Is Apple Pay token transactionId globally unique?

I am investigating the possibility of using the Apple Pay transactionId to protect against replay attacks across the same payment gateway. The defence should rely on a field that participates in the signature and is unique.

But the Payment Token Format Reference describes paymentData.header.transactionId as

Transaction identifier, generated on the device.

This is not enough to treat it as globally unique.

Below is a test example of an ApplePayJS token:

{
    "paymentData": {
        "version": "EC_v1",
        "data": "...",
        "signature": "...",
        "header": {
            "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6jY12R9PoL7bzaC3/ibs6q6+g/cqjSkiO3GVFld2NVUA6kRlq0iJRT+XzfmGFvRs/G2qwgmWY8fKu7p6Ktgxug==",
            "publicKeyHash": "AJiEM3d+czut7s1t4QdtRBPjSOxw0D6iWSp1MUdXueM=",
            "transactionId": "f8f0c804922303decba1a8a4f7c503df1a6314e44e8db5ae7eb6b7fe0323513b"
        }
    },
    "paymentMethod": {
        "displayName": "MasterCard 1471",
        "network": "MasterCard",
        "type": "debit"
    },
    "transactionIdentifier": "F8F0C804922303DECBA1A8A4F7C503DF1A6314E44E8DB5AE7EB6B7FE0323513B"
}

In practice it always has a top-level transactionIdentifier field that matches the nested paymentData.header.transactionId case-insensitively.

The docs say:

transactionIdentifier

A unique identifier for this payment.

This identifier is suitable for use in a receipt.

A Google search also turned up How do I process returns with Apple Pay:

In Japan, you can also use the transaction ID on the receipt to find the purchase and process the return.

Also, transactionId is 64 hexadecimal characters, i.e. 32 full bytes, long. That is longer than the Unique Transaction Identifier format, so there is enough room for it to be truly globally unique.

Still looking for more direct and reliable evidence.
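One way to build the replay check the question describes, keyed on the signed header field and cross-checked against the unsigned top-level one (an added example, not code from the question or from Apple; the sample token is constructed from the question's structure with data, signature and keys elided, and the guard assumes the token signature has already been verified upstream):

```python
import json
import re

# Constructed sample with the question's structure; data, signature and keys are elided.
SAMPLE_TOKEN = json.dumps({
    "paymentData": {
        "version": "EC_v1",
        "header": {"transactionId": "f8f0c804922303decba1a8a4f7c503df1a6314e44e8db5ae7eb6b7fe0323513b"},
    },
    "transactionIdentifier": "F8F0C804922303DECBA1A8A4F7C503DF1A6314E44E8DB5AE7EB6B7FE0323513B",
})
# 32 bytes rendered as 64 hex characters, the length observed in the question's sample.
_HEX64 = re.compile(r"^[0-9a-f]{64}$")

def extract_transaction_id(token_json: str) -> str:
    """Return the lowercased signed transactionId; raise ValueError if malformed or inconsistent."""
    # Only paymentData.header.transactionId is covered by the token signature, so the replay
    # check keys on it; the unsigned top-level field is only cross-checked case-insensitively.
    token = json.loads(token_json)
    signed_id = token["paymentData"]["header"]["transactionId"].lower()
    if not _HEX64.match(signed_id):
        raise ValueError("transactionId is not 32 bytes of hex")
    top_level = token.get("transactionIdentifier")
    if top_level is not None and top_level.lower() != signed_id:
        raise ValueError("transactionIdentifier does not match header.transactionId")
    return signed_id

def is_consistent(token_json: str) -> bool:
    """True when the transactionId is well formed and consistent across both fields."""
    try:
        extract_transaction_id(token_json)
        return True
    except (ValueError, KeyError, TypeError):
        return False

class ReplayGuard:
    """Gateway-wide idempotency store: each signed transactionId is accepted only once.
    Assumption (not from the question): the signature was verified upstream, and in
    production the in-memory set is a store shared across all gateway nodes."""

    def __init__(self) -> None:
        self._seen = set()

    def accept(self, token_json: str) -> bool:
        tid = extract_transaction_id(token_json)
        if tid in self._seen:
            return False  # replayed: this signed transactionId was already consumed
        self._seen.add(tid)
        return True
```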