Apple Pay

Apple Pay is a digital payment service that enables secure checkout on websites through Safari and supported browsers. The merchant's script renders the Apple Pay button and starts a payment session; the operating system presents the payment sheet, authenticates the user with Touch ID, Face ID, or the device passcode, and returns a tokenized card credential, so raw card details are never exposed to the merchant.

Overview

Apple Pay enables secure, tokenized payment processing directly within web browsers. It appears on e-commerce websites as an alternative checkout method, allowing customers to authorize purchases using Face ID, Touch ID, or device passcode without exposing their actual card numbers to the merchant. Apple Pay on the web is supported in Safari and other browsers that implement the Payment Request API with Apple Pay support.

What This Script Does

The Apple Pay JS API (ApplePaySession) is built into the browser; sites that use Apple's button web component additionally load the Apple Pay JS SDK from applepay.cdn-apple.com. The SDK renders the Apple Pay button (the distinctive black button with the Apple logo), and the browser handles the entire payment sheet lifecycle. The apple-pay-gateway.apple.com domains listed below are merchant validation endpoints, contacted by the merchant's server rather than by the page's script.

When a user taps the Apple Pay button, the script starts an ApplePaySession and the browser invokes the native payment sheet. This sheet runs in a secure, sandboxed context controlled by the operating system; the merchant's JavaScript cannot read its contents. The flow works as follows:

  1. The merchant's script creates an ApplePaySession with supported payment networks, merchant capabilities, and transaction details, then calls begin().
  2. The browser fires onvalidatemerchant with a validation URL on Apple's payment gateway. The merchant's server calls that URL, authenticating with its merchant identity certificate, and the resulting merchant session is handed back to the script, which passes it to completeMerchantValidation. This is how Apple confirms the merchant identity.
  3. The user authenticates with Face ID, Touch ID, or passcode on their device.
  4. The browser fires onpaymentauthorized with a payment token. Its encrypted payload carries a Device Account Number (DAN) and a per-transaction cryptogram (the dynamic security code), not the actual card number; only the holder of the merchant's payment processing key, usually the payment processor, can decrypt it.
  5. The merchant forwards this token to their payment processor for settlement and reports the outcome to the sheet with completePayment.
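The five steps above, wired together as an added example (this is not Apple's code and not code from this page). It assumes two hypothetical merchant backend endpoints, POST /apple-pay/validate (which calls Apple's validation URL with the merchant identity certificate and returns the merchant session) and POST /apple-pay/charge (which forwards the token to the processor); the session factory and fetch function are injected so the flow can be exercised outside Safari, and the sample token is constructed. The check a practitioner wants is on the validation URL: the backend will authenticate to whatever URL the browser hands it, so only the Apple gateway hosts this page names are accepted.

```javascript
// Added example, not Apple's or ConsentStack's code. Backend endpoints
// /apple-pay/validate and /apple-pay/charge are hypothetical.

// Merchant validation hosts named on this page: the production gateway, the
// apple-pay-gateway-nc-pod* pods, and the sandbox host. The backend authenticates
// to the URL it is given with the merchant identity certificate, so anything
// outside this set (or not https) is refused.
const APPLE_VALIDATION_HOST =
  /^(apple-pay-gateway|apple-pay-gateway-nc-pod\d+|apple-pay-gateway-cert)\.apple\.com$/;

function isAppleValidationURL(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return parsed.protocol === 'https:' && APPLE_VALIDATION_HOST.test(parsed.hostname);
}

// Step 1: the request the payment sheet is opened with (amounts are decimal strings).
function buildPaymentRequest(amount, label) {
  return {
    countryCode: 'US',
    currencyCode: 'USD',
    supportedNetworks: ['visa', 'masterCard', 'amex'],
    merchantCapabilities: ['supports3DS'],
    total: { label, amount, type: 'final' },
  };
}

// Constructed sample token with the documented shape; the card data (DAN,
// cryptogram) sits inside the encrypted paymentData.data and is opaque here.
const SAMPLE_TOKEN = {
  paymentData: {
    version: 'EC_v1',
    data: 'c2FtcGxlLWVuY3J5cHRlZC1wYXlsb2Fk',
    signature: 'c2FtcGxlLXNpZ25hdHVyZQ==',
    header: { ephemeralPublicKey: 'c2FtcGxl', publicKeyHash: 'c2FtcGxl', transactionId: 'abc123' },
  },
  paymentMethod: { displayName: 'Visa 1234', network: 'Visa', type: 'debit' },
  transactionIdentifier: 'abc123',
};

// Steps 4/5: the only token fields a merchant page should ever log.
function summarizeToken(token) {
  const pd = token.paymentData || {};
  const pm = token.paymentMethod || {};
  return {
    transactionIdentifier: token.transactionIdentifier,
    network: pm.network,
    displayName: pm.displayName, // e.g. "Visa 1234": last four digits only
    encrypted: pd.version === 'EC_v1' && typeof pd.data === 'string' && pd.data.length > 0,
  };
}

// Same values as ApplePaySession.STATUS_SUCCESS / STATUS_FAILURE.
const STATUS_SUCCESS = 0;
const STATUS_FAILURE = 1;

function startApplePay({ sessionFactory, fetchFn, amount, label }) {
  const session = sessionFactory(3, buildPaymentRequest(amount, label));

  // Step 2: forward Apple's validation URL to the backend, which makes the
  // certificate-authenticated call and returns the merchant session object.
  session.onvalidatemerchant = (event) => {
    if (!isAppleValidationURL(event.validationURL)) {
      session.abort(); // never send a foreign URL to the backend
      return Promise.resolve(false);
    }
    return fetchFn('/apple-pay/validate', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ validationURL: event.validationURL }),
    })
      .then((res) => res.json())
      .then((merchantSession) => {
        session.completeMerchantValidation(merchantSession);
        return true;
      });
  };

  // Steps 3-5: after Face ID / Touch ID / passcode the token arrives; hand it to
  // the backend for settlement and report the outcome back to the sheet.
  session.onpaymentauthorized = (event) =>
    fetchFn('/apple-pay/charge', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token: event.payment.token }),
    }).then((res) => {
      session.completePayment({ status: res.ok ? STATUS_SUCCESS : STATUS_FAILURE });
      return res.ok;
    });

  session.begin();
  return session;
}

// In Safari: bind the real ApplePaySession to the button (skipped outside a browser).
if (typeof ApplePaySession !== 'undefined' && ApplePaySession.canMakePayments()) {
  document.getElementById('apple-pay-button').addEventListener('click', () => {
    startApplePay({
      sessionFactory: (version, request) => new ApplePaySession(version, request),
      fetchFn: (url, init) => fetch(url, init),
      amount: '19.99',
      label: 'Example Store',
    });
  });
}
```

The host allowlist is deliberately an exact-match regex on the parsed hostname rather than a substring test, so a lookalike such as apple-pay-gateway.apple.com.evil.example is rejected; the backend should apply the same check again before opening the certificate-authenticated connection.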

Apple Pay does not set tracking cookies. It does not collect browsing behavior, build user profiles, or share data with advertising networks. The page's script makes no requests to Apple beyond loading the SDK: the merchant validation call to Apple's payment gateway is made by the merchant's server, and token generation happens inside the OS-controlled payment sheet. Session data is ephemeral and scoped to the active payment transaction.

The apple-pay-gateway.apple.com and apple-pay-gateway-nc-pod*.apple.com domains (and apple-pay-gateway-cert.apple.com for sandbox testing) are the merchant validation endpoints. The validation URL originates in a browser event, and the merchant server authenticates to it with its merchant identity certificate, so the server should refuse to call any host outside this set. No persistent storage is written to the browser beyond what the merchant's own checkout flow requires.

Consent & Compliance

Apple Pay is classified as essential. It is a payment processing mechanism — a core website function that users explicitly invoke when they choose to pay.

Under the GDPR, payment processing has a clear legal basis: contract performance (Article 6(1)(b)). The user is initiating a purchase, and processing their payment data is necessary to fulfill that contract. No consent banner is required for the Apple Pay scripts themselves.

Under the ePrivacy Directive, Apple Pay qualifies for the strictly necessary exemption. The scripts and any transient storage are required to provide a service explicitly requested by the user (completing a payment). Article 5(3) does not require consent for such access.

Under CCPA/CPRA, Apple Pay does not sell or share personal information. Apple acts as a payment intermediary, and the tokenized transaction data is used solely for payment processing. Apple's privacy architecture specifically prevents merchants from receiving the user's actual card details.

Should You Block This Without Consent?

No. Apple Pay is a payment processing service that users explicitly invoke. Its scripts are strictly necessary for completing transactions and do not perform any tracking, profiling, or advertising. Blocking Apple Pay behind a consent wall would prevent customers from completing purchases, which is both a usability failure and unnecessary from a privacy standpoint.

Consent Categories

Essential

Also Known As

Apple Pay web, Apple Pay JS, Apple Wallet, Safari payments, Apple checkout

Industries

Computers Electronics and Technology, Computer Hardware

Tracked Domains (2)

apple-pay-gateway.apple.com (Essential)
apple-pay-gateway-cert.apple.com (Essential)

Frequently Asked Questions

Does Apple Pay require cookie consent?

No. Apple Pay is a payment service users explicitly invoke at checkout. GDPR Article 6(1)(b) covers payment processing under contract performance. No tracking cookies are set — all storage is transient and scoped to the active payment session. ePrivacy's strictly necessary exemption applies directly to payment transaction processing.

What does Apple Pay transmit during checkout?

The merchant's server, not the browser script, contacts apple-pay-gateway.apple.com for merchant validation, using the validation URL the browser supplies. Apple returns a payment token whose encrypted payload carries a Device Account Number and a per-transaction cryptogram, not the actual card number; the merchant never receives raw card data. No persistent cookies are written; session data clears after the transaction completes. No behavioral data is collected.

How does ConsentStack handle Apple Pay?

ConsentStack classifies Apple Pay as essential. Because it is a payment mechanism with no tracking or profiling functions, ConsentStack never blocks Apple Pay scripts regardless of consent state. The Apple Pay JS SDK loads from applepay.cdn-apple.com without restriction, keeping the checkout flow fully operational for all site visitors.
