One of the joys of Touch ID on a Mac laptop is using Apple Pay without needing an iPhone or iPad at hand to validate a secure credit or debit card transaction. This was extended to M-series Macs with the Magic Keyboard with Touch ID, which allows a Mac mini, iMac, or Mac Studio to add Touch ID through a special wireless connection to an M-series Mac’s Secure Enclave module.
But some readers have found Apple Pay disabled. In > System Preferences/Settings > Wallet & Apple Pay, macOS offers the explanation “Apple Pay has been disabled because the security settings of this Mac were modified.” Several different causes could be the root, and Apple omits one for M-series Macs in the document linked via a Learn More button in the pane–the company says it doesn’t apply, though I found in testing that it does.
Full Security on an Intel or M-Series Mac
To ensure Apple Pay works, system security must be set to Full Security on both Intel and M-series Macs. This requires restarting or starting up in recoveryOS and then using the Startup Security Utility to reset system security.
You may have downgraded security on an Intel Mac to boot off an external volume or to install some low-level drivers for third-party software. With an M-series Mac, the most likely reason is you enabled its Reduced Security mode to install a kernel extension required by some software that taps into low-level drivers, such as MacFuse or SAT SMART for drive monitoring.
With a reduced-security macOS startup, Apple may be unable to create the level of integrity it and the credit-card system requires for mobile payments that match the degree offered by a point-of-sale system accepting a chip on a card. If so, Apple Pay is disabled on the Mac. (Apple explains in technical detail how this relates to the M-series boot security policy process in this platform security document.)
There are separate paths on how to re-enable Full Security by Mac architecture type. Apple offers a full page walkthrough on reverting to Full Security with an Intel Mac with a T2 Security Chip. For an M-series Mac, look at the “Change the security policy” heading in this support document.
Other causes
Apple also suggests other causes:
- If you have a laptop, its lid must be open. This makes sense because how would you otherwise use the Touch ID sensor? There’s an exception: you can still use the sensor on a Magic Keyboard with Touch ID with an M-series Mac with the lid closed. (Apple doesn’t list this exception; I tested it, and it works.)
- A necessary security update may not have been installed. In the Software Update preference pane, click Advanced: the “Install system data files and security updates” box should be checked for automatic installation.
- Apple also notes more ambiguously that macOS disables Apple Pay “when it detects third-party software or malware that affects its ability to keep your payment information secure.”
You might wonder why Safari continues to allow you to fill in stored credit and debits cards from Safari > Preferences > Autofill if Apple Pay is disabled? Safari doesn’t perform a mobile payment transaction when it auto-fills card information—it just drops the information in without additional typing. If you’ve stored the Card Verification Code (CVC, also known as CVV and by the names), Safari will fill that in, too.
Credit-card processors that manage transactions for online retailers treat form-entered cards as among the most potentially fraudulent transactions; they don’t differentiate—nor do they have a way to—between browser auto-filled card details or those entered manually. Apple Pay mobile payments are among the least likely to be fraudulent because of the way the transaction is created and validated and are scored for risk accordingly.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.