Mobile Payment Security: The Role of Tokenization

Mobile Payment Security: The Role of Tokenization

Since Google Wallets launched in 2011, society has slowly been closing in on the day where wallets will no longer be necessary. During the last seven years, the mobile payment sector has become increasingly fragmented, more and more solutions are entering the market. Naturally, as mobile payments become more popular, mobile fraud also increases. The number of US merchants who said they experienced mobile fraud last year grew by 50 percent.

According to a recent Kount survey, 38.9 percent of US merchants say security and fraud risk is the number one priority when it comes to their mobile commerce and almost half say it’s their biggest challenge in the mobile channel. However, mobile payments are typically more secure than traditional payment methods—cardholder data is tokenized or encrypted.

What is Tokenization?

Tokenization is the process of protecting credit card information by replacing it with an algorithmically generated number or series of numbers and letters called a token. This means the actual credit card information is never saved on the mobile device or saved by the mobile payment service (in most cases). During online and in-store transactions, the consumer’s card details are concealed from the merchant or the mobile payment provider.

Tokenization is mathematically irreversible, making it one of the safest options for protecting cardholder data against hackers. If your ecommerce site is hacked, your consumers’ information is safe—all the criminal will see is a bunch of randomized numbers that are useless.

The tokenization process is the same regardless if the consumer is paying on the ecommerce site or through mobile apps.

Which Mobile Payment Providers Use Tokenization?

Apple Pay

Apple Pay does not retain or store any original credit or debit card information that the customer would use with the mobile payment solution. As soon as the user adds a new card to the mobile wallet, Apple immediately encrypts the card details and sends the information to the card’s issuing bank or network (Visa, American Express, Discover, etc.). The card network validates the card information with the issuing bank and sends Apple a Device Account Number (a token unique to the device). Apple stores the token in a secure element (a chip on the phone), and then programs the card to the mobile device.

Google Pay

Google follows a similar process to Apple Pay, never saving the user’s credit card information. Google Pay creates a token in place of the actual credit card information, making it near impossible for anyone to steal.

Before Google allows the user to add a card to their mobile wallet, they must set up a screen lock. Unlike the other mobile payment solutions, Google does not always require the customer to unlock their phone for small purchases.

Samsung Pay

In addition to the tokenization process, Samsung Pay has a service called KNOX. The technology is embedded into Samsung devices and monitors mobile devices for any malicious activity and vulnerabilities.


Unlike the other three mobile payment services mentioned above, PayPal does not use tokenization for transactions. Because the company is also a payment platform and stores cardholder data, it encrypts the card information. The service monitors every transaction 24/7 to help against fraud, email phishing, and identity theft. Additional security measures include firewalls, physical access to PayPal data centers, and information access authorization controls.

Similar to the other mobile payment services, the retailers never see the card information as long as the retailer is using PayPal’s Vault API—every transaction is encrypted. The Vault API securely stores customer cards so you, the retailer, don’t have to save it on your servers.

Over the years, PayPal’s name has become synonymous with trust and reliability. When consumers see its logo on your ecommerce site, they know their information will be safe. PayPal does share personal data with its subsidiaries, which include Braintree and Venmo.

Click here for a side-by-side comparison of mobile payment options.

Do mobile payment services comply with PCI standards?

Apple Pay, Google Pay, and Samsung Pay do not adhere to Payment Card Industry Data Security Standards (PCI DSS) mandated and administered by the Security Standards Council (SSC). They do state on their sites that in order to use their mobile payment services, your ecommerce site or payment platform, like Stripe or Braintree, and the issuing bank needs to be PCI compliant. Because these mobile payment providers do not store any of the actual card information, it narrows the scope of the PCI compliance guidelines. However, they do conform to the EMV standards—the tokenization guidelines for debit and credit card transactions.

Unlike Apple Pay, Google Pay, and Samsung Pay, PayPal is PCI DSS compliant. The PayPal team handles the security on the retailer’s behalf as long as they use their Payflow solution.

If a consumer loses their phone, what’s the risk of a fraudulent purchase?

Most mobile phones require a two-factor authentication in order to use the payment service. One, you need to have a device with a payment solution and insert the required card data. And two, you need to either enter a passcode or use biometrics, such as face or fingerprint validation, to authorize each transaction.

As another precaution, most mobile devices enable you to remotely erase the information on your phone or freeze the mobile payment service. This way, you don’t have to cancel your cards saved on the phone.

As a retailer, the tokenization and multi-factor authentication act as an extra security blanket for your ecommerce site. The more secure the mobile payment provider, the less chance you will face fraudulent purchases or hackers. Unfortunately, in most cases, the responsibility will usually fall on the retailer if there is a hack.

The Bottom Line

If you decide to employ a mobile payment solution on your ecommerce site, security will not be a major issue as long as you follow the solution’s recommended best practices for integrating to your ecommerce platform. You never have to save card information to your server. So, even in the event you get hacked, the cardholder information the criminals see will be useless.

If you’d like to discuss mobile payment strategies, you can contact us here. We’ve helped several ecommerce sites integrate new mobile payment solutions.

Subscribe to Our Newsletter

Get the latest insights from Blue Acorn iCi