless payments with Apple Pay uses Near Field Communication (NFC) technology between your device and the payment terminal. NFC is an industry-standard contactless technology designed to work only across short distances. If your iPhone is on and it detects an NFC field, it will present you with your default card. To send your payment information, you must authenticate using Touch ID or your passcode. ...
After you use Touch ID or enter your passcode on iPhone, or double-click the side button on Apple Watch at a payment terminal, the Secure Element provides your Device Account Number and a transaction-specific dynamic security code. This information is sent along with additional information needed to complete the transaction to the store’s point of sale terminal. Neither Apple nor your device sends your credit or debit card number. Before they approve the payment, your bank or payment network can verify your payment information by checking the dynamic security code to make sure it’s unique and that it’s tied to your device.