Each payment contains a unique 7-digit ID representing the current session between the device and the merchant. Even if a payment is generated but not submitted, its 7-digit ID will not match the next session, and so the token cannot be stolen and used by anyone else.

This is an important security feature because other methods of generating one-time credit card numbers can typically be stolen at any point until the merchant completes the payment approval.