THE GUIDE

The online store never sees your card number.

Sixteen digits that unlock your money, typed into a stranger's website — and yet it mostly works. The trick: modern payments are built so the merchant never touches the secret at all. Here's the machinery.

SCROLL ↓
PART 01

An online payment, frame by frame.

You're buying $100 of sneakers. Watch where the real card number (the PAN) goes — and more importantly, where it doesn't.

PART 02

Anatomy of a token.

Tokenization is a coat-check: hand over the valuable thing, get back a claim ticket that's worthless to anyone else.

// what you type
PAN     4242 4242 4242 4242  ← the secret. radioactive.
// what the gateway's vault returns
TOKEN   tok_8f3a2c  ← useless outside this merchant
// what the merchant's database stores
STORED  tok_8f3a2c + last4 4242  ← breach this, steal nothing
WHY MERCHANTS WANT THIS

PCI scope is the real product

Any system that touches a raw PAN falls under PCI-DSS — an audit regime so heavy it can cost more than the engineering team. Tokenize at the edge and your servers never enter scope. Half of what gateways sell isn't payments; it's audit avoidance.

NETWORK TOKENS

The card that updates itself

Visa and Mastercard now issue their own tokens (your card in Apple Pay is one). When your physical card expires or gets stolen, the network re-maps the token to the new card — subscriptions keep working. Card-on-file breakage quietly disappears.

3-D SECURE 2

The bank challenges you, not the store

That OTP or Face ID prompt is 3DS: the issuer verifying its own customer directly, mid-checkout. The 2.0 version scores ~100 data points and challenges only risky ones — most payments pass silently ("frictionless flow"). India runs mandatory challenges; the US mostly trusts the model.

THE LIABILITY BARGAIN

Why merchants tolerate the friction

Pass a 3DS challenge and fraud liability shifts from merchant to issuer. That's the deal: add a step, lose some conversions, but stolen-card chargebacks become the bank's problem. Every fraud tool in payments is really a liability negotiation.

PART 03

Card-present vs card-not-present.

Same card, totally different risk worlds — and the fees prove it:

FIELD NOTES — THE PRO LAYER

For the professionals.

The mechanics under the liability bargain: 3DS2's real flow, Europe's SCA rulebook with numbers, AVS/CVV, and PCI in practice.

3DS2 — WHAT HAPPENS IN THOSE TWO SECONDS
3-D Secure 2 sends the issuer 100+ data elements (device fingerprint, addresses, order details, merchant risk inputs) in an authentication request before authorization. The issuer's risk engine picks a lane: frictionless (the large majority of EU traffic — authenticated invisibly, cardholder sees nothing) or challenge (OTP, banking-app push, biometric). The merchant's prize: authenticated transactions carry the liability shift — fraud chargebacks move to the issuer. The costs: challenges add measurable checkout abandonment, and 3DS itself has a small approval-rate tax. So sophisticated merchants run a 3DS strategy, not blanket 3DS: authenticate risky traffic, claim exemptions elsewhere, and tune by issuer behavior. India's analogue is RBI-mandated two-factor authentication — same idea, regulator-imposed, no exemption game.
PSD2 SCA — EUROPE'S RULEBOOK, WITH NUMBERS
In the EEA/UK, Strong Customer Authentication is law for customer-initiated electronic payments: two of knowledge / possession / inherence. The craft is in the exemptions (requested by the acquirer, granted or refused by the issuer):
LOW VALUE — ≤€30, until 5 consecutive tx or €100 cumulative
CONTACTLESS — ≤€50 in-store, similar cumulative logic
TRA — up to €100 / €250 / €500 by the PSP's audited fraud rate (EBA tiers)
PLUS — trusted beneficiaries (whitelisting), corporate cards, recurring after setup
Merchant-initiated transactions (subscriptions, usage billing) sit outside SCA after an SCA-authenticated setup — the most load-bearing acronym in European subscription commerce. Exemption strategy is a revenue lever: every skipped challenge is recovered conversion, priced against the fraud-rate thresholds you must stay under to keep using TRA.
AVS & CVV — THE VETERAN CHECKS
Two 1990s-era checks still doing quiet work. AVS matches the numeric parts of the billing address and postal code against the issuer's file — full match / partial / no-match results feed decline rules, and missing AVS can downgrade interchange. It's US/UK/Canada-centric; much of the world doesn't support it. CVV2 (the 3–4 printed digits) proves possession-ish at order time; merchants are forbidden from storing it after authorization under PCI — which is exactly why database thieves pivoted to enumeration attacks that guess CVVs at scale (see the card-testing anatomy in fraud). Neither check shifts liability; both feed the issuer's risk score and your own decline strategy.
PCI DSS IN PRACTICE — SCOPE IS THE WHOLE GAME
PCI DSS is the card industry's contractual security standard — 12 requirement families covering network security, encryption, access control, logging, testing and policy. What practitioners actually manage is scope: which systems touch account data. The self-assessment tiers tell the story:
SAQ A — fully outsourced (hosted fields / redirect): ~30 questions
SAQ D — you store or process PANs yourself: 200+ controls, scans, audits
That gap is why tokenization and hosted checkout won: they move the card data — and with it most of PCI — onto the PSP. The largest merchants (Level 1, over ~6M transactions/yr) need annual on-site assessments by a qualified assessor. The current major version is v4.x; specific control deadlines phase in over years — re-verify before quoting them.
THE ENCRYPTION STACK — PROTECTING THE NUMBER IN FLIGHT
Tokenization replaces stored PANs; encryption protects moving ones. At the terminal: P2PE — the PAN is encrypted inside the tamper-resistant device and decrypted only inside the processor's HSM (hardware security module — a safe that does math; try to extract the key and it zeroizes). In transit: TLS everywhere. Where PANs must exist in storage: field-level or format-preserving encryption (the ciphertext still looks like a 16-digit number, so legacy systems don't break). Architect's rule of thumb: encryption for transit, tokenization for rest, HSMs for keys — and every system that can decrypt is in PCI scope, which is why the best architecture is the one where almost nothing can.
PART 04

Remember three things.

1
The PAN is radioactive — so the system quarantines it. Tokenize at the browser, vault at the gateway, store only claim tickets. Modern payment security is mostly about making sure nobody has to hold the secret.
2
Security features are priced, not just engineered. Card-present is cheaper than online because the fraud risk is lower; 3DS exists because of a liability shift. Follow the liability and you'll understand every security mandate.
3
Friction is a dial, not a switch. 3DS2's frictionless flow, network tokens, one-click wallets — twenty years of work to make security invisible for the 95% and hard for the 5%. Conversion rate is the metric everything bends to.