How device tokens keep your payment cards safe in Google Wallet
General summary
Device tokens are virtual account numbers that replace your real card number when making payments with Google Wallet, enhancing security by keeping your FPAN private. These tokens are linked to your bank account, not your physical card, and provide built-in Android device authentication for added protection. Even if your phone is stolen, your device token can still be used for payments while you wait for a replacement card.
Summaries were generated by Google AI. Generative AI is experimental.Bullet points
-
Title: How device tokens keep your payment cards safe in Google Wallet
-
Device tokens are virtual account numbers that replace your real card number when you pay with Google Wallet.
- Tokens are linked to your bank account, not your card, so your FPAN stays safe.
- Each token has built-in Android device authentication for extra security.
- If you lose your card, you can still use your device token to pay while you wait for a replacement.
Basic explainer
When you pay with Google Wallet, a special code called a device token is used instead of your real card number.
This token keeps your card info safe because it's not shared with merchants or stored on your device.
Device tokens are linked to your bank account, not your card, so you can still pay even if you lose your card.
Google Wallet uses extra security features like fingerprint or face ID to make sure only you can use your cards.
Explore other styles:
Whether you purchase an item like an energizing latte or a service like a much-needed haircut, a lot happens behind the scenes to complete your transaction. If you're using Google Wallet, that process includes protecting your payment information using device tokens.
Here’s what to know about what device tokens are and how exactly they keep your payment information safe.
What device tokens are
When you pay for something with a physical card — credit, debit or prepaid — the merchant usually charges you through the printed number on the front of your card, known as the Funding Primary Account Number (FPAN). Every time this happens, you provide that number to the merchant, and that number is then sent along to a handful of other parties like the merchant’s bank, the card network (an organization that facilitates transactions between banks and merchants), the payment service provider and more.
In contrast, Google Wallet creates a device-specific virtual account number, or device token, for each payment method you add, so your real card number isn’t stored on your device or shared with merchants. Thanks to this tokenization, the only parties who have your actual FPAN when you make a purchase are the bank that issued the card and the card network.
What’s more, your device token functions independently from your physical card. It’s linked to your bank account or line of credit, not the card itself. So you can think of a device token as a super-safe messenger between your bank account or line of credit and whoever you’re buying something from.
The difference between who receives your FPAN when you pay with a physical card versus a digital wallet. (Note: This is a simplification of the process.)
How device tokens work
A new device token is created every time you add a card to your Google Wallet. Then, when it's time to make a payment, it's your device token's time to shine.
Many steps happen as a device token completes your payment while keeping your FPAN secure, all in a few seconds. This includes an encrypted packet containing the device token going to the merchant’s bank; the Token Service Provider (usually the card network) “detokenizing” the token to retrieve the physical card number once it’s safe; and the card issuer running risk checks and verifying the transaction should be allowed.
Outside of this process, device tokens have another safety feature physical cards lack: built-in Android device authentication. With a physical card, you may need to punch your PIN number into the terminal, or provide your signature. But you can only use the cards in your digital wallet after getting through your phone or smartwatch’s usual authentication, like a face ID, fingerprint or PIN. Even if someone steals your phone, they won’t be able to complete a transaction without this authentication.
Finally, since losing your credit card can be an unfortunate reality, it’s worth noting: Because your device token is linked to your bank account or line of credit (and not your card itself), you can keep paying from the same account even if you have to replace the physical card. With many banks, you can still use the device token in Google Wallet for payments, even as you wait for the new card to come in the mail.
Next time you tap to pay with Google Pay, know that the security benefits of tokenization are at play. Whether you’re looking for added convenience or additional security, digital wallets can help make sure your information doesn’t end up in the wrong hands.
