Security

Google Pay was designed to provide the flexibility required for an open platform and protection for all users: the cardholder, merchant, network, the merchant’s acquiring bank, and the card issuing bank.

Highlights of Google Pay’s security features include:

  • Network tokenization standards: When a cardholder makes a purchase using a device token, Google Pay sends the token's DPAN rather than the FPAN of the card. This “tokenization” provides your cardholders with an extra layer of security.
  • Secure in-memory storage of limited-use keys (LUKs): Your cardholder’s mobile device stores the primary key that generates transaction cryptograms for contactless transactions. No other primary key data is stored on the device.
  • Cardholders authorize payments: When a cardholder is ready to make a purchase, we use device unlock to enforce network rules for high-value and low-value transactions in your country. This process serves as the Cardholder Verification Method (CVM) and replicates the security of entering a server-verified PIN. You can view payment limits on locked devices at this page.
  • Device integrity is validated through Android's Play Integrity API.
  • The Android OS security model, which protects system resources, isolates application data, and verifies app signatures.
  • Application-defined and user-granted permissions.

For more details on Android's security model, read the Android Security Reports.

Google Pay Security Whitepapers

If you have been granted access to this content, make sure you are signed in with your authorized Google account. If you are a partner who needs access, follow the instructions on how to request access.