by Shooti 4131 days ago
They already do according to the Google Wallet FAQ:

"Google Wallet stores your credit and debit cards on secure servers and encrypts your payment information with industry-standard SSL (secure socket layer) technology. Your full credit and debit card information is never shown in the app and won't be shared with the merchant. In addition, access to Google Wallet is protected by password or PIN. We also recommend locking your phone with a passcode for additional security."

"Your actual credit card number is not stored. Only the Google Wallet Virtual Card is stored, and Android's native access policies prevent malicious applications from obtaining the data. Even if the data is compromised, Wallet uses dynamically rotating credentials that change with each transaction and are usable for a single payment only. Finally, all transactions are monitored in real-time with Google’s risk and fraud detection systems."

https://www.google.com/wallet/faq.html#tab=faq-security

Keep in mind "Tokenization" has existed in the NFC industry for years; the only thing which changed last year is that the EMV standards body agreed and released a standardized way to do it in March 2014. Apple Pay is a branded solution over that.

So what it really boils down to is whether or not you take Google's word for it that their independent solution is secure. If not, you owe it to yourself to not be using a Google Android phone in the first place.

1 comments

So there are two issues I was talking about:

1) rotation of tokens/virtual card numbers

2) giving the transaction data to merchants

From what you copied here it seems that Google is rotating the virtual numbers - however, there's no way of knowing if Google isn't still tracking all of those numbers through your account and linking them back together for data mining. I think there's a high probability Google is doing that. Google only says it's rotating the numbers.

And that leads us to #2, which remains completely unanswered. Google says it doesn't give the credit card information to merchants (as in your real credit card number). However it could still give the transaction data.

Google is the payment processor; of course they track and store the transactions.