How payments work
Google Pay gives customers fast, hassle-free checkouts and, at the same time, peace of mind that their data is kept secure through enhanced security. Google Pay passes customer information such as their phone number and card network from the app to the merchant and the card networks. Google Pay never passes card numbers from the app; instead, it relies on a process called tokenization, in which a token stands in for the customer's actual credit or debit card number. The card number itself stays with the card issuer and the Token Service Provider, so neither the app, the terminal nor the merchant ever handles it.
In order to complete the tokenization process, Google Pay works with:
- Mobile device manufacturers
- Payment terminal providers
- Payment networks
- Token Service Providers (TSPs)
- Card issuing banks
Together, Google Pay and these organizations work to build the tokenization infrastructure so that the:
- Customer verifies their identity when adding a card to Google Pay (ID&V)
- Customer’s mobile device securely stores their tokens
- Google Pay app transmits tokens to the payment terminal during in-store transactions
- NFC hardware follows industry standard specifications
Security benefits
Google Pay's tokenization process offers notable security benefits to both merchants and customers:
- Device lock screens and tokenized card numbers: Customers are protected from fraud and data breaches, including when their mobile device is lost or stolen. The device holds only a token, and each payment needs a fresh one-time cryptogram, so a token captured from a terminal or a merchant's records is not a usable card number.
- Easy integrations: TSPs and Google Pay do the heavy lifting when it comes to tokenization, making the integration with Google Pay simple for merchants.
- Reduced merchant risk: Because you receive a token rather than a card number, there is less sensitive customer information for you to store, which reduces your exposure to data breaches.
Putting these pieces together, a tokenized payment proceeds in three stages:
- A Google Pay user adds a credit or debit card to their Google Pay app. Google Pay requests a token to represent that card from the bank that issued it. Once the token is issued, the card is "tokenized": it has a unique number associated with it that stands in for the real card number. Google Pay encrypts the newly tokenized card, and it is ready to be used for payments.
- To make a purchase, a customer taps their mobile device on a point-of-sale terminal or chooses to pay in your mobile app. Google Pay responds with the customer's tokenized card and a cryptogram, which acts as a one-time-use password. The card network validates the cryptogram and matches the token with the customer's actual card number.
- Your acquiring bank and your customer's card-issuing bank use existing customer information and decrypted customer billing information to complete the transaction.
Things to keep in mind
- Google Pay doesn't process or authorize transactions. It facilitates secure and speedy transactions by tokenizing cards and passing the tokenized card and other customer information to the card networks.
- You, the merchant, are the seller of record and should keep your own records and withhold taxes appropriately.
- You continue to manage orders through your current payment processing system.
Figure 1: The flow of an NFC payment
- Customer tokenizes card: A customer adds their card to Google Pay. Then, their mobile device stores a payment token that is encrypted using a limited / single-use key.
- Merchant receives token: When the customer taps their device on an NFC-enabled terminal at the store’s point-of-sale, the device sends the token, token expiry date, and cryptogram to the terminal via the NFC protocol.
- Merchant processes payment: The merchant uses the token data captured by the terminal (token, expiry date and cryptogram) to process the payment through the acquiring bank. Note: You must flag the payment as a contactless transaction, either via the point-of-sale system or via the payment terminal.
- Acquirer processes payment: Acquirer processes card data captured via NFC using the appropriate payment network.
- TSP translates token: The TSP validates the cryptogram, then translates the token into the customer's actual card number.
- Card issuing bank receives cardholder info: The network sends the card issuing bank the customer's card number, expiration date, and an indicator that an on-behalf-of validation has been completed by the TSP.
- Network receives authorization response: The card issuing bank completes account-level validation and authorization checks and sends the authorization response to the network.
- Terminal notifies of transaction authorization success or failure: The network passes the authorization response through the acquirer to your point-of-sale, and finally to the customer. The payment terminal shows the customer and cashier a success or failure message.
The Google Pay transaction process in apps is similar though slightly more streamlined than the process in stores. Here’s an overview of typical in-app transactions:
- Customer tokenizes card: A customer adds their credit or debit card to Google Pay. Their device stores a payment token that stands in for the actual card number and is encrypted using a limited / single-use storage key. The tokenization process happens when a card is added to Google Pay. A one-time-use cryptogram is consumed each time a transaction is made with the tokenized card.
- Merchant receives token: When a customer chooses to pay in a merchant app integrated with the Google Payment API, the app begins the payment process by requesting a token.
- Merchant requests payment from acquirer: The merchant uses the token, expiry date and cryptogram returned by Google Pay to request a payment transaction from the merchant's acquirer.
- Acquirer processes payment: The acquirer uses the card token and cryptogram to authorize the payment with the card networks.
- Card network authorizes payment: The card network looks up the backing card for the card token via its Token Service Provider (TSP) and validates the one-time-use cryptogram. The card network and / or card issuing bank authorize payment based on the availability of credit on the user’s backing card.
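The in-store and in-app flows above share one structure: the device holds a token and a per-token key, the merchant and acquirer forward the token plus a one-time cryptogram, and only the Token Service Provider can turn the token back into a card number. The simulation below is an added example written for this page, not Google Pay's, a TSP's or a card network's code. It assumes a simplified design: the cryptogram is an HMAC over the token, amount, a device-side application transaction counter (ATC) and a terminal-supplied unpredictable number, and the TSP rejects any cryptogram whose ATC does not move forward. All class names, the sample card number and the balances are constructed for illustration.

```python
"""Simulated tokenized payment: wallet device, merchant/acquirer, TSP, issuer.

Constructed example for illustration; not Google Pay's, a TSP's or a
network's code. Shows that the merchant never handles the PAN, that a
captured token+cryptogram cannot be replayed, and that a tampered amount
fails validation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def cryptogram(key: bytes, token: str, amount: int, atc: int, un: str) -> str:
    """One-time cryptogram (assumed construction: HMAC-SHA256 over the fields)."""
    data = f"{token}|{amount}|{atc}|{un}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


@dataclass
class TokenRecord:
    pan: str          # real card number, known only to TSP and issuer
    expiry: str
    key: bytes        # per-token key shared with the device at provisioning
    last_atc: int = 0 # highest ATC accepted so far (replay protection)


class TokenServiceProvider:
    """Token vault: issues tokens after ID&V and detokenizes valid cryptograms."""

    def __init__(self) -> None:
        self._vault: dict[str, TokenRecord] = {}

    def provision(self, pan: str, expiry: str, identity_verified: bool):
        if not identity_verified:               # ID&V step when a card is added
            raise PermissionError("ID&V failed; no token issued")
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan, expiry, key)
        return token, expiry, key               # the PAN is never returned

    def detokenize(self, msg: dict) -> str:
        """Validate cryptogram and ATC; return the backing PAN or raise."""
        rec = self._vault.get(msg["token"])
        if rec is None:
            raise ValueError("unknown token")
        if msg["atc"] <= rec.last_atc:
            raise ValueError("replayed or stale cryptogram (ATC not increasing)")
        expected = cryptogram(rec.key, msg["token"], msg["amount"],
                              msg["atc"], msg["unpredictable_number"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            raise ValueError("cryptogram mismatch (tampered fields or forged token)")
        rec.last_atc = msg["atc"]               # consume the cryptogram
        return rec.pan


class Device:
    """Wallet on the phone: stores token, expiry and key, never the PAN."""

    def __init__(self, token: str, expiry: str, key: bytes) -> None:
        self.token, self.expiry, self.key, self.atc = token, expiry, key, 0

    def tap(self, amount: int, unpredictable_number: str) -> dict:
        """What the terminal (or merchant app) receives from the device."""
        self.atc += 1
        return {"token": self.token, "expiry": self.expiry, "atc": self.atc,
                "amount": amount, "unpredictable_number": unpredictable_number,
                "cryptogram": cryptogram(self.key, self.token, amount,
                                         self.atc, unpredictable_number),
                "contactless": True}


class Issuer:
    """Card-issuing bank: account-level checks on the real PAN."""

    def __init__(self, accounts: dict) -> None:
        self.accounts = accounts                # pan -> available balance (cents)

    def authorize(self, pan: str, amount: int) -> bool:
        if self.accounts.get(pan, 0) >= amount:
            self.accounts[pan] -= amount
            return True
        return False


def process_transaction(tsp: TokenServiceProvider, issuer: Issuer, msg: dict):
    """Acquirer -> network/TSP -> issuer path. Returns (approved, reason)."""
    try:
        pan = tsp.detokenize(msg)
    except ValueError as err:
        return False, str(err)
    return (True, "approved") if issuer.authorize(pan, msg["amount"]) \
        else (False, "declined by issuer")


def demo() -> dict:
    pan = "4111111111111111"                    # constructed test PAN
    tsp, issuer = TokenServiceProvider(), Issuer({pan: 100_00})
    device = Device(*tsp.provision(pan, "12/30", identity_verified=True))
    try:
        tsp.provision(pan, "12/30", identity_verified=False)
        idv_rejected = False
    except PermissionError:
        idv_rejected = True
    msg = device.tap(25_00, secrets.token_hex(4))   # terminal picks the UN
    first = process_transaction(tsp, issuer, msg)
    replay = process_transaction(tsp, issuer, msg)  # same message resent
    fresh = device.tap(25_00, secrets.token_hex(4))
    tampered = process_transaction(tsp, issuer, dict(fresh, amount=1_00))
    return {"first": first, "replay": replay, "tampered": tampered,
            "idv_rejected": idv_rejected, "pan_seen_by_merchant": pan in repr(msg),
            "balance": issuer.accounts[pan]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two failure cases mirror the protections the page describes: resending a captured message fails on the counter check, and changing the amount while keeping the cryptogram fails the HMAC check, so neither a terminal log nor a merchant database yields anything an attacker can reuse. The merchant-side message contains the token, expiry and cryptogram only, which is exactly the data set the flow above says the terminal receives.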
The complete Google Payment API integration instructions for Android merchant apps are available to developers.