I've definitely had the last 4 digits printed out on a receipt. While it is conceivable that those were transmitted separately I find that somewhat unlikely.
I believe tokenization is a feature that is ultimately coming, but not quite there yet (and can also be supported by normal cards).
Disclaimer: I take interest in the payment-world, but am by no means an expert and have made the above claims only to the best of my knowledge.
EDIT: It appears the process of generating the device specific card number is already tokenization.
> After the validation, the card network acting as a TSP (Token Service Provider) creates a token (which is called a DAN or a Device Account Number in the context of Apple Pay) and a token key. This DAN is generated using tokenization and is not the actual card number.
[1] suggests that while some cryptography is done for each transaction, the token is the card number and still only unique to the device, not the transaction.
Said cryptography should be according to the EMV standard [2] and is also performed by a normal card (potentially minus the tokenization).
> I've definitely had the last 4 digits printed out on a receipt. While it is conceivable that those were transmitted separately I find that somewhat unlikely.
I noticed this too. Some merchants print the last four of the device account number (DAN) and some print the last four of the actual primary account number (PAN).
I asked about it on /r/ApplePay [1]. /u/martialplum provided this explanation:
> Although the card number sent to the reader from in the transaction is the device account number, this gets de-tokenized along the way to your bank (either by the payment network or some third party) and the actual card number is the one used for authorization. Some issuers use the actual card number in the response they send back to the merchant (data element 2 in ISO 8583). Depending on how the card reader formats the receipt, it's not uncommon for merchant copies of the receipt to show the full device account number (expected), but show the last 4 of the actual card number for convenience when someone shows them the card on their device, which will show the same numbers.
The "ISO 8583" text in that was a link to this [2].
I believe tokenization is a feature that is ultimately coming, but not quite there yet (and can also be supported by normal cards).
Disclaimer: I take interest in the payment-world, but am by no means an expert and have made the above claims only to the best of my knowledge.
EDIT: It appears the process of generating the device specific card number is already tokenization.
> After the validation, the card network acting as a TSP (Token Service Provider) creates a token (which is called a DAN or a Device Account Number in the context of Apple Pay) and a token key. This DAN is generated using tokenization and is not the actual card number.
[1] suggests that while some cryptography is done for each transaction, the token is the card number and still only unique to the device, not the transaction.
Said cryptography should be according to the EMV standard [2] and is also performed by a normal card (potentially minus the tokenization).
[1] https://www.freecodecamp.org/news/how-apple-pay-works-under-...
[2] https://en.m.wikipedia.org/wiki/EMV