facebook noscript

Apple Pay is rolling out Merchant Tokens (MPANs)

March 21, 2024

What are these, and what does this mean for the payments ecosystem?

Ever wondered how your Apple Pay transactions happen smoothly without your card number ever leaving your phone?

It's all thanks to tokenization. Think of it as a secret code that replaces your card number to keep sensitive payment information (PCI data) safe.

The Situation Today: Device PANs (DPANs)

Behind the scenes, adding your card to Apple has some hidden magic. Instead of your actual card number (FPAN), a unique network token called a DPAN is created and stored on your phone. This token acts as your stand-in for purchases and keeps the raw card number safe. Even if someone steals your phone, the DPAN is useless on another device.


Losing your phone means getting a new DPAN, and using the same card on multiple devices creates different tokens for each, multiplying your token management needs.

In the past, Apple Pay relied on DPANs to ensure secure transactions. Although effective for security purposes, DPANs presented challenges when it came to using the same card across multiple devices or replacing a phone, especially in subscription scenarios. The complexity often led to confusion for merchants and created headaches for users.

Presently, Apple lacks a mechanism for merchants to update credentials. So when a card changes due to loss, theft, or routine updates, your Apple Wallet reflects the update, but any card-on-file arrangements with merchants, such as a recurring subscription to Wall Street Journal (WSJ), may encounter transaction failures. This occurs because the actual card number (FPAN) associated with the device PAN (DPAN) has changed, but the merchant (WSJ) isn't aware of it. So, when WSJ submits the payment authorization with outdated credentials, it potentially leads to transaction failure.

The Fix: Merchant PANs (MPANs)

To fix this, Apple is introducing MPANs (Merchant PANs) - see an excellent summary from Marcel Van Oost at this link here.

With MPANs, you will have a unique DPAN assigned to each merchant to make secure transactions with ease. DPANs and MPANs have domain restrictions, but MPANs have more granularity as they are specific to a merchant, whereas DPAN is unique to a device. This means your Apple DPAN will work across multiple merchants, whereas an Apple MPAN will only work for a specific merchant.

If this sounds familiar, it is. Similar tokenization already exists in the e-commerce world, where merchants register with networks through their Token Service Providers, such as VGS or their Acquirers/PSPs. The MPAN setup is similar to Apple becoming a "Token Service Provider" (TSP) - similar to VGS or an Acquirer/PSP - by registering merchants and issuing MPANs (Merchant PANs) instead of DPANs.

Apple's implementation of MPAN marks a positive step towards broader adoption of network tokens. This move raises awareness among merchants and issuers and holds the potential to address existing concerns and propel the tokenization movement forward.

Online (e-commerce)

PAN - ****4657

PAN - ****4657


Digital wallets:

  • Apple Pay network token (DPAN) - ****9865

Digital wallets:

  • Apple Pay network token (DPAN) - ****9865

TSP (VGS) / Acquirer:

  • Merchant network token - ****5674

Digital wallets:

  • Apple Pay network token (DPAN) - ****9865

Digital wallets:

  • Apple Pay network token (MPAN) - ****6432

TSP (VGS) / Acquirer:

  • Merchant network token - ****5674

Ecosystem Impact

  • Merchants:
    • Effortless Adoption: Many merchants might not even realize they already possess Apple MPANs, making the transition to network tokens seamless.
    • New Benefits: By maintaining MPANs, merchants can unlock the benefits of tokenization, like:
      • Enhanced Security: Network tokens offer robust protection against fraud compared to traditional card numbers.
      • Reduced Risk of Stale Cards: Tokens remain valid even when physical cards expire, minimizing disruptions.
      • Simplifying Operations: Merchants will see one unique identifier for their card, reducing confusion and improving customer service.
  • Issuers:
    • Improved Visibility: MPAN provides valuable insights into merchants they collaborate with, enabling stronger business relationships.
    • Increased Authentication: The MPAN framework fosters an environment with more authenticated credentials, boosting security and trust.
  • Payment Acceptance Ecosystem:
    • Enhanced Security: As tokens become more widely adopted, the overall security of the payment landscape strengthens.
    • Long-Term Growth: Increased token awareness paves the way for broader adoption and future iterations of even more secure tokens, as the Digital Authentication Framework (DAF) envisioned.
  • Users:
    • Working across devices: Use the same card seamlessly on all your Apple devices with one MPAN.
    • Surviving phone replacements: No need for new tokens when you upgrade your phone, making things smoother.

"Securing Payments: Card Numbers (PAN) to Digital Wallets (DPAN) and onto Merchant Tokens (MPAN)"

Note: All the tokens are different types of network tokens.

The VGS Vault secures all token types across PII and PCI, and offers VGS Network Tokens to unlock enhanced security, mitigate fraud, and achieve cost savings. Tokens continue to get more popular across a variety of payment use cases, and we talk every day to multiple organizations in the payment acceptance ecosystem who are figuring this out. Let us know if we can be a sounding board for you.

Contact Us

Senior Director of Product Marketing Khyati Srivastava

Sr Director, Marketing

arvind-headshot-blog Arvind Santhanaraman

Head of Payment Products


You Might also be interested in...


VGS Successfully Completes SOC 2 Type II Report

Stu Cianos
Jennifer Marshall
April 15, 2024


Java Evolution: Unlocking Performance and Efficiency from Java 8 to 17

Oleksandr Ahitoliev March 18, 2024


PCI DSS v.4.0 is here. Are you ready?

Khyati Srivastava
Stu Cianos
March 14, 2024