With mobile payments popular around the world, payers can make a payment anytime and anywhere. While providing great convenience, mobile payment also brings many payment security issues. This paper is the first comprehensive review of secure mobile payment. We classify mobile payment into TPC (third-party payment company)-led mobile payment and Bank-led mobile payment and, based on this, summarize the system structure of mobile payment. Then we discuss the mobile payment security technology framework in terms of Tokenization, PAN (bank card primary account number) binding, and Secure Payment Authentication, respectively. In addition, this paper introduces the secure technologies (hardware and software) used in these procedures, discusses and analyzes the security issues that they have encountered, summarizes open issues, and proposes future development directions. Finally, we discuss and compare popular and representative mobile payment applications, including Alipay, WeChat Pay, Apple Pay, Samsung Pay, and Google Pay.

INDEX TERMS Tokenization, symmetric cryptosystem, hybrid cryptosystem, PAN binding, TOTP, remote payment, near-field payment.