What Is a Device Account Number & How Does It Work?
Understand the secure technology behind modern digital payments. Learn how your card information is protected in online and mobile transactions.
Digital payments have become an integral part of daily life, offering speed and convenience for various transactions. Protecting sensitive financial information in this evolving digital landscape is paramount for consumers and financial institutions alike.
Understanding Device Account Numbers
A Device Account Number (DAN) serves as a unique, encrypted, and device-specific substitute for a consumer’s actual credit or debit card number, also known as the Primary Account Number (PAN). It acts as an alias, ensuring the original card details are not directly exposed.
The DAN is generated specifically for use within digital payment platforms such as mobile wallets like Apple Pay, Google Pay, and Samsung Pay, as well as various online payment services. Unlike a physical card number, a DAN is uniquely tied to a specific device and the payment method registered on that device. This means that if you add the same card to multiple devices, each device will receive a different Device Account Number.
The primary purpose of a DAN is to enhance security by preventing the transmission of your actual card number during a transaction. This abstraction layer ensures that even if a merchant’s system is compromised, your original card number remains protected.
The Tokenization Process
Device Account Numbers are created and utilized through a sophisticated process known as tokenization. This security protocol converts sensitive payment data, specifically the actual Primary Account Number (PAN), into a non-sensitive, unique token, which is the DAN.
When a user adds their payment card to a digital wallet on a device, this initiates the enrollment phase. During enrollment, the digital wallet securely sends the PAN to the card’s issuing bank or the relevant payment network, such as Visa or Mastercard. Subsequently, the payment network, acting as a Token Service Provider (TSP), or the issuing bank generates a unique DAN specifically for that card and device combination. This newly generated DAN is then securely transmitted back to the device’s digital wallet and stored within a dedicated hardware component known as the Secure Element.
During a transaction, when a purchase is made using the digital wallet, the merchant receives and transmits only the DAN, not the sensitive PAN. The payment network receives this DAN and then securely “de-tokenizes” it, converting it back to the original PAN. The actual PAN is then sent to the issuing bank for transaction authorization. Finally, the issuing bank approves or declines the transaction, and the authorization status is relayed back through the network to the merchant and subsequently to the user’s device.
Security and Privacy Advantages
Device Account Numbers offer significant benefits in terms of payment security and user privacy. A primary advantage is the substantial reduction in data breach risk. If a merchant’s system is ever compromised, only the non-sensitive DANs are exposed, not actual Primary Account Numbers.
Each Device Account Number is unique to a specific device and card, meaning that even if a DAN were somehow stolen, it would be far less useful to fraudsters than a traditional card number. Furthermore, transactions often incorporate dynamic cryptograms or security codes that change with each purchase, adding another robust layer of security. This ensures that even if a single transaction’s data is intercepted, it cannot be reused for subsequent fraudulent activities.
The storage of DANs in a Secure Element, an industry-standard, certified chip embedded in the device, further enhances security by isolating payment information from the device’s main operating system. These DANs are typically not stored on cloud servers or backed up, providing additional protection. Should a device be lost or stolen, the associated DAN can be quickly de-provisioned from the digital wallet without requiring the user to cancel their physical card. From a privacy standpoint, merchants never see or store the actual card number, which significantly enhances consumer privacy and reduces the potential for internal fraud at the merchant’s location.