How secure are wallet cards?

Introduction

The Wallet Crew provides a white-label Wallet as a Service (WaaS) solution that enables brands to digitalize cards for Apple Wallet and Google Wallet. This allows customers to store loyalty cards, gift cards, and other assets directly in their native wallet applications. Our solution is designed with a security-first approach, ensuring compliance with international privacy regulations and delivering enterprise-grade protection for organizations with large user bases.

Compliance and Data Protection

Security and privacy are at the core of our architecture. The Wallet Crew is fully compliant with GDPR and CCPA requirements. By design, no personal data is persisted within our system. All infrastructure is hosted in Microsoft Azure data centers located in Europe, ensuring data residency within the EU.

We maintain a documented Security Insurance Plan, which outlines our security commitments and risk management strategies. This plan is available for review here. Additionally, we provide a Data Processing Agreement to formalize compliance responsibilities between The Wallet Crew and our clients, accessible here. For further details on how we protect data, please refer to our Data Protection FAQ.

Security Architecture

Our architecture is built on a multi-tenant model where each tenant operates in a fully isolated environment. This isolation ensures that data and operations are segregated across clients. We implement configurable throttling per tenant to prevent abuse and maintain system integrity.

Authentication for API calls is handled through OAuth 2.0 or API keys, depending on client requirements. Access to our back-office interface is managed by Auth0, providing a secure and standardized authentication mechanism.

From a network perspective, all internal services are deployed within a dedicated Azure Virtual Network that is not reachable from the public internet. Public traffic is routed through Cloudflare, which acts as a secure CDN and adds protection against DDoS attacks (WAF, etc.). Our own domain is not exposed directly to customers; instead, we offer a custom domain system in which a brand uses a subdomain of its own domain to reach the application. TLS certificates for these custom domains are managed through our Cloudflare account, although customers may opt to use their own certificates and DNS configuration upon request.

All communications are encrypted using TLS 1.2 or TLS 1.3. Data at rest is stored in Azure CosmosDB and encrypted by Azure using industry-standard encryption algorithms. Analytics data (Insights API) is stored in Azure Data Explorer, which is likewise encrypted by Azure. Internal communication between services within the virtual network is also protected with TLS.

Distribution Security

The Wallet Crew provides several secure methods for distributing wallet passes to end users. All distribution channels enforce HTTPS and use signed URLs to prevent tampering or unauthorized access. Security is our primary concern, and our design ensures that an identifier alone, without its accompanying cryptographic token, is not sufficient to retrieve a pass.

Each pass in our system is associated with two types of identifiers:

  • Internal Identifier: This is an opaque, non-sequential UUID generated by The Wallet Crew. It is unique and cannot be guessed. Because it is never predictable, it can be used for retrieval without additional security measures.

  • External Identifier: This identifier is provided by the brand or external system and may represent values such as a loyalty card number, ticket number, or gift card ID. External identifiers can vary in format and may be sequential, which introduces predictability. If the external identifier is unique and non-guessable (e.g., a UUID), it can be used directly. However, when the identifier is predictable or sequential, additional security measures are mandatory to prevent enumeration attacks.

To secure retrieval based on external identifiers, we support several cryptographic mechanisms:

  • HMAC-SHA256 Signature
    A secure hash-based message authentication code (HMAC) can be computed using SHA-256 and a shared secret. This secret is unique per tenant and never exposed publicly. The external system generates the HMAC using the external identifier and the shared secret, and The Wallet Crew validates the signature before granting access.

  • Shared Secret Token
    The external system can compute a token using a secret known only to The Wallet Crew and the data partner. This token is transmitted along with the identifier and validated by our API. The secret must be strong and non-guessable to prevent brute-force attacks.

  • JWT (JSON Web Token)
    We support JWT-based authentication for pass retrieval. The JWT can include the external identifier as a claim and is signed either with a shared secret (HMAC) or a public/private key pair (RSA or ECDSA). The Wallet Crew validates the signature and claims before processing the request.

These security measures apply both to API-based retrieval and to distribution links embedded in emails, QR codes, or NFC tags. All links are served over HTTPS and include signed parameters to prevent tampering. While identifiers may appear in URLs, they are useless without the corresponding cryptographic token, ensuring that exposure does not compromise security.
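The following is an added example, not code from The Wallet Crew, showing how the HMAC-SHA256 and JWT mechanisms described above fit together on the external system's side (signing) and the validating side (checking). The tenant secret, the `<id>|<expiry>` message layout and the `externalId` claim name are assumptions of this example; the exact canonical message format and claim names used by The Wallet Crew are not part of this article.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed tenant secret for the example only. In practice the per-tenant
# secret is issued by The Wallet Crew and shared with the external system.
TENANT_SECRET = b"example-tenant-secret-not-for-production"


def sign_external_id(external_id: str, secret: bytes = TENANT_SECRET,
                     expires_at: Optional[int] = None) -> str:
    """HMAC-SHA256 over the external identifier, hex encoded.

    The '<id>|<expiry>' message layout is an assumption of this example. When an
    expiry is given it is bound into the MAC, so the expiry cannot be extended
    without invalidating the signature.
    """
    message = external_id if expires_at is None else f"{external_id}|{expires_at}"
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def verify_external_id(external_id: str, token: str, secret: bytes = TENANT_SECRET,
                       expires_at: Optional[int] = None, now: Optional[int] = None) -> bool:
    """Validate a retrieval request: expiry first, then a constant-time MAC check."""
    if expires_at is not None:
        now = int(time.time()) if now is None else now
        if now >= expires_at:
            return False
    expected = sign_external_id(external_id, secret, expires_at)
    return hmac.compare_digest(expected, token)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(external_id: str, secret: bytes = TENANT_SECRET, ttl: int = 900,
             now: Optional[int] = None) -> str:
    """Build an HS256 JWT carrying the external identifier as a claim.

    The 'externalId' claim name is an assumption of this example.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"externalId": external_id, "iat": now, "exp": now + ttl}
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = TENANT_SECRET,
               now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        # Pin the algorithm: only accept what we issue, never trust the header alone.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None
        claims = json.loads(b64url_decode(p64))
    except ValueError:  # malformed base64 or JSON
        return None
    if not isinstance(claims, dict) or "externalId" not in claims:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    card = "LOY-000123"  # constructed, sequential-looking loyalty number
    mac = sign_external_id(card)
    print("own MAC accepted:", verify_external_id(card, mac))
    print("neighbouring number rejected:", not verify_external_id("LOY-000124", mac))
    print("jwt claims:", verify_jwt(mint_jwt(card, now=1000), now=1500))
```

Two details matter in practice: the signature is always compared with `hmac.compare_digest` so that a forged token cannot be refined one byte at a time through timing differences, and the JWT verifier pins the algorithm to the one issued rather than honouring whatever the token's header claims.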

Passes can be distributed via email, where secure links are integrated with major marketing automation tools. This allows brands to embed “Add to Wallet” links in their campaigns seamlessly. Detailed instructions for email integration are available here: Send The Wallet Crew link via email to enroll customers in mobile wallet. We also provide dedicated connectors for major marketing automation tools that make building such emails straightforward: Marketing automation connectors.

For web-based distribution, we offer an SDK that enables the integration of an “Add to Wallet” button directly on a brand’s website. This SDK ensures secure communication between the website and our platform. Implementation details can be found here: How to implement The Wallet Crew SDK “Add to Wallet” button on your website?

We also provide secure enrollment forms that allow customers to complete additional steps, such as verifying assets or creating loyalty cards, before accessing their wallet pass. More information on enrollment forms is available here: Enrolment form configuration.

Finally, secure links can be embedded in physical objects such as QR codes on flyers or NFC tags on plastic cards. These links are signed and can be configured for one-time use or temporary validity. We also offer a web application that displays temporary QR codes for enhanced security. Feel free to contact our support team to find the best solution for your use case.
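As an added example (not The Wallet Crew's own code), the validator below shows what "one-time use" and "temporary validity" mean for a signed link printed on a flyer or written to an NFC tag: each issued link carries an expiry and a random nonce under an HMAC, and the server accepts a given nonce exactly once. The token layout, the `LinkRedeemer` class and the secret are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import threading
import time
from typing import Optional

# Constructed secret for the example; in practice the tenant secret held by the issuer.
LINK_SECRET = b"example-link-secret-not-for-production"


def issue_link_token(pass_id: str, ttl: int, now: Optional[int] = None,
                     secret: bytes = LINK_SECRET) -> str:
    """Return '<pass_id>.<expiry>.<nonce>.<mac>' for embedding in a QR code or NFC tag.

    The random nonce makes every issued link distinct, which is what allows the
    server to enforce single use; the expiry gives the link temporary validity.
    """
    now = int(time.time()) if now is None else now
    expiry = str(now + ttl)
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{pass_id}.{expiry}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{pass_id}.{expiry}.{nonce}.{mac}"


class LinkRedeemer:
    """Server-side validator enforcing signature, expiry and one-time use."""

    def __init__(self, secret: bytes = LINK_SECRET):
        self._secret = secret
        self._consumed = {}  # nonce -> expiry; remembered until the link would expire anyway
        self._lock = threading.Lock()

    def redeem(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the pass id on the first valid presentation, None on any failure or replay."""
        now = int(time.time()) if now is None else now
        try:
            pass_id, expiry_str, nonce, mac = token.rsplit(".", 3)
            expiry = int(expiry_str)
        except ValueError:
            return None  # malformed token
        expected = hmac.new(self._secret, f"{pass_id}.{expiry_str}.{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # tampered or forged link
        if now >= expiry:
            return None  # temporary validity has elapsed
        with self._lock:
            self._purge(now)
            if nonce in self._consumed:
                return None  # second use of a one-time link
            self._consumed[nonce] = expiry
        return pass_id

    def _purge(self, now: int) -> None:
        # Expired nonces are rejected by the expiry check above, so they need not be kept.
        for nonce, expiry in list(self._consumed.items()):
            if expiry <= now:
                del self._consumed[nonce]


if __name__ == "__main__":
    redeemer = LinkRedeemer()
    link = issue_link_token("3f2504e0-4f89-11d3-9a0c-0305e82c3301", ttl=300)  # constructed pass id
    print("first scan:", redeemer.redeem(link))
    print("second scan:", redeemer.redeem(link))
```

The checks run in the order signature, expiry, replay, so an unsigned or tampered token never reaches the shared consumed-nonce table, and the table only ever holds nonces of links that are still within their validity window.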

The Wallet Crew offers multiple secure methods for distributing and retrieving wallet passes.

Data Flow and Privacy

By default, The Wallet Crew does not store any personally identifiable information (PII). For performance optimization, certain connectors may use a temporary cache, which is optional and configurable. The typical cache duration is less than 15 minutes, and cached data can be deleted through The Wallet Crew API. Data deletion requests (which involve no PII) are handled promptly by our support team.

Our architecture ensures that sensitive operations occur within secure boundaries.

Wallet Provider Communication

Communication with wallet providers differs between Apple and Google.

For Apple Wallet, cards are installed directly on the user’s device and are not stored on Apple servers. The Wallet Crew communicates with the device through Apple Push Notification Service (APNs) using token-based authentication. When a card update is required, The Wallet Crew sends a push notification to Apple, which then instructs the device to download the updated pass asynchronously. While cards may be persisted in iCloud, The Wallet Crew has no access to this data.

For Google Wallet, cards are stored in the user’s Google account. Updates are managed through the Google Wallet API using OAuth credentials. Communication with the device is handled entirely by Google, ensuring a secure and streamlined update process.

API Security

Our APIs are protected by rate limiting, which is configurable per tenant. Proprietary mechanisms are in place to mitigate brute-force attacks. Audit logs are available upon request for compliance and forensic analysis. The Insights API also provides information about usage of the platform.

Monitoring and Incident Response

The Wallet Crew employs Azure Application Insights for real-time monitoring and anomaly detection using AI-based alerts. We maintain a documented incident response process and a business recovery plan to ensure continuity in case of disruptions.

Risk Mitigation

We enforce HTTPS and signed URLs across all distribution channels. QR codes and NFC tags are protected against tampering through temporary or one-time-use configurations. Multi-tenant isolation and throttling mechanisms further reduce the risk of abuse or unauthorized access.