This documentation is currently under development. Certain sections are not yet complete and will be added shortly.

Wallet card security

Apple Wallet and Google Wallet pass security at The Wallet Crew (WaaS): GDPR/CCPA, EU data residency, encryption, tenant isolation, and signed “Add to Wallet” links.

Apple Wallet and Google Wallet pass security

The Wallet Crew is a white-label Wallet as a Service (WaaS) platform. We help brands issue secure mobile wallet cards and wallet passes. These passes work in Apple Wallet and Google Wallet.

Common use cases include loyalty cards, gift cards, coupons, and tickets.

This page covers end-to-end wallet pass security:

  • privacy and compliance (GDPR, CCPA)

  • EU hosting and data residency

  • encryption in transit and at rest

  • API authentication, throttling, and abuse protection

  • secure pass distribution (email, web, QR, NFC)

  • Apple Wallet vs Google Wallet update flows

Compliance and data protection (GDPR, CCPA)

Security and privacy are built into the platform. The Wallet Crew aligns with GDPR and CCPA requirements.

PII is not stored by default. When PII processing is needed, it is driven by your configuration and use case.

Our infrastructure runs on Microsoft Azure in Europe. This supports EU data residency requirements for many organizations.

References

Security Architecture

The Wallet Crew is a multi-tenant platform with strict tenant isolation. Data and operations are segregated between brands. Per-tenant throttling reduces abuse and noisy-neighbor risk.

API authentication supports OAuth 2.0 and API keys. Back-office access uses Auth0 for identity and access management.

Internal services run inside a dedicated Azure Virtual Network. This network is not publicly accessible. Public traffic is routed through Cloudflare. Cloudflare provides CDN, WAF, DDoS protection, and rate limiting.

We support custom domains for pass distribution. Brands can use a subdomain on their own domain. TLS certificates are managed via Cloudflare by default. Brands can also bring their own certificate and DNS configuration.

All communications use TLS 1.2 or TLS 1.3. Data at rest is stored in Azure Cosmos DB and encrypted by Azure. Analytics data is stored in Azure Data Explorer and encrypted by Azure. See Insights API for usage and analytics access patterns.

Service-to-service traffic inside the virtual network is also encrypted with TLS.

For hosting details, see Infrastructure.

The Wallet Crew supports secure pass distribution to end users. All channels enforce HTTPS and use signed parameters. This prevents tampering, replay, and unauthorized access.

Each pass in our system is associated with two types of identifiers:

  • Internal identifier: An opaque, non-sequential UUID generated by The Wallet Crew. It is unique and not guessable. It is safe for direct retrieval.

  • External identifier: Provided by your systems. Examples include loyalty numbers, ticket numbers, and gift card IDs. These values are often sequential or predictable. Predictable IDs must be protected to prevent enumeration (IDOR) attacks.

To secure retrieval based on external identifiers, we support several mechanisms. They are designed to prevent enumeration and replay attacks.

  • HMAC-SHA256 Signature: Compute an HMAC with SHA-256 and a tenant-specific shared secret. Your system signs the external identifier. The Wallet Crew verifies the signature before granting access.

  • Shared Secret Token: Generate a token using a secret shared with The Wallet Crew. Send the token with the identifier. Our API validates it before returning any pass data.

  • JWT (JSON Web Token): Use a signed JWT that includes the external identifier as a claim. Sign with HMAC or an asymmetric key pair (RSA/ECDSA). The Wallet Crew validates signature, expiry, and claims.

These controls apply to API retrieval and to distribution links. That includes email, QR codes, and NFC tags. Identifiers in URLs are useless without a valid token.
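As an added example (not The Wallet Crew's own code), the following Python sketch shows how the HMAC-SHA256 mechanism above can be implemented on both sides of a distribution link: the issuing system signs the external identifier together with an expiry and, for one-time links, a random nonce; the verifier recomputes the HMAC, compares it in constant time, and only then checks expiry and nonce consumption. The tenant secret, base URL, query parameter names and loyalty numbers are constructed assumptions, and the nonce store is an in-memory set standing in for whatever shared store a real service would use.

```python
"""Signed "Add to Wallet" links: HMAC-SHA256 over an external identifier.

Added example, not The Wallet Crew's own code. The secret, the base URL and the
parameter names (id, exp, nonce, sig) are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-tenant secret; in production it lives server-side only.
TENANT_SECRET = b"constructed-tenant-secret-do-not-reuse"
# Hypothetical custom distribution domain for a brand.
BASE_URL = "https://passes.example-brand.com/wallet/add"

# One-time-link bookkeeping. In-memory for the example; a real service would
# use a shared store so every verifier instance sees consumed nonces.
_consumed_nonces: Set[str] = set()


def _message(external_id: str, exp: int, nonce: str) -> bytes:
    # Canonical encoding: fixed field order, newline separator that cannot
    # occur inside an identifier, so "id + exp" cannot be re-split ambiguously.
    return f"{external_id}\n{exp}\n{nonce}".encode()


def sign_link(external_id: str, ttl_seconds: int = 900, one_time: bool = False,
              now: Optional[int] = None) -> str:
    """Issuer side: build a time-limited (and optionally one-time) signed link."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    # A random nonce makes the link single-use once the verifier records it.
    nonce = secrets.token_urlsafe(16) if one_time else ""
    sig = hmac.new(TENANT_SECRET, _message(external_id, exp, nonce),
                   hashlib.sha256).hexdigest()
    params = {"id": external_id, "exp": exp, "sig": sig}
    if nonce:
        params["nonce"] = nonce
    return f"{BASE_URL}?{urlencode(params)}"


def verify_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Verifier side. Returns (ok, reason); the reason is a label for audit logs."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlsplit(url).query)
    try:
        external_id = q["id"][0]
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    nonce = q.get("nonce", [""])[0]
    expected = hmac.new(TENANT_SECRET, _message(external_id, exp, nonce),
                        hashlib.sha256).hexdigest()
    # Signature first, and in constant time, so a guessed identifier with a
    # wrong signature learns nothing (neither "expired" nor "replayed").
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    if now >= exp:
        return False, "expired"
    if nonce:
        if nonce in _consumed_nonces:
            return False, "replayed"
        _consumed_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    link = sign_link("LOY-000123", ttl_seconds=900, one_time=True)
    print(link)
    print(verify_link(link))                                # (True, 'ok')
    print(verify_link(link))                                # (False, 'replayed')
    print(verify_link(link.replace("LOY-000123", "LOY-000124")))  # bad-signature
```

Because the expiry and nonce are part of the signed message, a recipient cannot extend a link's lifetime or strip the nonce without invalidating the signature; and because the signature check precedes every other check, enumeration attempts against predictable loyalty numbers only ever see "bad-signature".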

Passes can be distributed via email using secure “Add to Wallet” links. Email flows integrate with major marketing automation tools. See Via Email and Integrations.

For web distribution, we provide an SDK for an “Add to Wallet” button. The SDK keeps the browser-to-platform flow secure. See On your website.

We also provide secure enrolment forms. They can add verification steps before pass access. See Enrolment form design.

You can also embed secure links into physical touchpoints. Use QR codes on flyers or NFC tags on plastic cards. These links are signed and can be one-time or time-limited. We also offer a web app that displays temporary QR codes. Contact support to pick the right setup for your use case.

Mobile wallet data flow and privacy

The Wallet Crew is designed to minimize PII storage. PII is not persisted by default.

For performance, some connectors can use an optional temporary cache. Typical cache duration is under 15 minutes. Cache data can be deleted via The Wallet Crew API. Data deletion requests can also be handled through our support team.

Our architecture ensures that sensitive operations occur within secure boundaries.

Data flow diagram

Apple Wallet and Google Wallet communication flows

Communication with wallet providers differs between Apple and Google.

  • Apple Wallet: Passes are installed on the user’s device. They are not stored on Apple servers by default. Updates are triggered via Apple Push Notification service (APNs). APNs tells the device to fetch the updated pass asynchronously. Passes may sync via iCloud, but we cannot access iCloud content.

    Apple Wallet flow

  • Google Wallet: Passes are stored in the user’s Google account. Updates are managed through the Google Wallet API using OAuth credentials. Device delivery and refresh are handled by Google.

    Google Wallet flow

API security (authentication, rate limiting, audit logs)

Our APIs are protected with per-tenant rate limiting. Additional controls mitigate brute-force and token abuse.
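As an added example (not The Wallet Crew's own code), here is a minimal per-tenant token-bucket limiter of the kind the throttling above describes: each tenant gets its own bucket, so one brand's burst exhausts only that brand's budget and cannot starve another tenant. The capacities, refill rates and tenant names are constructed values; a production limiter would keep its state in a shared store rather than in process memory.

```python
"""Per-tenant token-bucket rate limiting.

Added example, not The Wallet Crew's own code. Capacity, refill rate and the
tenant identifiers used in the demo are constructed values.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Bucket:
    capacity: float        # burst size: maximum tokens held at once
    refill_per_sec: float  # sustained rate
    tokens: float          # tokens currently available
    updated: float         # timestamp of the last refill computation


class TenantRateLimiter:
    """One independent bucket per tenant; unknown tenants start full."""

    def __init__(self, capacity: int = 10, refill_per_sec: float = 1.0):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[str, Bucket] = {}

    def _bucket(self, tenant: str, now: float) -> Bucket:
        b = self._buckets.get(tenant)
        if b is None:
            b = Bucket(self.capacity, self.refill_per_sec,
                       tokens=self.capacity, updated=now)
            self._buckets[tenant] = b
        return b

    def allow(self, tenant: str, now: Optional[float] = None) -> bool:
        """Spend one token for `tenant` if available; otherwise reject."""
        now = time.monotonic() if now is None else now
        b = self._bucket(tenant, now)
        # Lazy refill: add tokens for the time elapsed since the last call,
        # never exceeding the burst capacity.
        elapsed = max(0.0, now - b.updated)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.refill_per_sec)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def remaining(self, tenant: str, now: Optional[float] = None) -> float:
        """Tokens a tenant has left right now (useful for a rate-limit header)."""
        now = time.monotonic() if now is None else now
        b = self._bucket(tenant, now)
        elapsed = max(0.0, now - b.updated)
        return min(b.capacity, b.tokens + elapsed * b.refill_per_sec)


def simulate_noisy_neighbor(capacity: int = 3, refill_per_sec: float = 1.0) -> Dict[str, int]:
    """Constructed scenario: tenant 'brand-a' fires 20 requests in one instant
    while 'brand-b' sends one. Returns how many each tenant had accepted."""
    limiter = TenantRateLimiter(capacity, refill_per_sec)
    accepted = {"brand-a": 0, "brand-b": 0}
    for _ in range(20):
        if limiter.allow("brand-a", now=0.0):
            accepted["brand-a"] += 1
    if limiter.allow("brand-b", now=0.0):
        accepted["brand-b"] += 1
    return accepted


if __name__ == "__main__":
    print(simulate_noisy_neighbor())  # {'brand-a': 3, 'brand-b': 1}
```

Keying the bucket on the authenticated tenant (from the OAuth token or API key, never from a client-supplied header) is what turns this from a global throttle into tenant isolation; the rejected requests are also a useful signal to feed into anomaly alerting.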

Audit logs are available on request for compliance and forensic analysis. Platform usage signals are available via the Insights API.

Monitoring and Incident Response

We use Azure Application Insights for monitoring and anomaly detection. Alerts are automated and tuned for suspicious patterns.

We maintain an incident response process and a business recovery plan.

Risk Mitigation

We enforce HTTPS and signed URLs across all distribution channels. QR codes and NFC tags can be configured as temporary or one-time use. Tenant isolation and throttling further reduce abuse and unauthorized access.

Quick security FAQ

Does The Wallet Crew store personal data (PII)?

By default, no. The Wallet Crew is designed so PII is not persisted. Some connectors may use an optional short-lived cache.

Are Apple Wallet passes stored on Apple servers?

Apple Wallet passes are installed on the user’s device. Updates are triggered through APNs. The Wallet Crew cannot access iCloud-stored pass content.

How does The Wallet Crew prevent abuse of your APIs?

We use per-tenant rate limiting and additional abuse protections. We monitor anomalies and maintain an incident response process. Audit logs can be provided on request.
