This guide walks through the complete setup process for integrating Apple Pay with Cybersource in the Recurrente application.
- Apple Developer Program membership ($99/year)
- Access to Cybersource Business Center
- macOS computer (for certificate generation)
- Go to Certificates, Identifiers & Profiles
- Click Identifiers in the sidebar
- Click the + button to add a new identifier
- Select Merchant IDs and click Continue
- Enter a description (e.g., "Recurrente Production")
- Enter an identifier (e.g., `merchant.com.recurrente.production`)
- Click Continue then Register
This certificate encrypts payment data. Cybersource will decrypt it.
- Log into Cybersource Business Center
- Go to Payment Configuration → Digital Payment Solutions
- Select Apple Pay
- Click Generate CSR (Certificate Signing Request)
- Download the `.csr` file
- Go to Certificates, Identifiers & Profiles
- Click Identifiers → Select Merchant IDs
- Select your merchant identifier
- Under Apple Pay Payment Processing Certificate, click Create Certificate
- Select No when asked "Will payments be processed exclusively in China?"
- Click Continue
- Upload the CSR file you downloaded from Cybersource
- Click Continue then Download the `.cer` file
- Back in Cybersource Business Center
- Go to Payment Configuration → Digital Payment Solutions → Apple Pay
- Upload the `.cer` file you just downloaded from Apple
- Save the configuration
This certificate authenticates your server when validating the merchant session with Apple.
- Open Keychain Access (Applications → Utilities)
- Go to Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority
- Enter your email address
- Enter a common name (e.g., "Recurrente Apple Pay")
- Select Saved to disk
- Click Continue and save the `.certSigningRequest` file
- Go to Certificates, Identifiers & Profiles
- Click Identifiers → Select Merchant IDs
- Select your merchant identifier
- Under Apple Pay Merchant Identity Certificate, click Create Certificate
- Click Continue
- Upload the `.certSigningRequest` file you created
- Click Continue then Download the `.cer` file
- Double-click the downloaded `.cer` file to install it in Keychain
- Open Keychain Access
- Find the certificate (under "My Certificates")
- Right-click and select Export
- Choose Personal Information Exchange (.p12) format
- Set a password (you'll need this for Rails credentials)
- Save the file
- Extract the certificate and private key
- Base64 encode both files

```bash
# Extract the certificate
openssl pkcs12 -in merchant_identity.p12 -clcerts -nokeys -out merchant_identity_cert.pem
# Extract the private key
# (prompts for the .p12 password, then for a PEM pass phrase that encrypts the exported key)
openssl pkcs12 -in merchant_identity.p12 -nocerts -out merchant_identity_key.pem
# Base64 encode for Rails credentials
base64 -i merchant_identity_cert.pem -o merchant_identity_cert.b64
base64 -i merchant_identity_key.pem -o merchant_identity_key.b64
```

- Go to Certificates, Identifiers & Profiles
- Click Identifiers → Select Merchant IDs
- Select your merchant identifier
- Under Merchant Domains, click Add Domain
- Enter your domain (e.g., `checkout.recurrente.com`)
- Click Save
- Click Download to get the verification file
- Place the downloaded file at the required path
https://yourdomain.com/.well-known/apple-developer-merchantid-domain-association
Option A: Place the file directly in `public/.well-known/`

```bash
mkdir -p public/.well-known
cp ~/Downloads/apple-developer-merchantid-domain-association public/.well-known/
```

Option B: Add a route in Rails (if you need dynamic handling)

```ruby
# config/routes.rb
get ".well-known/apple-developer-merchantid-domain-association",
  to: proc { [200, {}, [File.read(Rails.root.join("public/.well-known/apple-developer-merchantid-domain-association"))]] }
```

- Back in Apple Developer Portal
- Click Verify next to your domain
- Apple will crawl your site to confirm the file exists
Note: You must verify each domain separately (e.g., `recurrente.com`, `checkout.recurrente.com`, `staging.recurrente.com`)
- Edit your credentials file:

```bash
EDITOR="code --wait" bin/rails credentials:edit --environment production
```

- Add the following configuration:

```yaml
apple_pay:
  merchant_identifier: "merchant.com.recurrente.production"
  display_name: "Recurrente"
  merchant_identity_cert_b64: "<paste contents of merchant_identity_cert.b64>"
  merchant_identity_key_b64: "<paste contents of merchant_identity_key.b64>"
  merchant_identity_key_passphrase: "<your .p12 password>"
```

- For staging/test environments, create separate merchant IDs and certificates:

```bash
EDITOR="code --wait" bin/rails credentials:edit --environment staging
```

Ensure the following are configured in Cybersource Business Center:
- Apple Pay enabled for your merchant account
- Payment Processing Certificate uploaded (from Part 2)
- Merchant ID matches what you're using in Rails credentials
- Safari browser on macOS or iOS (Apple Pay only works in Safari)
- Apple device with a card added to Apple Wallet
- For sandbox: Use Apple's test cards
- Create a sandbox tester account in App Store Connect
- Sign into iCloud with sandbox account on test device
- Add test cards to Apple Wallet
- Test on your staging environment
Apple provides test cards for sandbox environments. See Apple Pay Sandbox Testing for the full list.
- Verify the merchant identity certificate is correctly Base64 encoded
- Check that the passphrase is correct
- Ensure the certificate hasn't expired (valid for 25 months)
- Confirm the domain is registered and verified in Apple Developer Portal
- Apple Pay only works in Safari
- User must have a card in Apple Wallet
- Domain must be served over HTTPS
- Check browser console for specific errors
- Verify the Payment Processing Certificate is uploaded to Cybersource
- Check Cybersource transaction logs for detailed error messages
- Ensure the merchant ID in Cybersource matches Apple Developer Portal
- Ensure the verification file is accessible at the exact path
- Check that your server returns the file with correct content-type
- Verify there are no redirects (must be served directly)
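
The merchant identity checks from the troubleshooting list above (Base64 encoding, passphrase, expiry), plus a key-to-certificate match, as an added Ruby example that is not Recurrente's own code. `check_merchant_identity` and `constructed_sample` are hypothetical names, and the sample certificate is constructed and self-signed rather than issued by Apple.

```ruby
require "openssl"

# Returns a list of problems with the Base64-encoded merchant identity
# certificate and key; an empty list means all checks passed.
def check_merchant_identity(cert_b64, key_b64, passphrase, now: Time.now)
  begin
    # "m0" is strict Base64: it raises on stray characters instead of skipping them.
    cert = OpenSSL::X509::Certificate.new(cert_b64.gsub(/\s+/, "").unpack1("m0"))
  rescue ArgumentError, OpenSSL::X509::CertificateError
    return ["certificate is not a Base64-encoded PEM certificate"]
  end
  begin
    key = OpenSSL::PKey.read(key_b64.gsub(/\s+/, "").unpack1("m0"), passphrase)
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    return ["private key is not valid Base64/PEM or the passphrase is wrong"]
  end
  problems = []
  problems << "certificate expired on #{cert.not_after}" if now > cert.not_after
  problems << "certificate not valid before #{cert.not_before}" if now < cert.not_before
  problems << "private key does not match certificate" unless cert.check_private_key(key)
  problems
end

# Constructed sample: a self-signed certificate and passphrase-encrypted key
# standing in for the files produced by the openssl/base64 steps.
def constructed_sample(passphrase, not_after:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=Constructed Merchant Identity")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  key_pem = key.export(OpenSSL::Cipher.new("aes-256-cbc"), passphrase)
  [[cert.to_pem].pack("m0"), [key_pem].pack("m0")]
end

if __FILE__ == $PROGRAM_NAME
  cert_b64, key_b64 = constructed_sample("constructed-pass", not_after: Time.now + 3600)
  p check_merchant_identity(cert_b64, key_b64, "constructed-pass")
  p check_merchant_identity(cert_b64, key_b64, "wrong-pass")
end
```

In a Rails console the same function can be called with the three `apple_pay` values read from the environment's credentials.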