What is Google Pay?
Google Pay is Google's digital wallet for paying with a saved card on Android phones, Wear OS watches, and the Chrome browser. It uses tokenisation — a Device Account Number replaces the real card number — so the merchant never sees your actual PAN. Payments are authorised by fingerprint, face, or device PIN, which means Google Pay also satisfies Strong Customer Authentication under PSD2.
Google Pay is Google's digital wallet, used to pay with a saved bank card on Android phones, Wear OS watches and inside Chrome on the web. It started life as Android Pay in 2015, became Google Pay in 2018, and merged with Google Wallet in 2022 — in the United States the brand is now Google Wallet, while in the UK and most other markets the wallet itself is still called Google Pay. Behind the scenes it uses tokenisation: the real card number is swapped for a Device Account Number, so what the merchant receives can't be reused by anyone else. Authentication is handled on-device by fingerprint, face, or PIN, which means Google Pay satisfies Strong Customer Authentication under PSD2.
Google Pay (sometimes still called Android Pay by older docs, and rebranded to Google Wallet in the US) does two distinct jobs that often get muddled. In a shop, it's an NFC contactless wallet — you unlock the phone, tap the terminal, and the card emulation chip sends a tokenised payment exactly the way a contactless card would. On the web and in apps, it's a one-tap checkout button that pulls a saved card out of your Google account and feeds it through the Payment Request API or the Google Pay JavaScript SDK. The customer-facing experience looks the same; the plumbing underneath is completely different.
How Google Pay actually works
When you add a card to Google Pay, Google doesn't store the card number on your phone. It hands the number to the card scheme — Visa, Mastercard, Amex — which issues back a Device Account Number, sometimes called a Device PAN. That token is what lives on your phone. Every time you tap to pay, your device sends the Device PAN plus a one-time cryptogram that's unique to that transaction. The acquiring bank routes the cryptogram back to the scheme, which de-tokenises it and tells the issuing bank to authorise the payment against your real card.
If your phone gets stolen, the Device PAN can be killed without cancelling your real card. That's why most banks treat Google Pay as a lower fraud risk than a manually-keyed card — the merchant never sees the real PAN, and the cryptogram can't be replayed.
Google Pay on the web
Web Google Pay works through a JavaScript API and the standard Payment Request API in the browser. The merchant adds the Google Pay button to their checkout, and when the customer taps it, the browser shows a sheet listing the cards saved to that customer's Google account. The customer picks one, and Google returns a tokenised payment payload to the merchant's payment processor. The processor unwraps the token and runs the transaction.
Most major UK acquirers — Stripe, Adyen, Worldpay, Braintree, Checkout.com — support Google Pay natively, so for a merchant integrating into one of those gateways, turning it on is usually a config flag rather than a build project. The harder part is the merchant requirements: a verified domain, a payment processor that has Google Pay enabled, and a checkout that calls the Google Pay API correctly.
Where Google Pay sits with PCI DSS
Because Google Pay payloads are tokenised before they reach the merchant, accepting Google Pay reduces the amount of card data that touches your systems. That doesn't make you PCI-exempt — the token is still treated as account data and the surrounding integration still needs PCI controls — but it does narrow the cardholder data environment compared to taking a manually keyed card number. For a merchant on SAQ A who already takes only tokenised payments through a hosted page, adding Google Pay generally fits inside the existing scope.
What Google Pay won't do
Google Pay is a wallet, not a payment processor. It doesn't acquire transactions, it doesn't settle funds, and it doesn't underwrite fraud. All it does is present a saved card to a merchant in a tokenised, SCA-authenticated form — every other part of the payment journey runs through the same banks and schemes as a normal card payment. There's also no issuer fee in the UK or most other markets. The customer pays the same as they would with the underlying card, and the merchant pays the same interchange and scheme fees they'd pay for a contactless or CNP card transaction respectively.
One real limitation: Google Pay only works for cards from supported issuers. Most UK high-street banks and challenger banks support it, but a handful of corporate cards and prepaid cards still don't. If you're rolling out Google Pay as a checkout option, the practical answer is to leave card-not-present card entry as a fallback for customers whose card isn't enrolled.
Paytia's secure telephone payment platform runs in the channel where Google Pay can't reach — agent-assisted phone calls and IVR — so the two sit side by side rather than competing. A customer who calls in to pay over the phone enters their card number through the keypad, and our DTMF masking keeps the digits out of the agent's headset, the call recording, and your CRM. The card data is tokenised on capture, the same way Google Pay tokenises a card on enrolment.
That means the same card-on-file token can be reused for a follow-up charge, a refund, or a recurring debit, without the agent ever seeing the real PAN. If a merchant takes web traffic too, we'd actively recommend Google Pay on the checkout — it's a one-tap experience, it satisfies SCA, and it cuts cart abandonment. Phone payments cover the channel Google Pay can't.
Frequently Asked Questions
Is Google Pay the same as Google Wallet?
In the US, yes — Google merged the two in 2022 and the wallet is now branded Google Wallet. In the UK and most other markets the payment wallet is still called Google Pay, even though the underlying app is Google Wallet on newer Android versions. The technology is identical.
Does accepting Google Pay reduce PCI DSS scope?
It narrows it, but it doesn't remove the obligation. Google Pay sends a tokenised payment to your processor, so the real card number never reaches your systems. The token is still account data under PCI DSS, so you still need the controls that come with your SAQ — but you're not handling raw PANs.
Does Google Pay satisfy Strong Customer Authentication?
Yes. The customer authenticates on the device with biometrics or a PIN before each payment, which counts as the inherence or knowledge factor under PSD2 SCA. The device itself counts as the possession factor. So a Google Pay transaction is two-factor authenticated by default.
Can a merchant see my real card number when I pay with Google Pay?
No. The merchant only ever receives a Device Account Number — a token issued by the card scheme — plus a one-time cryptogram for that transaction. The real card number stays with your bank and Google, and never touches the merchant's systems.
Why doesn't my card work with Google Pay?
Google Pay only supports cards from issuers that have signed up to the scheme. Most UK high-street banks and challenger banks are supported. Some corporate cards, virtual cards, and prepaid cards aren't — usually because the issuing bank hasn't enrolled them. Your card issuer's app or website is the quickest way to check.
See how Paytia handles google pay
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia