How payments work

Here’s how payments work when customers use Google Pay in stores and online.

Payments in stores

Google Pay gives customers fast, hassle-free checkouts and, at the same time, peace of mind that Google stores their data with multiple layers of security. Also, Google Pay does not send merchants their customers' actual card numbers when they pay in stores; instead, Google Pay facilitates a process called tokenization in which a token stands in for a customer’s actual credit and debit card numbers.

In order to complete the tokenization process, Google Pay works with:

Together, Google Pay and these organizations work to build the tokenization infrastructure so that the:

  • Customer verifies their identity when adding a card to Google Pay (ID&V)
  • Customer’s mobile device securely stores their tokens
  • Google Pay app transmits tokens to the payment terminal during in-store transactions
  • NFC hardware follows industry standard specifications

Security benefits 

Google Pay’s tokenization process offers notable security benefits to both merchants and customers:
  • Device lock screens, remote device wiping, and tokenized card numbers: Customers enjoy protections from loss or theft of devices containing token information.
  • Easy integrations: TSPs and Google Pay do the heavy lifting when it comes to tokenization, making the integration with Google Pay simple for merchants.
  • Reduced merchant risk: The tokenization process means less sensitive customer information for merchants to have to store, reducing your exposure and worries about data breaches.   


Tokenization works slightly differently when Google Pay is facilitating in-store or online payments. However, here’s basically how payments work:  

  1. A Google Pay user adds a credit or debit card to their Google Pay app. Google Pay requests a token to represent the card they’re trying to add from the bank that issued that card. Once the token is issued, this card is now “tokenized,” meaning it has a unique identification number associated with it. Google Pay encrypts the newly tokenized card and it is ready to be used for payments. 
  2. To make a purchase, a customer taps their mobile device on a point-of-sale terminal or chooses to pay in your mobile app. Google Pay responds with the customer's tokenized card and a cryptogram which acts as a one-time-use password. The card network validates the cryptogram and matches the token with the customer’s actual card number. 
  3. Your acquiring bank and your customer's card issuing bank use existing customer information and decrypted customer billing information to complete the transaction. 

Things to keep in mind

  • Google Pay doesn't process or authorize transactions, it merely helps enable secure and speedy transactions by tokenizing cards and passing this tokenized card and other customer information to credit card networks
  • Merchants are the seller of record and should keep your own records and withhold taxes appropriately
  • Merchants continue to manage orders through your current payment processing system

Detailed Google Pay transaction process in stores

Google Pay NFC payment flow

Figure 1: The flow of an NFC payment


  1. Customer tokenizes card: A customer adds their card to Google Pay. Then, their mobile device stores a payment token that is encrypted using a limited / single-use key
  2. Merchant receives token: When the customer taps their device on an NFC-enabled terminal at the store’s point-of-sale, the device sends the token, token expiry date, and cryptogram to the terminal via the NFC protocol.
  3. Merchant processes payment: The merchant uses the card data to process the payment through the acquiring bank. Note: You must flag the payment as a contactless transaction, either via the point-of-sale system or via the payment terminal.  
  4. Acquirer processes payment: Acquirer processes card data captured via NFC using the appropriate payment network.
  5. TSP translates token: The TSP validates the cryptogram, then translates the token into the customer's actual card number. 
  6. Card issuing bank receives cardholder info: The network sends the card issuing bank the customer's card number, expiration date, and an indicator that an on-behalf-of validation has been completed by the TSP.
  7. Network receives authorization response: The card issuing bank completes account-level validation and authorization checks and sends the authorization response to the network. 
  8. Terminal notifies of transaction authorization success or failure: The network passes the authorization response through the acquirer to your point-of-sale, and finally to the customer. The payment terminal shows the customer and cashier a success or failure message.


 Icons by Freepik, Yannick and Icon Works from are licensed under Creative Commons BY 3.0.

Payments online

When you integrate with the Google Pay API, customers can make faster and easier online purchases because they don’t have to enter their payment and shipping information. You can even use the Google Pay API to offer one-touch checkout experiences for hundreds of millions of Google users and request any credit or debit card stored in your customer’s Google Account.  

Learn more about how integrating with the Google Pay API lets customers make transactions with payment tokens from their Google Pay app and payment cards from their Google Account.

Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center