Using Apple Card For non-ApplePay Based Online Payments
Apple itself doesn't state this anywhere, but nearly every article on the web about the recently launched Apple Card confidently states that the "iPhone Wallet app will be able to display Apple Card's Card Number and associated CVV info" when you need it.
And when exactly would someone need that? It may be necessary when you want to make an online payment (not an NFC one) with your Apple Card, but the online merchant doesn't support integrated in-app or Safari based ApplePay payments.
We looked everywhere for official confirmation from Apple of whether the Wallet app will display the Apple Card number and CVV. We could not find a single clear piece of evidence that Apple itself advertises that its Wallet app will support such a feature.
What the Apple microsite for Apple Card does state is the following: "When you first get your Apple Card, a unique device number is created on your iPhone. Then it’s locked away in the Secure Element (SE) chip". OK, it makes perfect sense: this device number is in fact an EMVCo compliant MasterCard issued payment token, which is mapped, inside MasterCard's Token Vault server, to the Apple Card's funding account number inside the Goldman Sachs host system. The Apple Card funding account number is also personalized inside the companion physical Apple Card's secure EMV chip, but is not embossed on the card. Therefore no one except Goldman Sachs and MasterCard knows the value of the funding credit card account linked to the device number (token) inside the iPhone's SE chip. Not even you, and probably not even Apple themselves.
The Apple site then goes further: "Every purchase requires your device number along with a one‑time, dynamic security code that iPhone generates when you authorize the purchase". Yes, you guessed it right: every purchase here means exactly that, every ApplePay payment transaction using the Apple Card inside your iPhone, whether in-store (NFC tap on POS) or e-commerce (in-app or Safari initiated 'on the web' purchases).
Apple doesn't indicate anywhere that a CVV is created and stored inside the same SE chip, together with the device number. Nor should it be, in our view. EMVCo compliant tokenized payments (ApplePay is nothing but that) do not use CVV values during the payment flow. Instead, they use unique per-transaction EMV compatible cryptogram values (Apple calls this the dynamic security code), which are generated by the iPhone / iWatch SE chip for each transaction. The cryptogram's validity is always verified by the MasterCard Tokenization server before the device number provided in the payment authorization message is de-tokenized into the funding credit card account number, which is then forwarded to Goldman Sachs for final authorization.
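The flow described above, as an added sketch (not code from Apple, MasterCard or this article): a device number plus a per-transaction cryptogram is checked by a token vault before de-tokenization, so a replayed message or a static CVV-style value is rejected. The HMAC cryptogram, the transaction counter and every class and function name here are assumptions standing in for the real EMV algorithms, which the article does not describe.

```python
import hashlib, hmac, secrets

def make_cryptogram(key, token, atc, amount_cents, merchant):
    # Stand-in for the EMV cryptogram: a MAC over this transaction's details.
    msg = f"{token}|{atc}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenVault:
    """Toy token vault: maps a device number to the funding account."""
    def __init__(self):
        self._tokens = {}  # device number -> funding PAN, key, last counter

    def provision(self, funding_pan):
        # Constructed 16-digit device number; not a real BIN, not Luhn-valid.
        token = "5" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._tokens[token] = {"pan": funding_pan, "key": key, "last_atc": 0}
        return token, key

    def authorize(self, token, atc, amount_cents, merchant, cryptogram):
        rec = self._tokens.get(token)
        if rec is None:
            return None, "unknown token"
        if atc <= rec["last_atc"]:  # counter must advance (assumed replay check)
            return None, "replayed counter"
        expected = make_cryptogram(rec["key"], token, atc, amount_cents, merchant)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        rec["last_atc"] = atc
        return rec["pan"], "forward to issuer"  # de-tokenized only after the check

class SecureElement:
    """Holds the device number and key; never sees the funding PAN."""
    def __init__(self, token, key):
        self.token, self._key, self._atc = token, key, 0

    def pay(self, amount_cents, merchant):
        self._atc += 1
        return {"token": self.token, "atc": self._atc, "amount_cents": amount_cents,
                "merchant": merchant, "cryptogram": make_cryptogram(
                    self._key, self.token, self._atc, amount_cents, merchant)}

def demo():
    vault = TokenVault()
    se = SecureElement(*vault.provision("FUNDING-PAN-PLACEHOLDER"))
    msg = se.pay(1999, "merchant-a")            # constructed sample purchase
    first = vault.authorize(**msg)              # valid cryptogram
    replay = vault.authorize(**msg)             # same message sent again
    static = vault.authorize(se.token, 2, 1999, "merchant-a", "123")  # CVV-style value
    return first, replay, static
```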
So to us it looks as though the Apple Card was not really designed to support manual entry of the card number into a merchant checkout form, since ApplePay based online payments (in-app or on the web flows) do not, in fact, support auto-populating web browser merchant checkout forms today. ApplePay online payments are always executed OUTSIDE of the normal merchant checkout form flow and as such neither need nor expect anything like a CVV value (static or dynamic) for payment processing.
If our understanding of Apple's direction with the Apple Card happens to be true (and, based on officially available Apple info and our own extensive payment tokenization experience, we believe it should be), it definitely makes the Apple Card duo (digital + physical combo) the most secure 'payment card' in the world.
However, besides normal in-store usage, it may also limit the card to online payments within the Apple ecosystem only (Mac OSX, iOS, iWatch, Safari) and with online merchants that are enabled to support ApplePay checkout flows (in-app or Safari based 'on the web').
In other words, we do believe that, based on officially released Apple information at this time, Apple Card may not support usage in traditional (manual or auto-populated) online checkout scenarios. Whether that could be an impediment to its mass adoption (beyond the faithful Apple community) remains to be seen.