NOTA BENE: This PayDecoding article was updated in June 2025, following major regulatory and technical changes in the XPay ecosystem.

 

For kids

Dad forgot his wallet again… but this time, he smiles. He now uses his phone to pay for lunch.

He scanned his card last week and added it to his digital wallet. Now, he just presses a button, looks at the screen… ping! Paid.

Even at the bakery, even at the cinema, even at the post office. And next year, even his pocket money could come through that!

Because now, phones, even iPhones, work with lots of wallets, not just Apple Pay. Goodbye, “sorry kid, no card”.

 

The multiplicity of NFC

“XPay” isn’t one brand. It’s a nickname for any digital wallet that lets you emulate a card on your phone using NFC technology.

Whether it’s Apple Pay, Google Pay, Samsung Pay, or now Wero, these wallets all rely on the same underlying mechanisms:

  1. Card emulation: Your phone mimics a contactless card.
  2. Tokenization: A virtual token replaces your card number, unique to your device.
  3. Authentication: Every tap is protected by a PIN, fingerprint, or Face ID.
  4. Secure Element: Payment data is encrypted and stored safely.

Once set up, the experience is seamless: one tap to pay, with full security.

 

Xpay Protocol: The ‘lasagna’ of secure transactions

The Xpay protocol operates in a ‘lasagna’ mode, layered with various elements each serving a unique purpose:

  1. NFC Layer: The conduit for data exchange.
  2. EMV Layer: The payment protocol of the card scheme like VISA.
  3. Payment Information Layer: Residing in the HCE (on Android) or the Security Module (on iOS).
  4. Wallet Layer: The fortress of security and authentication.

When creating a card image, Xpay introduces a Dynamic Pan (DyPan), a token unique to the device. Change your phone, and you lose your token, a feature ensuring an added layer of security.

 

Seamless authentication: a notch higher

The e-wallet further amplifies security with two-factor authentication via Touch ID, Face ID, PIN, or passcode. These secure elements not only ensure safe storage of payment data but also execute cryptographic functions, presenting a fortress for your financial data.

Furthermore, the life cycles of a physical card and a virtual card in the e-wallet (via Xpay protocol) are distinct. Thanks to Token networks like MDES at Mastercard and VTS at VISA, banks can automatically update the card image when the plastic card expires.

 

The big shift in 2025

In April 2025, German bank group BVR completed the first Girocard transaction on an iPhone without using Apple Pay. Starting in late 2024, iOS 17.4 opened access to the NFC controller for third-party developers in the EU.

Until now, Apple Pay had a monopoly on iPhone-based in-store payments. Developers couldn’t access the NFC antenna. Apple has opened this access, under strict conditions:

  • Only available in EU markets
  • Developers must sign up via Apple’s Entitlement Program
  • Apple still controls some UX flows (like invoking the wallet via double-press)

Despite this, Vipps MobilePay launched “Tap with Vipps” in Norway in December 2024. Other wallets, including Curve, Wero, and bank-native apps, are actively integrating this new NFC capability.

 

The Wallet wars

Apple’s closed ecosystem gave it massive control over mobile payments. That’s changing, especially in Europe. The Digital Markets Act (DMA) forces gatekeepers to ensure interoperability and user choice. This opens the door for regional initiatives like Wero, a pan-European wallet backed by major banks (EPI).

Wero aims to offer a neutral alternative to Apple Pay and Google Pay, supporting instant payments, QR codes, and now contactless via NFC, on both Android and iPhone. With that, the “XPay” club is growing beyond Big Tech:

  • Wero (Europe)
  • Vipps MobilePay (Nordics)
  • Curve (UK)
  • and traditional bank wallets (DKB, Sparkasse…)

 

What about security?

The move to third-party NFC doesn’t mean less security.

Each wallet must:

  • Use tokenized card data (e.g. MDES, VTS)
  • Authenticate every transaction
  • Store data in a secure enclave or certified software module

Card issuers and networks still control provisioning via Digital Enablement Platforms (e.g. Mastercard MDES, Visa VTS).

Even if you change your phone, you’ll need to re-provision your card,because tokens are device-bound.

 

Usage in 2025

  • 68% of Americans used a digital wallet in 2024 (Fiserv)
  • 4.8 billion people are expected to use digital wallets globally by end of 2025 (Juniper)
  • In China, over 85% of all point-of-sale payments are mobile (Statista)

Contactless is now the default expectation, not a fancy feature.

 

What’s next?

We’re witnessing the end of a monopoly, and the start of a more open wallet ecosystem. Will users adopt Wero or other alternatives at scale? Will banks regain control of their wallet UX? And will Apple ever allow tap-to-pay from a browser, or will apps remain the gatekeepers?

One thing’s sure: in 2025, XPay has never been more open or more competitive.

 

The curiosity surrounding Xpay is palpable. Venture deeper into this disruptive tech in our #PayDecoding library, where the future of transactions unfolds.

 

The curiosity surrounding Xpay is palpable. Venture deeper into this disruptive tech in our #PayDecoding library, where the future of transactions unfolds.

Share This Story, Choose Your Platform!