What is DPAN and Card Info? These are two payment card properties introduced by Google Pay and Apple Pay almost in the same way. See details below.
Whereas Primary Account Number (PAN) is the real card number, usually depicted on the card, the Device PAN (DPAN) is assigned to the card as a pseudonym. It looks like a PAN but it is not. It is associated with a particular device (e.g. a smartphone) which emulates the card virtually stored in the Google Pay or Apple Pay wallet.
If the same card is virtually stored in another wallet, it will have DPAN different from the one associated with the first wallet.
DPAN is a unique card number alias. Only one real card is associated with a given DPAN. The opposite is not true. One real card may have several DPANs, different in each device.
The card issuer assigns DPAN at the time of adding the virtual card to the wallet (Google Pay or Apple Pay one). This is done via so called card tokenization process.
The process of adding a card to a wallet and assigning a DPAN to it is pretty complex. From the Cardholder’s standpoint it is rather simple and described in Google and Apple documentation. There are the following agents or services participating in this process at the same time:
- Google Pay or Apple Pay service
- Android or Apple (iOS or MAC) operating system
- Tokenization infrastructure
The good news is that the cardholder does not need to know anything about the above. The cardholder simply follows instructions on the device, to complete the process within a minute or so.
DPAN cannot be used to create a fraudulent transaction at e-merchant website because the real card PAN must be used there.
The real card PAN is not stored in Google Pay or Apple Pay wallets and does not participate in transactions originated via these wallets.
Google Pay wallet shows the DPAN “tail”, or masked DPAN, as virtual account number, e.g. “**** 1355” to the the smartphone holder. The masked DPAN is depicted in the card details in the wallet application.
Apple Pay does practically the same but calls the masked DPAN device account number.
About Card Info
The last 4 digits of PAN along with the card schemes IDs such as “Visa” or “Mastercard” comprises so called Card Info. Card Info is available to e-merchants participating in payment transactions originated via Google Pay or Apple Pay wallets. It is used for transaction tracking and resolving issues with cardholders.
Remarkably, Card Info is not available for brick-and-mortar merchants engaging Google Pay and Apple Pay wallets via NFC-capable Point of Sales (PoS) terminals when they read virtual cards data in these wallets. NFC PoS terminals operate with DPAN.
DPAN and PAN Tracking Examples
PAN and DPANs are provided below for the matter of examples. They are accidental, invalid, and do not pass Luhn checks.
Let’s suppose, for the matter of example, that you have Visa card with PAN 4000000000004321. In most cases, you can see the PAN depicted on your card plastic. Respectively, Card Info digits will be depicted at your card image in your Google Pay and Apple Pay wallets in a form of
Let’s suppose that the same (virtual) card in your Google Pay wallet has DPAN 4111111111115876. You can see the masked DPAN in your Google Pay wallet as
virtual account number **** 5876
Let’s suppose that the same (virtual) card in your Apple Pay wallet has DPAN 42222222222223545. You can see the masked DPAN in your Apple Pay wallet as
device account number **** 3545
Your payments receipts, printed by an NFC PoS terminal at a brick-and-mortar merchant, depicts the following:
- **** 4321, if you tapped your real card
- **** 5876, if you tapped your smartphone with Google Pay
- **** 3545, if you tapped your smartphone with Apple Pay
If you use your card directly (not Apple Pay or google Pay) for online payments at an e-merchant, your receipt from the merchant will depict card info: something like **** 4321 or Visa 4321.
If you use Google Pay or Apple Pay for online payments or for in-app payments, your receipts will display the same.
Please note that if you have more than one smartphone (or smartwatch) with Google Pay (or Apple Pay to that matter) DPANs of the same card will be different in each of them.
Unfortunately, there are some issues with DPAN and PAN creating poor user experience in some use cases and limiting usage of Google Pay and Apple Pay. The devil is, as always, is in the details.
DPAN is Hidden in E-commerce
DPAN (as a method of card tokenization) was introduced to make PAN “secret”. Hence, there is no need to hide DPAN because it cannot be used outside its wallet. From the merchant standpoint, having DPAN can be useful because it is unique and can allow to associate a given card with certain business processes within the merchant.
Both Apple Pay and Google Pay hide DPAN from “simple” e-merchants (non-PCI-DSS compliant ones). They hide DPAN within an encrypted payment token associated with a given transaction.
E-merchants, may have access to DPAN if they are PCI DSS-compliant but this is costly.
The whole idea of card tokenization was to make the merchants’ life easy, and give them a unique and safe card pseudonyms without requesting from merchants PCI-DSS compliance.
DPAN is Readable at Brick-and-Mortar Merchant
Despite Google Pay and Apple Pay effort to hide DPAN from e-merchants, they cannot hide it from brick-and mortar-merchants. Technically, this would have been possible but extremely expensive because it would require changing EMV standard and reprogramming all NFC-capable PoS terminals.
Public Transit Use Case
Some account-based public transit fare collection systems use online card payment transactions to prepay transit services and register your card as a transit pass. This allows you, later, to tap the same card at the transit validation device and get access to the transit service you already purchased online. Of course, your card PAN participates in such registration.
It such cases, you better not tap your smartphone with Google Pay or Apple Pay at the validation device because the DPAN is not equal to PAN. Transit gates will not open.
The similar is applicable to transits that cap or discount your fares post-factum, aggregating your rides during a certain period of time. Do not tap different devices and cards if you want to get your discount because the PAN and all your DPANs are different. See, for example, Transport for London instructions to that matter.
Loyalty Use Case, Across Web and NFC Transactions
Suppose, you used your real card PAN to buy something online at FloorMart website and you got some loyalty points associated with your card PAN.
Later, you decide to visit a brick-and-mortar FloorMart store in person, and use your loyalty to get a discount.
Make sure that you tap your real card, not your smartphone, at their PoS terminal. Otherwise, you will not get your discount because DPAN is not equal to PAN.