Page Summary
- Google Pay is built on an open platform with security measures protecting all parties involved in a transaction, including the cardholder, merchant, and financial institutions.
- Google Pay utilizes tokenization, secure key storage, and device unlock authorization to enhance transaction security and protect sensitive card information.
- The platform leverages Android's security features such as Play Integrity API, OS security model, and application permissions for robust protection.
- Google Pay replicates the security of a PIN entry through its Cardholder Verification Method (CVM) during payment authorization.

Google Pay was designed to provide the flexibility required for an open platform and protection for all users: the cardholder, merchant, network, the merchant’s acquiring bank, and the card issuing bank.
Highlights of Google Pay’s security features include:
- Network tokenization standards: When a cardholder makes a purchase using a device token, Google Pay sends the token's DPAN rather than the FPAN of the card. This “tokenization” provides your cardholders with an extra layer of security.
- Secure in-memory storage of limited-use keys (LUKs): Your cardholder’s mobile device stores the primary key that generates transaction cryptograms for contactless transactions. No other primary key data is stored on the device.
- Cardholders authorize payments: When ready to make a purchase, we use device unlock to enforce network rules for transactions in your country. This process serves as the Cardholder Verification Method (CVM) and replicates the security of entering a server-verified PIN.
- Device integrity is validated through Android's Play Integrity API.
- The Android OS security model, which protects system resources, isolates application data, and verifies app signatures.
- Application-defined and user-granted permissions
For more details on Android's security model, read the Android Security Reports.

