Sixteen digits that unlock your money, typed into a stranger's website — and yet it mostly works. The trick: modern payments are built so the merchant never touches the secret at all. Here's the machinery.
You're buying $100 of sneakers. Watch where the real card number (the PAN) goes — and more importantly, where it doesn't.
Tokenization is a coat-check: hand over the valuable thing, get back a claim ticket that's worthless to anyone else.
Any system that touches a raw PAN falls under PCI-DSS — an audit regime so heavy it can cost more than the engineering team. Tokenize at the edge and your servers never enter scope. Half of what gateways sell isn't payments; it's audit avoidance.
Visa and Mastercard now issue their own tokens (your card in Apple Pay is one). When your physical card expires or gets stolen, the network re-maps the token to the new card — subscriptions keep working. Card-on-file breakage quietly disappears.
That OTP or Face ID prompt is 3DS: the issuer verifying its own customer directly, mid-checkout. The 2.0 version scores ~100 data points and challenges only risky ones — most payments pass silently ("frictionless flow"). India runs mandatory challenges; the US mostly trusts the model.
Pass a 3DS challenge and fraud liability shifts from merchant to issuer. That's the deal: add a step, lose some conversions, but stolen-card chargebacks become the bank's problem. Every fraud tool in payments is really a liability negotiation.
Same card, totally different risk worlds — and the fees prove it:
The mechanics under the liability bargain: 3DS2's real flow, Europe's SCA rulebook with numbers, AVS/CVV, and PCI in practice.