Here’s how payments work when customers use Google Pay in stores and online.
Payments in stores
Google Pay gives customers fast, hassle-free checkouts and, at the same time, peace of mind that Google stores their data with multiple layers of security. Also, Google Pay does not send merchants their customers' actual card numbers when they pay in stores; instead, Google Pay facilitates a process called tokenization in which a token stands in for a customer’s actual credit and debit card numbers.
In order to complete the tokenization process, Google Pay works with:
- Mobile device manufacturers
- Payment terminal providers
- Payment networks
- Token Service Providers (TSPs)
Together, Google Pay and these organizations work to build the tokenization infrastructure so that the:
- Customer verifies their identity when adding a card to Google Pay (ID&V)
- Customer’s mobile device securely stores their tokens
- Google Pay app transmits tokens to the payment terminal during in-store transactions
- NFC hardware follows industry standard specifications
Security benefitsGoogle Pay’s tokenization process offers notable security benefits to both merchants and customers:
- Device lock screens, remote device wiping, and tokenized card numbers: Customers enjoy protections from loss or theft of devices containing token information.
- Easy integrations: TSPs and Google Pay do the heavy lifting when it comes to tokenization, making the integration with Google Pay simple for merchants.
- Reduced merchant risk: The tokenization process means less sensitive customer information for merchants to have to store, reducing your exposure and worries about data breaches.
- A Google Pay user adds a credit or debit card to their Google Pay app. Google Pay requests a token to represent the card they’re trying to add from the bank that issued that card. Once the token is issued, this card is now “tokenized,” meaning it has a unique identification number associated with it. Google Pay encrypts the newly tokenized card and it is ready to be used for payments.
- To make a purchase, a customer taps their mobile device on a point-of-sale terminal or chooses to pay in your mobile app. Google Pay responds with the customer's tokenized card and a cryptogram which acts as a one-time-use password. The card network validates the cryptogram and matches the token with the customer’s actual card number.
- Your acquiring bank and your customer's card issuing bank use existing customer information and decrypted customer billing information to complete the transaction.
Things to keep in mind
- Google Pay doesn't process or authorize transactions, it merely helps enable secure and speedy transactions by tokenizing cards and passing this tokenized card and other customer information to credit card networks
- Merchants are the seller of record and should keep your own records and withhold taxes appropriately
- Merchants continue to manage orders through your current payment processing system
Figure 1: The flow of an NFC payment
- Customer tokenizes card: A customer adds their card to Google Pay. Then, their mobile device stores a payment token that is encrypted using a limited / single-use key.
- Merchant receives token: When the customer taps their device on an NFC-enabled terminal at the store’s point-of-sale, the device sends the token, token expiry date, and cryptogram to the terminal via the NFC protocol.
- Merchant processes payment: The merchant uses the card data to process the payment through the acquiring bank. Note: You must flag the payment as a contactless transaction, either via the point-of-sale system or via the payment terminal.
- Acquirer processes payment: Acquirer processes card data captured via NFC using the appropriate payment network.
- TSP translates token: The TSP validates the cryptogram, then translates the token into the customer's actual card number.
- Card issuing bank receives cardholder info: The network sends the card issuing bank the customer's card number, expiration date, and an indicator that an on-behalf-of validation has been completed by the TSP.
- Network receives authorization response: The card issuing bank completes account-level validation and authorization checks and sends the authorization response to the network.
- Terminal notifies of transaction authorization success or failure: The network passes the authorization response through the acquirer to your point-of-sale, and finally to the customer. The payment terminal shows the customer and cashier a success or failure message.
When you integrate with the Google Pay API, customers can make faster and easier online purchases because they don’t have to enter their payment and shipping information. You can even use the Google Pay API to offer one-touch checkout experiences for hundreds of millions of Google users and request any credit or debit card stored in your customer’s Google Account.
Learn more about how integrating with the Google Pay API lets customers make transactions with payment tokens from their Google Pay app and payment cards from their Google Account.