Apple Payment Processing Certificate getting expired.

Can someone please let us know that adding a new certificate to the current Apple Payment processing will not affect the current certificate for the existing users until it gets expires and also do we need to generate a new provisioning profile for this apple payment certificate update?

You would need to generate either the new PSP Assets to be added to your Merchant Identifier. Once generated the new keys / certificate are dormant on the Apple Developer account, ready to be activated. Next, you would download the new Payment Processing Certificate (and provide it to their PSP if they are decrypting). At this point there should be two key pairs/certificates on the platform. Next, you will need to activate the new keys/certificate within the Apple Developer Account and this triggers the new keys to be propagated to our data centers and will be used for all new transactions.

Finally, PSP checks the publicKeyHash for each transaction to identify the appropriate private key to use for decryption of the payment token.

This process is not specifically bound to the provisioning profile.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Thank you for your response.

As I understood from your above response is that if we upload a new certificate for Apple Pay then the payments through the old certificate will no longer work. If we upload a new build with a new certificate then it may take at least two days for approval and may take around 1 week for the majority of the users to migrate to the new build. So many users will not be able to use Apple Pay and will receive errors.

Can you suggest the best approach for updating the certificate without affecting the existing users?

As I understood from your above response is that if we upload a new certificate for Apple Pay then the payments through the old certificate will no longer work.

If you create a new Payment Processing Identity and then once that Identity (identity being Certificate with it's corresponding Private Key) is activated, the new payments will cut over to using that Identity and your Payment Processor will need to use that identity instead of the old one. The benefit of creating two at the same time is that it gives you and your payment processor time to align the new Payment Processing Identity so that they can decrypt the new token when they come through.

Regarding:

If we upload a new build with a new certificate then it may take at least two days for approval and may take around 1 week for the majority of the users to migrate to the new build. So many users will not be able to use Apple Pay and will receive errors.

Are you bundling your Payment Processing Identity in your app? Can you tell me more about this and what your use case is?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Will the old certificate no longer be active for transactions after activating the new certificate?

This is a good question that I do not readily have the answer for. You can have two active Merchant Identity Certificates attached to an Merchant Identifier at one time, but I do not know about Payment Processing Identities. If you run into further issues here you can open a TSI and I can research this further.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Why can't I create more than one certificate?