Digital Wallets Explained: How Apple Pay, Google Pay, and Samsung Pay Work
You tap your phone at the coffee shop terminal, hear a cheerful ding, and walk away with your latte — no card, no PIN, no signature. In under 500 milliseconds, your phone just orchestrated a cryptographic handshake involving your bank, the card network, a hardware security chip, and a one-time-use payment credential that will never work again. That’s a digital wallet in action, and the engineering behind that half-second tap is astonishingly elegant.
What is a Digital Wallet?
A digital wallet (also called a mobile wallet) is a software application — typically on a smartphone, smartwatch, or tablet — that stores virtualized versions of your payment cards and uses them to make contactless transactions at physical terminals or online checkouts. Instead of carrying a plastic card, your device becomes the card.
But here’s the critical engineering detail: your digital wallet does not store your actual card number. When you add a card to Apple Pay or Google Pay, the real Primary Account Number (PAN) is replaced with a Device PAN (DPAN) — a network token issued by the card network’s Token Service Provider. Your real card number never touches the merchant’s terminal.
Deep dive: Our Payment Tokenization Guide explains the full lifecycle of network tokens and DPANs — the same technology that powers every digital wallet transaction.
Also Known As
Digital wallets go by many names across different contexts:
| Name | Context |
|---|---|
| Digital wallet | Industry standard term |
| Mobile wallet | When running on a smartphone |
| E-wallet / electronic wallet | General digital payments context |
| Contactless wallet | Emphasizing NFC tap-to-pay |
| NFC wallet | Technical shorthand |
| Pass-through wallet | Architecture term (wallet passes credentials to network) |
| OEM wallet | Referring to device-manufacturer wallets (Apple, Google, Samsung) |
| Device payment | Card network terminology |
How Digital Wallets Work
Every digital wallet transaction follows two major phases: enrollment (adding the card) and payment (tapping to pay). Understanding both is essential for payment engineers.
Phase 1: Card Enrollment (Provisioning)
When you add a credit card to a digital wallet, a multi-party provisioning flow occurs:
┌──────────┐ PAN ┌──────────┐ Verify ┌──────────┐
│ User │ ───────→ │ Wallet │ ───────→ │ Card │
│ (Phone) │ │ App │ │ Network │
└──────────┘ └────┬─────┘ └────┬─────┘
│ │
│ ↓
│ ┌──────────┐
│ │ Token │
│ │ Service │
│ │ Provider │
│ └────┬─────┘
│ │ DPAN
↓ ↓
┌──────────────────────────┐
│ Secure Element / HCE │
│ (stores DPAN + keys) │
└──────────────────────────┘
- User enters card details — PAN, expiry, CVV2 (or scans the card with camera)
- Wallet contacts the card network — The PAN is sent to the network’s Token Service Provider (Visa Token Service, Mastercard Digital Enablement Service, etc.)
- Issuer verifies identity — The issuing bank may require additional verification (SMS OTP, in-app approval, call to bank)
- Network issues a DPAN — A format-preserving token bound to this specific device
- DPAN stored securely — In the phone’s Secure Element (Apple Pay) or Host Card Emulation environment (Google Pay)
- Card is “provisioned” — Ready for contactless payments
Phase 2: Making a Payment (Tap-to-Pay)
When you hold your phone near a contactless terminal:
- NFC field activates — The terminal’s NFC reader powers the communication
- Wallet presents the DPAN — Along with a one-time dynamic cryptogram (similar to an ARQC in chip transactions)
- Terminal sends authorization — An ISO 8583
0100message is sent through the acquirer to the card network - Network de-tokenizes — The Token Service Provider maps the DPAN back to the real PAN
- Issuer authorizes — The issuer approves the transaction against the real card account
- Response flows back — Approval reaches the terminal in under 500ms
The merchant never sees your real PAN. The terminal receives a token and a cryptogram — nothing reusable.
Try it yourself: Use our ISO 8583 Studio to parse an authorization message from a contactless transaction — Field 22 will show entry mode
07(contactless chip) or91(contactless DPAN).
