TLDR: Process before technology!
When you create a unique pass for your customer (by enrolling a member, creating a coupon, or issuing a ticket) you are given a unique pass URL for that pass. The unique pass URL is then distributed to your customer by your distribution channel of choice (email, sms, QR code, social channels, etc).
As with any weblink, there is nothing that stops someone visiting the same weblink (if it's shared) or indeed nothing stopping someone taking a screenshot of their pass and sharing it with their friends or wider.
Obviously this is a little easier when you are talking of something that is digital versus a plastic card (although of course people do copy plastic cards).
That's why it's so important you implement the appropriate level of authentication when someone uses their pass in your checkout process. Business uses passes for a broad range of uses; e.g. the airlines that use PassKit for Boarding Passes, require someone to also show their proof of identification and check it matches with what's on the pass before boarding a plane, all the way through to Burger King using PassKit for coupons - where they don't care if someone has shared their coupon with someone else because it still drives traffic to their stores. And in this case when the coupon is used, anyone that has the coupon in their wallet will also see it redeemed, so it can only be used once.
In summary, the key is to make sure you implement authentication processes that are fitting with the value of the pass. There is nothing stopping someone sharing their card with anyone else, and if it's critical that only the person who is given the the pass can use the services, then you'll need an appropriate level of 'checking'.
Some examples off how other businesses are doing this with PassKit:
For membership cards; adding a member thumbnail image to the front of the card, and do a 'visual' check on redemption.
Have the name on the card, and ask your customer to show proof of id when using the card; then make sure this matches
Make a realtime API call to PassKit (or your POS / CRM) when you scan the pass, and verify the data in the database - which will be reflect the true 'state' of the pass (i.e. expiry date, points balance, tier, stored value, etc).