Security

Google Pay was designed to provide the flexibility required for an open platform and protection for all users: the cardholder, merchant, network, the merchant’s acquiring bank, and the card issuing bank.

Highlights of Google Pay’s security features include:

  • Network tokenization standards: When a cardholder makes a purchase using a device token, Google Pay sends the token's DPAN rather than the FPAN of the card. This “tokenization” provides your cardholders with an extra layer of security.
  • Secure in-memory storage of limited-use keys (LUKs): Your cardholder’s mobile device stores the primary key that generates transaction cryptograms for contactless transactions. No other primary key data is stored on the device.
  • Cardholders authorize payments: When a cardholder is ready to make a purchase, we use device unlock to enforce network rules for high-value and low-value transactions in your country. This process serves as the Cardholder Verification Method (CVM) and replicates the security of entering a server-verified PIN. You can view payment limits on locked devices at this page.
  • Device integrity is validated through Android's Play Integrity API.
  • The Android OS security model, which protects system resources, isolates application data, and verifies app signatures.
  • Application-defined and user-granted permissions

For more details on Android's security model, read the Android Security Reports.