Apple Pay, Google Pay, and Samsung Pay Compared
While all three wallets achieve the same goal — tap-to-pay without a physical card — they differ significantly in architecture, security model, and capabilities:
| Feature | Apple Pay | Google Pay | Samsung Pay |
|---|---|---|---|
| Launch year | 2014 | 2015 (as Android Pay) | 2015 |
| Supported devices | iPhone, Apple Watch, iPad, Mac | Android phones, Wear OS | Samsung Galaxy phones, watches |
| NFC support | Yes | Yes | Yes |
| MST support | No | No | Yes (legacy — discontinued on newer models) |
| Token storage | Secure Element (hardware) | Host Card Emulation (cloud) | Secure Element (hardware) |
| Authentication | Face ID, Touch ID, passcode | Fingerprint, PIN, pattern | Fingerprint, iris, PIN |
| In-app payments | Yes | Yes | Yes |
| Web payments | Safari only | Chrome + other browsers | Samsung Internet + Chrome |
| Transit / express mode | Yes (without auth) | Yes (in supported cities) | Limited |
| Card network support | Visa, MC, Amex, Discover, JCB | Visa, MC, Amex, Discover | Visa, MC, Amex, Discover |
| Token type | DPAN (network token) | DPAN (network token) | DPAN (network token) |
Samsung Pay’s MST: The Magnetic Trick
Samsung Pay originally included a unique technology called Magnetic Secure Transmission (MST) that could mimic a magnetic stripe swipe. The phone’s MST coil generated a magnetic field that legacy terminals interpreted as a card swipe — allowing Samsung Pay to work at terminals without NFC.
NFC Payment: Phone ←─── NFC field ───→ Contactless Reader
MST Payment: Phone ───→ Magnetic field ───→ Mag Stripe Reader
| MST Detail | Value |
|---|---|
| Technology | Electromagnetic signal mimicking Track 2 data |
| Range | ~3 inches from reader head |
| Security | Still uses tokenized DPAN + cryptogram |
| Current status | Discontinued on Galaxy S21+ and newer models |
Related: Learn how magnetic stripe data is structured in our Magnetic Stripe Track Data Guide — MST transmits tokenized equivalents of this format.
The Security Architecture
Digital wallets are often more secure than physical cards. Here’s why:
Secure Element vs Host Card Emulation
The core architectural decision for any digital wallet is where to store the sensitive DPAN and cryptographic keys:
| Approach | Used By | How It Works | Security Level |
|---|---|---|---|
| Secure Element (SE) | Apple Pay, Samsung Pay | Dedicated tamper-resistant hardware chip on the device | Highest — hardware-isolated |
| Host Card Emulation (HCE) | Google Pay | Token and keys stored in a cloud-backed software environment | High — cloud-managed with limited-use keys |
| Trusted Execution Environment (TEE) | Some Android wallets | Isolated area within the main processor | Medium-high |
Secure Element is a tiny, tamper-proof chip (similar to what’s inside your EMV card) embedded in the phone. It runs its own operating system and stores the DPAN and private keys in hardware that resists physical extraction — even if the phone is jailbroken.
Host Card Emulation avoids the need for a hardware SE by storing tokenized credentials in a cloud environment. Google Pay downloads a set of limited-use keys to the device. Each key can only be used for a small number of transactions before new keys must be fetched from the cloud.
The Dynamic Cryptogram
Every digital wallet transaction generates a unique, one-time cryptogram — a cryptographic value computed from the DPAN, transaction data, and a key stored in the SE or HCE environment. This is conceptually identical to the ARQC (Application Request Cryptogram) generated by EMV chip cards.
| Element | EMV Chip Card | Digital Wallet |
|---|---|---|
| Account identifier | PAN on the chip | DPAN in SE/HCE |
| Cryptogram | ARQC (tag 9F26) | Dynamic cryptogram |
| Key storage | Chip’s secure memory | Secure Element or HCE |
| Counter | ATC (tag 9F36) | Transaction counter |
| One-time use | Yes | Yes |
The cryptogram ensures that even if someone intercepts the NFC transaction data, they cannot replay it — the cryptogram is bound to that specific transaction amount, date, and counter value.
