nfc apdu applepay emv

How are Apple Pay and NFC-enabled credit cards used in check-in/check-out scenarios such as the London Underground?


If I understand correctly: Apple Pay, Android Pay and NFC-enabled credit cards can all be accessed using APDU commands via NFC according to the EMV standard.

I want to use information from this data exchange to associate the device/card with some persistent server-side information, typically a check-in/check-out scenario.

The NFC Tag ID is randomized on most devices, making this obvious approach unusable.

I am NOT trying to take payment, only use a unique identifier that does not change over time. It is also important that the identifier is unique per device, so that the same credit card registered on two phones does not appear to be identical.

Reading about the use of temporary tokens makes me wonder if this is at all possible on the phones due to the one-time tokenization employed. Apple creates a Device Account Number that is unique for a device, but this is supposedly not shared with the Point Of Sale. But still, travellers can use EMV cards as well as Apple Pay to check in/out on the London Underground; this is not possible without reading the same identifier twice.

So my question is what information can I use to read a persistent unique token that works across all EMV mediums?

Extra bonus points for some information on the APDU commands used for reading this information or thoughts on the security aspects of using this token as a non-cloneable identifier (can offline PIN verification be used?).

The following threads could not provide an answer:

Serials on NFC Tags - truly unique? cloneable?

Create Token With Apple Pay Without Payment


Solution

  • I think you might be getting a bit confused around how Apple Pay works - it's just a regular EMV contactless card payment with a device-specific card number/token instead of the actual token. The uniqueness comes from the EMV cryptogram. The public Apple Security Whitepaper details this: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
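
An added example, not part of the answer above and not Apple or EMV reference code: it parses a constructed EMV record (BER-TLV) and derives a server-side check-in identifier from the Application PAN (tag 5A) and PAN sequence number (tag 5F34), storing only a keyed hash rather than the card number. It assumes the "device-specific card number/token" the answer mentions is the value a reader sees in tag 5A; `traveller_id`, `SERVER_KEY` and both sample records are hypothetical.

```python
import hashlib
import hmac

def parse_tlv(data: bytes) -> dict:
    """Flatten EMV BER-TLV into {tag_hex: value}, descending into templates."""
    out, i = {}, 0
    try:
        while i < len(data):
            if data[i] in (0x00, 0xFF):      # padding between TLV objects
                i += 1
                continue
            start, constructed = i, bool(data[i] & 0x20)
            if data[i] & 0x1F == 0x1F:       # tag continues in following bytes
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:                # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            value = data[i:i + length]
            if len(value) != length:
                raise ValueError("truncated TLV value")
            i += length
            if constructed:
                out.update(parse_tlv(value))
            else:
                out[tag] = value
    except IndexError:
        raise ValueError("truncated TLV header") from None
    return out

def traveller_id(record: bytes, server_key: bytes) -> str:
    """Keyed pseudonym of PAN + PAN sequence number; the raw PAN is not stored."""
    tags = parse_tlv(record)
    pan = tags["5A"].hex().upper().rstrip("F")   # 'F' nibbles pad odd-length PANs
    psn = tags.get("5F34", b"\x00").hex()
    msg = f"{pan}|{psn}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()

# Constructed sample records (not captured from a real card or phone):
# template 70 { 5A = PAN, 5F24 = expiry YYMMDD, 5F34 = PAN sequence number }
CARD_RECORD = bytes.fromhex("70 14 5A 08 4000000000000002 5F24 03 301231 5F34 01 01")
PHONE_RECORD = bytes.fromhex("70 14 5A 08 4000000000001117 5F24 03 301231 5F34 01 01")
SERVER_KEY = b"constructed-demo-key"  # assumption: held server-side only
```

Because the identifier is a static data element, it is only as trustworthy as the reader's check that the card or device is genuine; the per-transaction cryptogram the answer mentions is what distinguishes a real card from a replayed record.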