How payments work
Here's how payments work when customers use Google Pay in shops and online.
Payments in shops
Google Pay gives customers fast, hassle-free checkouts and, at the same time, peace of mind that Google stores their data with multiple layers of security. Also, Google Pay does not send merchants their customers' actual card numbers when they pay in shops; instead, Google Pay facilitates a process called tokenisation, in which a token stands in for a customer's actual credit and debit card numbers.
In order to complete the tokenisation process, Google Pay works with:
- Mobile device manufacturers
- Payment terminal providers
- Payment networks
- Token Service Providers (TSPs)
Together, Google Pay and these organisations work to build the tokenisation infrastructure so that the:
- Customer verifies their identity when adding a card to Google Pay (ID&V)
- Customer's mobile device securely stores their tokens
- Google Pay app transmits tokens to the payment terminal during in-store transactions
- NFC hardware follows industry-standard specifications
Security benefitsGoogle Pay's tokenisation process offers notable security benefits to both merchants and customers:
- Device lock screens, remote device wiping and tokenised card numbers: Customers enjoy protections from loss or theft of devices containing token information.
- Easy integrations: TSPs and Google Pay do the heavy lifting when it comes to tokenisation, making the integration with Google Pay simple for merchants.
- Reduced merchant risk: The tokenisation process means less sensitive customer information for merchants to have to store, reducing your exposure and worries about data breaches.
- A Google Pay user adds a credit or debit card to their Google Pay app. Google Pay requests a token to represent the card they're trying to add from the bank that issued that card. Once the token is issued, this card is now 'tokenised', meaning that it has a unique identification number associated with it. Google Pay encrypts the newly tokenised card and it is ready to be used for payments.
- To make a purchase, a customer taps their mobile device on a point-of-sale terminal or chooses to pay in your mobile app. Google Pay responds with the customer's tokenised card and a cryptogram which acts as a one-time-use password. The card network validates the cryptogram and matches the token with the customer's actual card number.
- Your acquiring bank and your customer's card-issuing bank use existing customer information and decrypted customer-billing information to complete the transaction.
Things to bear in mind
- Google Pay doesn't process or authorise transactions, it merely helps enable secure and speedy transactions by tokenising cards and passing this tokenised card and other customer information to credit card networks
- Merchants are the seller of record and should keep your own records and withhold taxes appropriately
- Merchants continue to manage orders through your current payment processing system
Figure 1: The flow of an NFC payment
- Customer tokenises card: A customer adds their card to Google Pay. Then their mobile device stores a payment token that is encrypted using a limited/single-use key.
- Merchant receives token: When the customer taps their device on an NFC-enabled terminal at the shop's point-of-sale, the device sends the token, token expiry date and cryptogram to the terminal via the NFC protocol.
- Merchant processes payment: The merchant uses the card data to process the payment through the acquiring bank. Note: You must flag the payment as a contactless transaction, either via the point-of-sale system or via the payment terminal.
- Acquirer processes payment: Acquirer processes card data captured via NFC using the appropriate payment network.
- TSP translates token: The TSP validates the cryptogram, then translates the token into the customer's actual card number.
- Card-issuing bank receives cardholder info: The network sends the card-issuing bank the customer's card number, expiry date and an indicator that an on-behalf-of validation has been completed by the TSP.
- Network receives authorisation response: The card-issuing bank completes account-level validation and authorisation checks and sends the authorisation response to the network.
- Terminal notifies of transaction authorisation success or failure: The network passes the authorisation response through the acquirer to your point-of-sale, and finally to the customer. The payment terminal shows the cardholder and cashier a success or failure message.
When you integrate with the Google Pay API, customers can make faster and easier online purchases because they don't have to enter their payment and delivery information. You can even use the Google Pay API to offer one-touch checkout experiences for hundreds of millions of Google users and request any credit or debit card stored in your customer's Google Account.
Learn more about how integrating with the Google Pay API lets customers make transactions with payment tokens from their Google Pay app and payment cards from their Google Account.