Verify cryptograms: Use our ARQC Calculator to understand how transaction cryptograms are generated — the same HSM-based principles apply to digital wallet cryptograms.
Why Wallets Beat Physical Cards on Security
| Threat | Physical Card | Digital Wallet |
|---|---|---|
| Card skimming | Vulnerable (mag stripe) | Immune — no mag stripe data |
| Lost/stolen card | Usable until reported | Requires biometric to use |
| Card number theft | PAN printed on card | PAN never stored or transmitted |
| Transaction replay | Possible (mag stripe) | Impossible — one-time cryptogram |
| Counterfeit card | Possible (cloned stripe) | Cannot clone Secure Element |
| Remote compromise | Card number can be used online | DPAN is domain-restricted |
Digital Wallets in ISO 8583
For payment engineers, digital wallet transactions appear as standard contactless chip transactions in ISO 8583 messages, with a few important distinctions:
Key Fields
| ISO 8583 Field | Content | Digital Wallet Specifics |
|---|---|---|
| Field 2 (PAN) | DPAN (network token) | Looks like a real PAN but is a token |
| Field 22 (POS Entry Mode) | 07x, 91x | Contactless chip or DPAN-specific codes |
| Field 55 (ICC/EMV Data) | DSRP cryptogram data | Contains the wallet’s dynamic cryptogram |
| DE 48 (Additional Data) | Wallet identifier | Indicates Apple Pay, Google Pay, etc. |
| Private fields | Token metadata | Token Assurance Level, Token Requestor ID |
POS Entry Mode Codes for Digital Wallets
The Field 22 POS Entry Mode tells the issuer exactly how the cardholder credential was presented:
| Entry Mode | Meaning | Wallet Context |
|---|---|---|
| 07 | Contactless EMV chip | NFC tap with DPAN + cryptogram |
| 91 | Contactless DPAN (network token) | Explicit token-based contactless |
| 81 | E-commerce, DPAN | In-app or web payment using wallet |
| 09 | E-commerce | Online wallet checkout via browser |
Look up codes: Our POS Entry Mode Guide has the complete Field 22 breakdown — modes
07and91are the ones you’ll see in wallet transactions.
DSRP: Digital Secure Remote Payment
When digital wallets are used for online (card-not-present) transactions, the card networks use a protocol called DSRP (Digital Secure Remote Payment). DSRP generates a chip-like cryptogram for e-commerce transactions, giving them the same security benefits as in-store contactless taps.
| DSRP Element | Description | EMV Tag |
|---|---|---|
| DSRP Cryptogram | One-time payment cryptogram | 9F26 |
| Cryptogram Type | ARQC indicator | 9F27 |
| DPAN | Tokenized card number | 5A |
| ATC | Application Transaction Counter | 9F36 |
| Unpredictable Number | Random anti-replay value | 9F37 |
Decode DSRP data: Use the EMV Tag Inspector to parse the Field 55 data from wallet transactions — you’ll see the same EMV tags as chip card transactions.
Other Digital Wallets in the Ecosystem
Beyond the big three OEM wallets, the digital wallet landscape includes several other important players:
| Wallet | Type | How It Works |
|---|---|---|
| PayPal | Stored credentials | PAN stored in PayPal’s vault; PayPal acts as payment intermediary |
| Venmo | P2P + payments | Social payments app; now supports in-store tap-to-pay via network tokens |
| Cash App | P2P + card | Square’s ecosystem; issues virtual Visa card backed by account balance |
| Alipay | Super app | QR-code based payments dominant in China; moving to NFC in some regions |
| WeChat Pay | Super app | QR-code based, similar to Alipay; 1B+ users |
| Garmin Pay / Fitbit Pay | Wearable | Network tokenization on wearable devices |
These wallets use varying architectures — some use network tokenization (like OEM wallets), while others act as intermediaries that process payments through their own acquiring relationships.
