Skip to main content
The Keyword

How device tokens keep your payment cards safe in Google Wallet

An illustration of a credit card that then transitions into coins, a lock and a fingerprint

Whether you purchase an item like an energizing latte or a service like a much-needed haircut, a lot happens behind the scenes to complete your transaction. If you're using Google Wallet, that process includes protecting your payment information using device tokens.

Here’s what to know about what device tokens are and how exactly they keep your payment information safe.

What device tokens are

When you pay for something with a physical card — credit, debit or prepaid — the merchant usually charges you through the printed number on the front of your card, known as the Funding Primary Account Number (FPAN). Every time this happens, you provide that number to the merchant, and that number is then sent along to a handful of other parties like the merchant’s bank, the card network (an organization that facilitates transactions between banks and merchants), the payment service provider and more.

In contrast, Google Wallet creates a device-specific virtual account number, or device token, for each payment method you add, so your real card number isn’t stored on your device or shared with merchants. Thanks to this tokenization, the only parties who have your actual FPAN when you make a purchase are the bank that issued the card and the card network.

What’s more, your device token functions independently from your physical card. It’s linked to your bank account or line of credit, not the card itself. So you can think of a device token as a super-safe messenger between your bank account or line of credit and whoever you’re buying something from.

An animation of two simplified payment flows. The top flow shows that the FPAN from a physical card is sent to the merchant and to other parties (network, merchant’s bank and more). The bottom flow shows a device token replacing the card number. That device token is then sent through to the merchant and other parties.

The difference between who receives your FPAN when you pay with a physical card versus a digital wallet. (Note: This is a simplification of the process.)

How device tokens work

A new device token is created every time you add a card to your Google Wallet. Then, when it's time to make a payment, it's your device token's time to shine.

Many steps happen as a device token completes your payment while keeping your FPAN secure, all in a few seconds. This includes an encrypted packet containing the device token going to the merchant’s bank; the Token Service Provider (usually the card network) “detokenizing” the token to retrieve the physical card number once it’s safe; and the card issuer running risk checks and verifying the transaction should be allowed.

Outside of this process, device tokens have another safety feature physical cards lack: built-in Android device authentication. With a physical card, you may need to punch your PIN number into the terminal, or provide your signature. But you can only use the cards in your digital wallet after getting through your phone or smartwatch’s usual authentication, like a face ID, fingerprint or PIN. Even if someone steals your phone, they won’t be able to complete a transaction without this authentication.

Finally, since losing your credit card can be an unfortunate reality, it’s worth noting: Because your device token is linked to your bank account or line of credit (and not your card itself), you can keep paying from the same account even if you have to replace the physical card. With many banks, you can still use the device token in Google Wallet for payments, even as you wait for the new card to come in the mail.

Next time you tap to pay with Google Pay, know that the security benefits of tokenization are at play. Whether you’re looking for added convenience or additional security, digital wallets can help make sure your information doesn’t end up in the wrong hands.

Let’s stay in touch. Get the latest news from Google in your inbox.