A while ago I had to freeze my card and request a new one because both the chip and pin and contactless features stopped working, for whatever reason. My new card arrived shortly after and I’ve been updating websites and services with my new card details as and when I come across one that has my old details.

Come to today, I was about to purchase a movie on YouTube when I noticed my old card was still present there. So I started the usual process of adding my new card and removing the old when I had a sudden realisation:

“If my new card isn’t in my Google Pay account, how have I been using Google Pay / Contactless every day to process transactions?”

I had a look at Google Pay on my mobile and to no surprise, it was still set up to use my old card. It’s been working fine, no issues whatsoever, processing daily transactions as normal for over a month on my old frozen and replaced card. The transactions have been coming through to Monzo perfectly fine and as I’ve never had a payment decline I’ve not thought to change the card on my Google Pay account to the new one.

So that begs me to ask the question, how is Google Pay processing legitimate transactions on my old frozen and replaced card and what stops someone from obtaining my card and using it through Google Pay even if I freeze / replace it?

I am a little concerned.

You haven’t got this turned on in Monzo labs by any chance?

It’s not necessarily related to Automatic Billing Updater, although Google Pay may choose to process the ABU messages.

We can switch out the card that the MDES token is associated with 🙂


Hey Hugh, what does this mean exactly, sorry?

Is this a legitimate thing then? And if so, how would this work with fraudulent transactions?

Yep, I do have this enabled!

Yup - so we would have told Mastercard you had changed your card, and Google Pay seems to read these messages and correctly swap the card you are being billed to.

For fraud replacements, we don’t send the ABU message with your new card details.

We can also just switch the card the MDES (Google/Apple Pay) token is associated with although we haven’t built that yet.


Ah, okay, that makes sense.

So, how does Monzo know when we’re requesting a new card as a replacement and when we’re requesting a new card due to fraud on the account? The process seems to be the same (as far as I know).

You get 3 options when replacing it in the app - lost & stolen, damaged or asked to by CS. I’m not exactly sure what these map to on our end but lost and stolen wouldn’t go through ABU I don’t think.

We have more granular options when we replace cards, one of which is explicitly fraud.

This feature also isn’t totally complete yet, hence why it is still in labs 🙂


Amazing, thanks for the explanation. Answers the question perfectly and puts my mind at ease 🙂
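
The behaviour described in the replies above, as an added illustration that is not part of the thread and is not Monzo, Mastercard or Google Pay code: a simplified model in which the issuer freezes the old card and publishes an old-to-new card update only for non-fraud replacements, and the wallet rebinds its token when it sees that update. All class names, reason strings and card identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Simplified model; names, reason strings and PANs are constructed for
# illustration and are not Monzo, Mastercard (ABU/MDES) or Google Pay APIs.
NO_UPDATE_REASONS = {"fraud"}  # per the thread: no ABU message for fraud replacements


@dataclass
class Issuer:
    frozen: set = field(default_factory=set)
    updates: dict = field(default_factory=dict)  # old PAN -> new PAN

    def replace_card(self, old_pan, new_pan, reason):
        """Freeze the old card; publish an update unless the reason is fraud."""
        self.frozen.add(old_pan)
        if reason not in NO_UPDATE_REASONS:
            self.updates[old_pan] = new_pan

    def authorise(self, pan):
        return "declined" if pan in self.frozen else "approved"


@dataclass
class Wallet:
    tokens: dict = field(default_factory=dict)  # device token -> funding PAN

    def sync(self, issuer):
        """Rebind any token whose funding PAN has a published replacement."""
        for token, pan in self.tokens.items():
            self.tokens[token] = issuer.updates.get(pan, pan)

    def pay(self, token, issuer):
        return issuer.authorise(self.tokens[token])


def simulate(reason):
    """Return (wallet payment result, result of presenting the old card)."""
    issuer = Issuer()
    wallet = Wallet({"tok-1": "OLD-PAN"})
    issuer.replace_card("OLD-PAN", "NEW-PAN", reason)
    wallet.sync(issuer)
    return wallet.pay("tok-1", issuer), issuer.authorise("OLD-PAN")


if __name__ == "__main__":
    for reason in ("damaged", "fraud"):
        print(reason, simulate(reason))
```

In this model the old card itself is declined in both cases; only the wallet token keeps working, and only when the replacement was not flagged as fraud.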