What Digital Wallets Do NOT Do
Understanding the boundaries prevents over-reliance:
Not a Bank Account
Digital wallets are pass-through mechanisms. They don’t hold money (unlike prepaid wallets like PayPal balance). The actual funds come from the linked card’s issuing bank.
Not Universal (Yet)
| Limitation | Detail |
|---|---|
| Terminal compatibility | Requires NFC-capable terminal (though adoption is now 80%+ in developed markets) |
| Card support | Not all issuers support all wallets; some regional banks lag behind |
| Country availability | OEM wallets are not available in every market |
| Transaction limits | Some countries impose contactless transaction caps (e.g., €50 in some EU markets without CVM) |
| Offline payments | Most wallets require network connectivity for HCE key refresh |
Not Immune to All Fraud
- Social engineering — Fraudsters can still trick users into adding stolen cards to their wallet
- Account takeover — If someone compromises your Apple/Google account, they may access your wallet
- Provisioning fraud — Stolen card details can be provisioned into a wallet if issuer verification is weak
- Friendly fraud — Wallet payments can still be disputed just like card payments
Understand authentication: Our 3D Secure / SCA Guide covers how Strong Customer Authentication protects digital wallet provisioning and online wallet payments.
Quick Reference: Digital Wallet Terminology
| Term | Definition |
|---|---|
| DPAN | Device PAN — a network token provisioned to a specific device |
| SE | Secure Element — tamper-resistant hardware chip storing tokens and keys |
| HCE | Host Card Emulation — cloud-backed software approach to NFC payments |
| TEE | Trusted Execution Environment — isolated processing area on the main chip |
| NFC | Near Field Communication — short-range wireless protocol (13.56 MHz) |
| MST | Magnetic Secure Transmission — Samsung’s legacy mag stripe emulation |
| DSRP | Digital Secure Remote Payment — chip-like cryptograms for online wallet payments |
| TSP | Token Service Provider — card network service that issues and manages DPANs |
| CVM | Cardholder Verification Method — biometric, PIN, or passcode used to authenticate |
| TAL | Token Assurance Level — confidence score for the DPAN-to-PAN mapping |
| OEM | Original Equipment Manufacturer — Apple, Google, Samsung in the wallet context |
| Provisioning | The process of adding a card to a digital wallet and obtaining a DPAN |
Next Steps
Now that you understand how digital wallets process payments:
- Decode wallet transactions with the EMV Tag Inspector — parse DSRP cryptograms in Field 55
- Parse authorization messages with the ISO 8583 Studio — see DPANs in Field 2 and contactless entry modes in Field 22
- Understand tokenization in our Payment Tokenization Guide — the network token infrastructure behind every wallet transaction
- Learn POS entry modes in our POS Entry Mode Guide — entry modes
07and91identify wallet taps - Review 3D Secure in our 3D Secure / SCA Guide — how SCA applies to digital wallet enrollment and online payments
- Look up response codes in the Reference Database — debug wallet transaction declines
- Explore biometric payments in our Biometric Payments Guide — how FIDO2 and palm/face recognition power the next generation of contactless payments
This post is part of the ISO 8583 Mastery series. Follow along as we explore payment messaging in depth.
Related Posts
💬 Discussion
Have a question or feedback? Leave a comment below — powered by GitHub Discussions.
How do digital wallets like Apple Pay and Google Pay work?
They use Network Tokenization and device-bound cryptography. When you add a card, a Device Account Number (token) is stored safely in the device’s Secure Element. During payment, it generates a unique cryptogram for that specific transaction.
Does Apple Pay send my actual credit card number to the merchant?
No. The merchant receives the tokenized Device Account Number and a one-time dynamic security code (cryptogram), ensuring your real PAN is never exposed to the point-of-sale system.
Why do digital wallets decline less frequently?
Because digital wallet transactions require biometric authentication (FaceID/TouchID) and use dynamic cryptograms, issuing banks recognize them as highly secure, resulting in near-zero fraud and significantly higher approval rates.