Intro

Somebody asked me at BugCON how a token in the Samsung Pay (Android) wallet differs from one in Apple Pay (iOS), and vice versa. To answer that tricky question, I wrote this post.

Tokenization is a difficult process to explain or to understand. According to Visa, "[it is] a new security technology from Visa, replaces sensitive account information, such as the 16-digit account number, with a unique digital identifier called a token. The token allows payments to be processed without exposing actual account details that could potentially be compromised." In that sense it resembles the payment network itself: we know it is there, but we have no clear idea how it is protected, maintained or updated.

In this post I will use two applications, Samsung Pay and Apple Pay, to talk about the tokenization process and how it works.

Background

Apple Pay implements the NFC (Near Field Communication) protocol; Samsung Pay implements both MST (Magnetic Secure Transmission) and NFC. The point of this post is not the protocols themselves, nor the issues in those wallets, but how the "same" tokenization framework is applied in both systems. I will narrow the discussion to Visa cards and use a Chase prepaid card for the examples. Devices: Samsung Galaxy S6 edge and iPhone 6.

Details

I first added the card to Apple Pay. I already had the same card in Samsung Pay, so I decided to delete it from Samsung Pay and add it again, in order to compare fresh tokens from both wallets.

[Screenshot, 2016-12-08]

Before I deleted the prepaid card from Samsung Pay, I captured a token:

%4059557240075706^22111018034000103711?

This is the token from Apple Pay:

4059557240085507D23052010000097699995F (NFC)

The new token of Samsung Pay:

%4059557240085515^23051018236000001359? (MST)

If we compare the new tokens, we can see some facts:

  • The virtual card numbers are incremental in both wallets.
  • No matter which system or device you use, they implement the same framework, with some wallet-specific parameters.
  • The next virtual card number could be guessable by an attacker who knew a previous one, on any device.
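The three captures above can be read field by field to support the comparison. The following parser is an added example written for this post, not code from the author or from either wallet. It assumes the captures follow the Track-2-equivalent layout (PAN, field separator, YYMM expiry, 3-digit service code, discretionary data) wrapped in optional start/end sentinels, with `^` or `D` acting as the separator in these samples; that layout is an interpretation of the captures, not something the post states. It validates each tokenised PAN with the Luhn check and reports how many leading digits two tokens share, which is the "incremental" observation made above.

```python
import re
from dataclasses import dataclass

# The three captures quoted in the post, copied verbatim.
SAMSUNG_PAY_OLD_MST = "%4059557240075706^22111018034000103711?"
APPLE_PAY_NFC = "4059557240085507D23052010000097699995F"
SAMSUNG_PAY_NEW_MST = "%4059557240085515^23051018236000001359?"


@dataclass(frozen=True)
class PaymentToken:
    """Track-2-equivalent fields carried by a wallet token (assumed layout)."""
    pan: str            # the tokenised account number (the "virtual card")
    expiry_yymm: str    # token expiry, YYMM
    service_code: str   # 3-digit service code (ISO 7813)
    discretionary: str  # issuer / token-service discretionary data

    @property
    def expiry(self) -> tuple[int, int]:
        """(year, month) of the token expiry; YY is assumed to mean 20YY."""
        return 2000 + int(self.expiry_yymm[:2]), int(self.expiry_yymm[2:])


# Assumption: PAN, one separator ('^' in the MST captures, 'D' in the NFC
# capture, '=' in classic Track 2), YYMM expiry, service code, discretionary.
_TOKEN_RE = re.compile(r"(\d{13,19})[\^=D](\d{4})(\d{3})(\d*)")


def parse_token(raw: str) -> PaymentToken:
    """Strip sentinels and padding, then split the token into its fields."""
    body = raw.strip()
    if body and body[0] in "%;":      # Track-1 / Track-2 start sentinel
        body = body[1:]
    body = body.rstrip("?")           # end sentinel
    body = body.rstrip("F")           # hex nibble padding on the NFC capture
    match = _TOKEN_RE.fullmatch(body)
    if match is None:
        raise ValueError(f"unrecognised token layout: {raw!r}")
    return PaymentToken(*match.groups())


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod-10) check-digit validation of a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:                # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def shared_prefix_len(pan_a: str, pan_b: str) -> int:
    """Number of leading digits two tokenised PANs have in common."""
    n = 0
    for x, y in zip(pan_a, pan_b):
        if x != y:
            break
        n += 1
    return n


def describe(raw: str) -> dict:
    """Field summary for one capture, including whether the PAN passes Luhn."""
    tok = parse_token(raw)
    return {
        "pan": tok.pan,
        "expiry": tok.expiry,
        "service_code": tok.service_code,
        "discretionary": tok.discretionary,
        "luhn_ok": luhn_valid(tok.pan),
    }


if __name__ == "__main__":
    samples = {
        "Samsung Pay (old, MST)": SAMSUNG_PAY_OLD_MST,
        "Apple Pay (NFC)": APPLE_PAY_NFC,
        "Samsung Pay (new, MST)": SAMSUNG_PAY_NEW_MST,
    }
    for name, raw in samples.items():
        print(f"{name:24s} {describe(raw)}")
    apple = parse_token(APPLE_PAY_NFC).pan
    new = parse_token(SAMSUNG_PAY_NEW_MST).pan
    print("digits shared by the two fresh tokens:", shared_prefix_len(apple, new))
```

Running it shows the two fresh tokens sharing the same expiry (May 2023) and the same first 14 digits, while the service codes differ (101 on the MST captures, 201 on the NFC capture, the latter signalling that an integrated-circuit card is preferred); the old Samsung token shares only 11 leading digits with the new one.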

I hope this post clarifies how the framework generates new virtual credit cards (tokens), with both wallets sharing the core of the process.