DSRP
What is DSRP?
Digital Secure Remote Payment (DSRP) is a Mastercard specification that secures remote card payments by replacing real card details with a unique digital token during the transaction. Rather than sending the actual card number, the payment carries a token that is useless to an attacker even if it's intercepted.
The method keeps the customer's payment credentials protected in storage and in transit. It's widely used in and , where a card is provisioned into a mobile wallet and used to pay without exposing the underlying account number. This lets a shopper check out inside an app or browser while the merchant receives only the token, not the real card details.
Key facts
- Type: -based security specification for card-not-present and contactless transactions
- Developed by: Mastercard, as part of the Mastercard Digital Enablement Service (MDES)
- Core mechanism: a device-specific token plus a single-use cryptogram generated for each payment
- Applies to: in-app, in-browser, and contactless wallet payments made from a mobile device
- Protects: the real card number, which is never shared with the merchant
How it works
- Provisioning. The cardholder adds a card to a . The real card number is replaced with a device-specific token that stands in for it on that device.
- Cryptogram generation. For each payment, the wallet generates a one-time cryptogram tied to that specific transaction, so the same data can't be reused.
- Transaction submission. The token and cryptogram travel through the merchant and acquirer instead of the real card number.
- Validation and authorization. The card network maps the token back to the underlying account and validates the cryptogram, then the issuer approves or declines the payment.
Why it matters
DSRP removes the real card number from the parts of the flow an attacker can reach. A token captured in transit can't be replayed on another channel, and because each cryptogram is single-use, a stolen one won't authorize a second payment. That closes the door on the reuse of intercepted card data, which is one of the main goals of tokenizing remote transactions. Because the cryptogram proves the payment originated from a provisioned device, the issuer can weigh it as a stronger authorization signal than a card number typed in by hand.
For merchants, handling a token instead of raw card data narrows the systems that touch sensitive information, which reduces the surface area subject to obligations.
Common issues
- Provisioning failures: a card can't be tokenized into the wallet, often due to issuer support or verification gaps, so DSRP never activates for that card.
- Device or wallet incompatibility: older devices or unsupported wallets fall back to standard card entry rather than a tokenized flow.
- Cryptogram validation errors: a malformed or expired cryptogram is rejected by the network, producing a decline even when the account itself is valid.


