Wallet Payment Flow sequence diagram

A digital wallet payment (Apple Pay, Google Pay, Samsung Pay) replaces the traditional card entry experience with a biometric-authenticated, tokenized transaction that is more secure and faster for the cardholder. The underlying card charge still traverses the same payment network, but the card number is never exposed to the merchant.

When a customer taps their phone or clicks "Pay with Apple Pay," the device presents the Wallet SDK with the transaction amount. The wallet app requests user authentication: Face ID, Touch ID, or PIN. If authentication succeeds, the wallet generates a payment token — a cryptogram specific to this transaction that includes a device account number (a network token replacing the real card PAN), transaction counter, and a cryptographic signature. This token cannot be replayed.

The payment token is returned to the merchant's web or app client, which forwards it to the merchant's payment gateway or backend. The gateway decrypts and validates the cryptogram using the card network's key (for Apple Pay, this is PKI-based; for Google Pay, it uses a symmetric encryption scheme). The decrypted payload contains the real card credentials needed to proceed with standard authorization.

From this point, the flow merges with the standard card authorization path: the gateway submits an authorization request to the acquirer and card network, and the issuing bank processes it. The issuer is aware the transaction used a device token (wallet payment) and applies lower fraud risk to it — improving approval rates compared to manually entered card numbers.

The merchant never sees the underlying card PAN. Even if the merchant's systems are breached, the stolen tokens are single-use and tied to specific transaction amounts, making them worthless to attackers. For the broader tokenization architecture see Payment Tokenization.
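
The replay and amount-binding properties described above can be seen in a simplified model. This is an added example, not code from this page or from any wallet SDK: HMAC-SHA256 stands in for the card network's cryptogram algorithm, transport encryption of the token is omitted, and all class names, field names, keys and the device account number are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PaymentToken:
    dan: str            # device account number: network token sent in place of the PAN
    counter: int        # per-device transaction counter
    amount_minor: int   # amount in minor units, e.g. cents
    currency: str
    cryptogram: bytes

def make_cryptogram(key, dan, counter, amount_minor, currency):
    # HMAC-SHA256 is a stand-in for the network's cryptogram algorithm (assumption).
    msg = f"{dan}|{counter}|{amount_minor}|{currency}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Wallet:  # device side
    def __init__(self, key, dan):
        self._key, self._dan, self._counter = key, dan, 0
    def pay(self, amount_minor, currency):
        self._counter += 1  # never reused, so every cryptogram is unique
        mac = make_cryptogram(self._key, self._dan, self._counter, amount_minor, currency)
        return PaymentToken(self._dan, self._counter, amount_minor, currency, mac)

class Validator:  # validating side (gateway / issuer in the flow above)
    def __init__(self, keys):
        self._keys, self._last = keys, {}  # per-token key, highest counter accepted
    def authorize(self, tok, order_amount, order_currency):
        key = self._keys.get(tok.dan)
        if key is None:
            return "unknown_token"
        expected = make_cryptogram(key, tok.dan, tok.counter, tok.amount_minor, tok.currency)
        if not hmac.compare_digest(expected, tok.cryptogram):
            return "bad_cryptogram"   # a signed field was altered
        if (tok.amount_minor, tok.currency) != (order_amount, order_currency):
            return "amount_mismatch"  # valid token presented for a different order
        if tok.counter <= self._last.get(tok.dan, 0):
            return "replay"           # counter already consumed
        self._last[tok.dan] = tok.counter
        return "approved"

def demo():
    key, dan = bytes(range(32)), "DAN-EXAMPLE-0001"  # constructed sample values
    wallet, validator = Wallet(key, dan), Validator({dan: key})
    tok = wallet.pay(2599, "USD")
    return [validator.authorize(tok, 2599, "USD"),                           # first use
            validator.authorize(tok, 2599, "USD"),                           # same token again
            validator.authorize(replace(tok, amount_minor=99999), 99999, "USD"),  # amount edited
            validator.authorize(wallet.pay(500, "USD"), 500, "USD")]         # fresh counter
```

Calling `demo()` shows the first presentation approved, the replayed token rejected on its counter, the amount-edited token rejected on its cryptogram, and the next genuine payment approved.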


Frequently asked questions

A digital wallet payment (Apple Pay, Google Pay, Samsung Pay) replaces manual card entry with a biometric-authenticated transaction using a device-specific network token. The real card PAN is never sent to the merchant; instead, a single-use cryptogram is generated per transaction.
The device wallet SDK generates a payment token containing a device account number (network token), a transaction counter, and a cryptographic signature tied to the specific amount. The gateway decrypts the cryptogram using the card network's public key to recover the credentials needed for standard authorization.
Enable wallet payments whenever checkout conversion is a priority. They eliminate manual card entry for mobile users, carry lower fraud risk (improving issuer approval rates), and often take fewer steps to complete than traditional card forms.
```mermaid
sequenceDiagram
    participant Customer
    participant WalletApp as Digital Wallet (Apple/Google Pay)
    participant Merchant as Merchant App/Website
    participant Gateway as Payment Gateway
    participant Network as Card Network
    participant Issuer as Issuing Bank
    Customer->>Merchant: Tap "Pay with Wallet"
    Merchant->>WalletApp: Request payment token (amount, merchant ID)
    WalletApp->>Customer: Prompt biometric authentication
    Customer->>WalletApp: Face ID / Touch ID / PIN
    WalletApp->>WalletApp: Generate one-time cryptogram with device token
    WalletApp-->>Merchant: Payment token (encrypted cryptogram)
    Merchant->>Gateway: Forward payment token
    Gateway->>Gateway: Decrypt and validate cryptogram
    Gateway->>Network: Authorization request with device account number
    Network->>Issuer: Route authorization (marked as wallet payment)
    Issuer->>Issuer: Validate token, apply lower fraud risk score
    Issuer-->>Network: Approval + authorization code
    Network-->>Gateway: Authorization response
    Gateway-->>Merchant: Payment approved
    Merchant-->>Customer: Order confirmation
```