What's Actually Living Inside Your Apple Wallet and Google Pay?
Card tokenization explained — from the 16-digit number in your pocket to the token on your phone.

Every time you tap your phone at a checkout, no one in that transaction — not the terminal, not the merchant, not even Google or Apple — ever sees your actual card number. That's not marketing. It's a deliberate engineering decision called tokenization, and it's the backbone of modern card payments.
The problem with card numbers
Your card number — the 16-digit string on the front — is called a PAN (Primary Account Number). It’s your identity in the card network. Present it with an expiry date and CVV, and in most cases that’s enough to charge your account.
That’s the problem. It’s a static credential. If it leaks — from a merchant database, a data breach, a skimmer — it’s immediately usable by anyone who gets it. Merchants have historically needed to store PANs to support recurring payments, saved cards, and subscription billing. Storing millions of PANs made them high-value targets.
Tokenization solves this by replacing the PAN with a token: a surrogate value that looks like a card number but means nothing on its own. The real PAN lives in a token vault — a locked mapping table. The merchant never touches the actual PAN again. The diagram below shows this at a high level.
High-level flow of a merchant storing and charging a card
Two kinds of tokens — and they're very different
This is where most explanations stop, but there’s a critical split you need to understand: gateway tokens and network tokens. They solve the same surface problem, but they live at completely different layers of the payments stack.
First, some context: gateways vs. networks
A payment gateway is the service that sits between a merchant and the card networks. When you check out on a website, the gateway handles the connection: it encrypts your card details, routes the transaction, and returns an approval or decline. Merchants don't connect directly to Mastercard or Visa — the gateway is the middleman. Examples: MPGS (Mastercard Payment Gateway Services) and Cybersource (owned by Visa/TSYS).
A card network (also called a scheme) is the rails the transaction actually travels on: Mastercard, Visa, Amex. They set the rules, connect issuing banks to acquiring banks, and move money between them. They also operate their own tokenization services.
Gateway tokens
A gateway token is created and managed entirely by the payment gateway. When a customer enters their card on checkout, the gateway intercepts it, generates a token, stores the PAN in its own vault, and hands the merchant a token string. From that point on, the merchant only ever stores and sends the token — the gateway does the vault lookup to retrieve the real PAN whenever a charge is needed.
The important limitation: gateway tokens are scoped to that gateway. If a merchant migrates to a different payment processor, every stored token becomes worthless. They'd need to run a card migration project to re-tokenize their customer base.
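As an added illustration (not code from the original article), the following Python sketch models the vault mapping described above together with the gateway-scoping limitation: the surrogate keeps the PAN's length and last four digits and passes the Luhn check, but its body is random, and only the vault that issued it can map it back. The sample PAN is a standard test number, and the leading 9 and the class names are assumptions.

```python
import secrets

# Constructed sample PAN (a standard test number, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """One gateway's vault: random surrogate -> PAN. Tokens mean nothing outside this vault."""

    def __init__(self, name: str):
        self.name = name
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            # Format-preserving surrogate: same length and last four as the PAN, Luhn-valid,
            # random in the middle. The leading 9 keeps it out of issuer BIN ranges (assumption).
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            token = "9" + middle + pan[-4:]
            if luhn_valid(token) and token != pan and token not in self._store:
                self._store[token] = pan
                return token

    def is_known(self, token: str) -> bool:
        return token in self._store

    def detokenize(self, token: str) -> str:
        """Only the issuing vault can map back; another gateway's token is just digits."""
        if token not in self._store:
            raise LookupError(f"{self.name}: unknown token")
        return self._store[token]


if __name__ == "__main__":
    gateway_a, gateway_b = TokenVault("gateway-a"), TokenVault("gateway-b")
    token = gateway_a.tokenize(SAMPLE_PAN)  # the merchant stores only this string
    print(token, gateway_a.detokenize(token) == SAMPLE_PAN, gateway_b.is_known(token))
```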
Network tokens
A network token is created and managed by the card network itself — Mastercard’s service is called MDES (Mastercard Digital Enablement Service), and Visa’s is VTS (Visa Token Service).
Unlike gateway tokens, network tokens are portable. They’re not tied to any single gateway — any processor that understands the network’s token format can work with them. The token maps back to the underlying PAN at the network level, not at a gateway’s vault.
There’s another powerful benefit: automatic lifecycle management. When a card expires, gets reissued after fraud, or changes numbers, the network can automatically update the token mapping. Merchants and wallets holding that token don’t need to do anything — it just keeps working. That’s not possible with gateway tokens.
Why bother with gateway tokens? (Yes, it’s about PCI)
If your business stores, processes, or transmits cardholder data — including PANs — you’re subject to PCI DSS (Payment Card Industry Data Security Standard). Compliance isn’t optional. It means quarterly vulnerability scans, annual audits, strict network segmentation, encryption requirements, access controls, and more. Scope scales with how much card data you touch.
Here’s the key: tokens are not cardholder data. A gateway token stored in your database doesn’t count as a PAN under PCI DSS. You’re still in scope, but your scope shrinks dramatically. No PAN, no breach risk, no multi-million dollar liability exposure if your database leaks.
Apple Pay and Google Pay
When you add your Mastercard to Apple Wallet, here’s what actually happens behind the scenes:
Apple sends your card details to Mastercard’s MDES (or Visa’s VTS for Visa cards)
The network verifies the card and issues a DPAN — a Device PAN — a network token tied specifically to your device
That DPAN is stored in your iPhone’s Secure Element (a dedicated hardware chip, isolated from the main processor) — or in Google’s cloud-based Host Card Emulation system for Android
Your real PAN is never stored on the device
When you tap to pay:
Your device generates a cryptogram — a one-time cryptographic code tied to that specific transaction
The terminal receives your DPAN + the cryptogram
That goes to the acquiring bank → card network → MDES/VTS validates the cryptogram and maps the DPAN back to your actual card → routes to your issuing bank
Your bank approves or declines
The cryptogram is the critical piece. Under the hood it uses asymmetric cryptography, with keys that were exchanged between the scheme and the device. I won’t go too deep into the technical details, but what matters is that the cryptogram is single-use and bound to the transaction details (amount, timestamp, etc.).
This is why Apple Pay and Google Pay are considered more secure than tapping a physical card — your actual PAN never leaves your bank, and every tap generates a unique proof of authorization.
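As an added example that is not from the article, the following Python model walks through the tap-to-pay flow above: a network stand-in provisions a DPAN and a device key, the device produces a counter-bound cryptogram per tap, and the network validates it, rejects replays and altered amounts, and maps the DPAN back to the PAN without the PAN ever reaching the device or the terminal. The HMAC is a simplified stand-in for the scheme's real cryptogram construction; the class names, the leading 9 and the test PAN are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class TokenRecord:
    pan: str           # the real card number; it never leaves the network
    key: bytes         # per-device key, a stand-in for the scheme's provisioned key material
    last_atc: int = 0  # highest transaction counter accepted so far, for replay rejection

def make_cryptogram(key: bytes, dpan: str, atc: int, amount: int, merchant: str) -> bytes:
    # Simplified stand-in: an HMAC over the transaction details. Real scheme cryptograms
    # cover more fields and use the scheme's own key hierarchy.
    return hmac.new(key, f"{dpan}|{atc}|{amount}|{merchant}".encode(), hashlib.sha256).digest()

class Network:
    """Stand-in for MDES/VTS: provisions DPANs and validates each tap's cryptogram."""
    def __init__(self):
        self._tokens: dict[str, TokenRecord] = {}

    def provision(self, pan: str) -> tuple[str, bytes]:
        dpan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(16)
        self._tokens[dpan] = TokenRecord(pan, key)
        return dpan, key  # what the wallet receives; the PAN is not part of it

    def authorize(self, msg: dict) -> str:
        rec = self._tokens.get(msg["dpan"])
        if rec is None:
            return "declined: unknown token"
        expected = make_cryptogram(rec.key, msg["dpan"], msg["atc"], msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"  # altered amount/merchant, or wrong device key
        if msg["atc"] <= rec.last_atc:
            return "declined: replay"  # this cryptogram has already been spent
        rec.last_atc = msg["atc"]
        return f"approved for ****{rec.pan[-4:]}"  # issuer decision stub; DPAN mapped to PAN here

class Device:
    """Wallet side: holds only the DPAN and key; each tap bumps the counter."""
    def __init__(self, dpan: str, key: bytes):
        self.dpan, self._key, self._atc = dpan, key, 0

    def tap(self, amount: int, merchant: str) -> dict:
        self._atc += 1  # single-use: the counter makes every cryptogram different
        return {"dpan": self.dpan, "atc": self._atc, "amount": amount, "merchant": merchant,
                "cryptogram": make_cryptogram(self._key, self.dpan, self._atc, amount, merchant)}
```

What the terminal sees is the dict returned by `tap`: a DPAN and a cryptogram, with no PAN in it.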
Putting it all together
The mental model: gateway tokens protect merchants from storing PANs. Network tokens give those protections portability and lifecycle management. Device tokens take it further — the PAN never touches the payment terminal at all, and every transaction requires fresh cryptographic proof from your device.
Conclusion
Thank you for reading all the way to this point. The question of how my card got stored on my phone has always been at the back of my mind; hopefully, after this article, we roughly understand it. I will see you in the next article, bye for now!