THE GUIDE

Your phone taps the terminal. Your card number stays home.

Digital wallets carried 56% of global e-commerce value in 2025 — yet most people, including plenty in fintech, can't say what a wallet actually does. Short answer: it's a token vault with a fingerprint reader.

SCROLL ↓
PART 01

The tap, frame by frame.

Two journeys: first the one-time setup when you add a card, then what happens at every tap. Watch which parties never see the real card number.

PART 02

FPAN vs DPAN — the two-number trick.

// the card in your drawer
FPAN   4242 4242 4242 4242  ← the funding account. never leaves the vault.
// the card in your iPhone (Secure Element chip)
DPAN   4818 22•• •••• 9034  ← device-specific network token
// the card in your Apple Watch — different token, same card
DPAN   4818 22•• •••• 5512  ← lose the watch, kill this one only
// what travels at each tap
NFC    DPAN + one-time cryptogram  ← replay it tomorrow: worthless
WHY MERCHANTS LOVE IT

A breach steals nothing

The terminal and merchant only ever see the DPAN and a single-use cryptogram. Steal the database and you hold tokens that only work from the original device. Wallet transactions also tend to get favorable fraud treatment — the biometric counts as strong verification.

WHY ISSUERS PAY FOR IT

The ~0.15% toll

Apple reportedly charges US issuers ~0.15% of credit transactions (publicly confirmed in Switzerland at 0.12%, with similar deals elsewhere) for the privilege of being in the wallet. Banks pay it because top-of-phone is the new top-of-wallet — and because Apple controlled iPhone NFC access. EU regulators forced that open in 2024.

THE SELF-HEALING CARD

Tokens survive plastic

Card expired? Reissued after fraud? The network's token vault re-maps your DPAN to the new card automatically — your transit card, subscriptions, and saved checkouts keep working. Network tokens quietly fixed card-on-file breakage, one of e-commerce's oldest leaks.

SECURE ELEMENT VS HCE

Two ways to hide a token

Apple stores tokens in a dedicated tamper-resistant chip (Secure Element). Google Pay historically used Host Card Emulation — tokens in the cloud with limited-use keys on the phone. Different engineering, same principle: the real PAN is never on the device at all.

PART 03

Not all "wallets" are wallets.

Three species share the name — their economics have nothing in common:

SPECIES 1 · PASS-THROUGH

Apple Pay · Google Pay · Samsung Pay

A secure skin over your existing card — the card rails do everything; the wallet just tokenizes and authenticates. Earns a sliver from issuers. The money never touches Apple.

SPECIES 2 · STAGED

PayPal · Venmo · Cash App

A two-stage system: it pulls funds from your card or bank into its own account, then pays the merchant from there. The wallet sits in the middle of the money, sees both sides, and monetizes the float, FX, and merchant fees.

SPECIES 3 · STORED-VALUE SUPER-APPS

Alipay · WeChat Pay · Paytm · GrabPay

Money lives inside the wallet itself as a balance, moving on internal ledgers — cards and banks only matter for top-ups. At Alipay/WeChat scale this becomes a parallel payment system, which is why China's central bank stepped in to regulate them like infrastructure.

THE SCOREBOARD

56% of e-commerce, 33% of POS

Worldpay's 2026 Global Payments Report: wallets carried 56% of global e-commerce value and 33% in-store in 2025 — versus 39% / 17% in the US. The wallet layer increasingly owns the customer moment on every continent, whatever rails run underneath.

FIELD NOTES — THE PRO LAYER

For the professionals.

The specification under the tap: EMVCo tokens, 3DS interplay, the EU forcing the NFC door open, and wallet disputes.

THE EMVCo TOKEN FRAMEWORK — WHO'S WHO IN A DPAN
Wallet tokenization isn't an Apple invention. It's the EMVCo Payment Tokenisation specification, the same rulebook behind network tokens everywhere. The cast: the Token Service Provider (usually Visa VTS / Mastercard MDES) mints and vaults tokens; the Token Requestor (Apple Pay, Google Pay, a merchant, a PSP) gets a registered Token Requestor ID (TRID); every token carries domain restrictions — this token works only from this device, or only at this merchant, or only for e-commerce. Domain restriction is the quietly brilliant part: a Netflix card-on-file token stolen in a breach can't buy anything anywhere else. When you debug why a wallet transaction declined somewhere a card works, token domain controls are suspect number one.
WALLETS × 3DS — TWO CRYPTOGRAMS, ONE QUESTION
A wallet tap already carries a cryptogram proving device possession and biometric unlock — so does it also need 3DS? Mostly no: under PSD2, a wallet payment with biometric confirmation generally satisfies SCA through delegated authentication (the phone did the two factors: possession + inherence), so in-app and in-store wallet payments usually skip the 3DS challenge entirely. E-commerce wallet buttons ride the same logic — which is why Apple Pay checkout converts better than typed cards in Europe: the SCA friction is pre-paid at Face ID time. For risk teams, wallet transactions arrive with device-level authentication signals cards never had; treat 'wallet vs typed PAN' as a first-class feature in your fraud models.
THE EU KICKED THE NFC DOOR OPEN
For a decade, iPhone NFC payments meant Apple Pay — the secure element was Apple's alone, and the ~0.15%-style issuer toll was the rent. EU competition enforcement changed that: Apple's commitments (2024) require free HCE access to the NFC antenna in the EEA, letting banks and wallets tap-to-pay without Apple Pay, choosable as default. The Digital Markets Act keeps the pressure on. Watch what it tests: whether Apple Pay's position was convenience (users stay anyway) or gatekeeping (banks route around the toll). Early European bank wallets are the experiment running live. For issuers everywhere else, the EEA is the free preview of a post-toll world.
WALLET DISPUTES & LIABILITY — WHO EATS WALLET FRAUD
A wallet transaction is still a card transaction underneath — chargeback rights and reason codes apply unchanged. What shifts is where fraud can enter. The tap itself is nearly unforgeable (cryptogram + biometric), so wallet fraud concentrated upstream in provisioning: steal card details, add them to your phone, pass the issuer's ID&V, and every subsequent 'secure' tap is the fraudster's. That made issuer provisioning controls (in-app verification instead of SMS OTP) the real battlefield — details in tokenization's field notes. Liability follows the auth data: an issuer that approved provisioning on weak ID&V owns the mess it created, and network rules have tightened accordingly.
STAGED & STORED-VALUE ECONOMICS — THE OTHER BUSINESS MODELS
Pass-through wallets earn tolls; the other two species earn differently. Staged wallets (PayPal-style) fund from a card once, then move money on their own internal ledger — earning the merchant fee while paying card economics only on the funding leg, and increasingly steering users toward ACH/bank funding to fatten the spread. Stored-value super-apps (Alipay, Paytm, GrabPay) hold balances — which makes them regulated money holders (e-money/PPI licenses, safeguarding rules, sometimes reserve requirements at the central bank) and turns float into a revenue line where permitted. The regulatory gradient is the story: the closer a wallet gets to holding your money, the closer it gets to being a bank — with the compliance bill to match (see the fintech-illusion note in what money is).
PART 04

Remember three things.

1
A pass-through wallet is tokenization with a fingerprint. Same card, same rails, same interchange — just a DPAN and a one-time cryptogram instead of a swipe-able secret.
2
Follow the money to classify the wallet. Pass-through never touches it, staged routes it, stored-value holds it. Their regulation, risk, and revenue all follow from that one question.
3
The wallet war is a distribution war. Whoever owns the screen at the moment of payment taxes the flow — issuers pay Apple's toll, merchants pay PayPal's, and super-apps simply become the system.