Token Handling by Samsung Pay

Leveraging the Samsung KNOX security framework [1]

Samsung Pay’s deep integration with the Samsung KNOX platform for device-side security is the architectural attribute that immediately differentiates it from every other mobile wallet app. Pivotal to Samsung KNOX security is its TEE, ensuring that the user’s personal identity is safe while reliably providing issuers with the information necessary to make accurate risk assessments.

All Samsung Pay tokens and keys are stored within the TEE in encrypted form using a hardware-based device key that is unique to each device. Device tampering or the introduction of malware invoke preventive safeguards that include disabling the app and even shutting down the device.


All cryptographic methods and handling performed by Samsung Pay are implemented in accordance with the specifications provided by the respective card network and the designated TSP.

During card provisioning, the TSP replaces the 16-digit PAN on the credit or debit card with a 16-digit substitute (DPAN) and relays it through the TR to the user’s device. Then, whenever the device is used to make a purchase, Samsung Pay generates a cryptogram from the applicable card network algorithm and transmits it to the merchant’s POS upon cardholder authentication, either by fingerprint scan or by entering the correct Samsung account PIN.

Remember, tokens can only be tied back to sensitive cardholder information kept in the “vault” maintained by the TSP. In the event of a breach — because the true PAN is not stored on the device and therefore is never passed to the POS — tokens are of no use to thieves and payment data is kept secure from hackers and other threats.

When Samsung Pay transactions are processed through a payment network, the TSP is called to convert tokens back into a PAN to allow the issuer to process the transaction in the normal way.

Four primary processes involve Samsung Pay: card enrollment/token provisioning, transaction processing, token replacement/replenishment, and token suspension/resumption/deletion. The participating parties are cardholder, merchant, acquirer, payment network, TSP, and issuer. Samsung Pay’s token request (TR) service has an active role in the token provision/replace/replenish and suspend/resume/delete workflows.

Samsung Pay currently supports two types of token provisioning/replenishment models or methods: cloud-based and TEE-based.

Cloud-based key management

As discussed previously, cloud-based token management employs dynamic keys called limited use keys (LUK) or limited use payment credentials (LUPC), of which a fixed number are initially generated at provisioning (for example, 5 or 20). For card brands employing a cloud-based mobile payment (CBMP) system, a provisioned key is consumed each time the corresponding card enrolled in Samsung Pay is used to make a purchase, or a provisioned key is used for a limited number of transactions. Keys are replenished by the TSP based on the number of keys already used, the number remaining, and time to live, but this can only occur when the device is online — connected to the Internet via Wi-Fi or wireless carrier. If all available use keys on the device are consumed while the device is offline —and consequently unable to communicate with the TR server and, by extension, the TSP — subsequent transactions are not recognized. However, once the device comes back online and connectivity is restored, keys are replenished and normal transaction processing resumes.

TEE-based key management

By contrast, the TEE-based key management model employs a static key and is used for multiple transactions, as many as the issuer authorizes based on the account’s available credit/funds until suspended or deleted, either by the cardholder or the issuer. Like dynamic keys, this static type of key is securely stored in the TEE of Samsung devices supporting Samsung Pay. During transaction processing, it is used to generate the cryptogram containing the token on file with the TSP.

And, because this type of key is stored in the TEE, cryptograms can be generated on demand so users can make purchases whether the device is online or offline. There is no need for key replenishment. As necessary, TEE-based keys are replaced (rather than replenished), and they can be suspended and/or deleted just like their cloud-based counterparts.

As a value proposition, this translates to lower cost and greater end-to-end flexibility for integrating a wider variety of use cases—loyalty cards, coupons, gift cards, and the like—in addition to credit and debit cards because specific transactions can be mapped to the cardholder.

1. See White Paper: Samsung KNOX Security Solution for a look at the full array of Samsung KNOX security features.