Posted by Dominik Mengelt, Developer Relations Engineer, Google Pay and Nick Alteen, Technical Writer, Engineering, Wallet
What is step-up authentication?
When processing payments, step-up authentication (or simply “step-up”) is the practice of requiring additional authentication measures based on user activity and certain risk signals; redirecting the user to 3D Secure to authenticate a transaction is a common example. This can help to reduce potential fraud and chargebacks. The following graphic shows the high-level flow of a transaction and how to determine what to do if step-up is needed.
Figure 1: Trigger your Risk Engine before sending the transaction to authorization if step-up is needed
Whether step-up is needed depends on the transaction. When making a transaction, the Google Pay API response will return one of the following:
An authenticated payload that can be processed without any further step-up or challenge. For example, when a user adds a payment card to Google Wallet. In this case, the user has already completed identity verification with their issuing bank.
A primary account number (PAN) that requires additional authentication measures, such as 3D Secure. For example, a user making a purchase with a payment card previously stored through Chrome Autofill.
You can use the allowedAuthMethods parameter to indicate which authentication methods you want to support for Google Pay transactions. When you list both PAN_ONLY and CRYPTOGRAM_3DS, you’re asking Google Pay to display the payment sheet for both types. For example, if the user selects a PAN_ONLY card (a card that is not tokenized and not enabled for contactless) from the payment sheet during checkout, step-up is needed. Let’s have a look at two concrete scenarios:
In the first scenario, the Google Pay sheet shows a card previously added to Google Wallet. The card art and name of the user’s issuing bank are displayed. If the user selects this card during the checkout process, no step-up is required because it would fall under the CRYPTOGRAM_3DS authentication method.
On the other hand, the sheet in the second scenario shows a generic card network icon. This indicates a PAN_ONLY authentication method and therefore needs step-up.
PAN_ONLY vs. CRYPTOGRAM_3DS
Whether to accept both forms of payment is your decision. For CRYPTOGRAM_3DS, the Google Pay API additionally returns a cryptogram and, depending on the network, an eciIndicator. Make sure to use those properties when continuing with authorization.
PAN_ONLY: This authentication method is associated with payment cards from a user’s Google Account. Returned payment data includes the PAN with the expiration month and year.
CRYPTOGRAM_3DS: This authentication method is associated with cards stored as Android device tokens provided by the issuers. Returned payment data includes a cryptogram generated on the device.
When should you step-up Google Pay transactions?
When calling the loadPaymentData method, the Google Pay API returns an encrypted payment token (paymentData.paymentMethodData.tokenizationData.token). After decryption, the paymentMethodDetails object contains a property, assuranceDetails, with two boolean fields: cardHolderAuthenticated and accountVerified.
Depending on the values of cardHolderAuthenticated and accountVerified, step-up authentication may be required. Google recommends step-up authentication for every combination of the two values except one:
Step-up can be skipped only when both cardHolderAuthenticated and accountVerified return true.
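The following is an added example (not Google’s code) that ties the allowedAuthMethods choice above to the assuranceDetails rule: a server-side routine that decides, per decrypted token, whether to authorize directly, trigger step-up, or reject. It assumes decryption has already happened in your PSP’s or your own secure environment; the two card samples are constructed, and the cryptogram and PAN values in them are placeholders.

```javascript
// Added example, not from the Google Pay post or SDK. The inputs are constructed
// samples shaped like the decrypted paymentMethodDetails object described above:
// authMethod, pan, expirationMonth, expirationYear, cryptogram, eciIndicator,
// and assuranceDetails { accountVerified, cardHolderAuthenticated }.

// The authentication methods this merchant listed in allowedAuthMethods.
// Listing both asks the payment sheet to show tokenized and PAN_ONLY cards.
const ALLOWED_AUTH_METHODS = ['PAN_ONLY', 'CRYPTOGRAM_3DS'];

/**
 * Decide how to continue with authorization for one decrypted token.
 * Returns { action: 'AUTHORIZE' | 'STEP_UP' | 'REJECT', reason, authData }.
 * authData carries only the auth-method specifics the authorization
 * request needs; the PAN and expiry stay with the secure environment.
 */
function decideStepUp(paymentMethodDetails, allowedAuthMethods = ALLOWED_AUTH_METHODS) {
  const { authMethod, assuranceDetails = {} } = paymentMethodDetails;

  // Defensive check: never authorize with an auth method you did not request.
  if (!allowedAuthMethods.includes(authMethod)) {
    return { action: 'REJECT', reason: `unexpected authMethod: ${authMethod}`, authData: null };
  }

  const authData = { authMethod };
  if (authMethod === 'CRYPTOGRAM_3DS') {
    // A tokenized card must come with its device-generated cryptogram, and the
    // eciIndicator is forwarded when the network supplied one.
    const { cryptogram, eciIndicator } = paymentMethodDetails;
    if (typeof cryptogram !== 'string' || cryptogram.length === 0) {
      return { action: 'REJECT', reason: 'CRYPTOGRAM_3DS token without cryptogram', authData: null };
    }
    authData.cryptogram = cryptogram;
    if (eciIndicator !== undefined) authData.eciIndicator = eciIndicator;
  }

  // Step-up can be skipped only when both flags are strictly true. A missing or
  // non-boolean value is treated as "not verified" so the default is to step up.
  const bothTrue = assuranceDetails.accountVerified === true &&
    assuranceDetails.cardHolderAuthenticated === true;
  if (!bothTrue) {
    return {
      action: 'STEP_UP',
      reason: `accountVerified=${assuranceDetails.accountVerified}, ` +
        `cardHolderAuthenticated=${assuranceDetails.cardHolderAuthenticated}`,
      authData,
    };
  }
  return { action: 'AUTHORIZE', reason: 'accountVerified and cardHolderAuthenticated are both true', authData };
}

// Constructed sample: a card previously added to Google Wallet (first scenario above).
const WALLET_CARD = {
  authMethod: 'CRYPTOGRAM_3DS',
  pan: '4111111111111111',               // constructed test PAN
  expirationMonth: 12,
  expirationYear: 2027,
  cryptogram: 'CONSTRUCTED_CRYPTOGRAM',  // placeholder, not a real cryptogram
  eciIndicator: '05',
  assuranceDetails: { accountVerified: true, cardHolderAuthenticated: true },
};

// Constructed sample: a PAN_ONLY card saved through Chrome Autofill (second scenario).
const AUTOFILL_CARD = {
  authMethod: 'PAN_ONLY',
  pan: '5555555555554444',               // constructed test PAN
  expirationMonth: 12,
  expirationYear: 2027,
  assuranceDetails: { accountVerified: true, cardHolderAuthenticated: false },
};

for (const card of [WALLET_CARD, AUTOFILL_CARD]) {
  const decision = decideStepUp(card);
  console.log(`${card.authMethod}: ${decision.action} (${decision.reason})`);
}
```

Because a missing assuranceDetails object also yields STEP_UP, a token from an older integration that never populated it falls on the safe side rather than being authorized directly.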
If you are not using assuranceDetails yet, consider doing so now and make sure to step up transactions when needed. Also, make sure to check out our guide on Strong Customer Authentication (SCA) if you are processing payments within the European Economic Area (EEA). Follow @GooglePayDevs on Twitter for future updates. If you have questions, mention @GooglePayDevs and include #AskGooglePayDevs in your tweets.
A recent study by 451 Research showed that for merchants with over 50% of sales occurring online, 69% of them used multiple PSPs. We first demonstrated with the aforementioned samples how you can implement a consistent interface to multiple PSPs, streamlining your codebase while also providing more flexibility for the future. We’ve now taken this one step further and brought this unified PSP interface to the Firebase platform, by way of a Firebase Extension for Google Pay, making it easier than ever to integrate Google Pay with one or more PSPs.
Google Pay Firebase Extension
Firebase Extensions are open source, pre-packaged bundles of code that developers can easily pull into their apps. They are designed to increase productivity and provide extended functionality to your apps without the need to research, write, or debug code on your own. In that spirit, the Google Pay Firebase Extension brings the unified PSP interface to developers’ Firebase apps.
With the Google Pay Firebase Extension installed, you can pass a payment token from the Google Pay API to your Cloud Firestore database. The extension will listen for a request written to the path defined during installation, and then send the request to the PSP’s API. It will then write the response back to the same Firestore node.
Like all Firebase Extensions, the Google Pay Firebase Extension is entirely open source, so you can modify the code yourself to change the functionality as you see fit, or even contribute your changes back via pull requests – the sky’s the limit.
Furthermore, as the extension is backed by the aforementioned PSP samples project, the same set of PSPs are supported. Want to see your favorite PSP supported? Head on over to the PSP samples project which contains instructions for adding it.
Summing it up
Whether you’re new to Google Pay or Firebase, or an existing user of either, the new Google Pay extension is designed to save you even more time and effort when integrating Google Pay and any number of Payment Service Providers with your application.
Posted by Stephen McDonald, Developer Relations Engineer, Google Pay
Easily connect Google Pay with your preferred payment processor
Adding Google Pay as a payment method to your website or Android application provides a secure and fast checkout option for your users. To enable Google Pay, you will first need a Payment Service Provider (PSP). For the integration, this means understanding how your payment processing stack works with the Google Pay APIs.
End-to-end PSP samples
A recent study by 451 Research showed that for merchants with over 50% of sales occurring online, 69% of merchants used multiple PSPs. With these new samples, we demonstrate how you can implement an entirely consistent interface to multiple PSPs, streamlining your codebase while also providing more flexibility for the future.
Lastly, we’ve also added support to both the Web and Android Google Pay sample applications, making it easy to demonstrate the new PSP samples. Simply run the PSP samples project, and configure the Web or Android samples to send their cart information and Google Pay token to the PSP samples app, which will then send the relevant data to the PSP’s API and return the PSP’s response back.
To start with, we’ve included support for 6 popular PSPs: Adyen, Braintree, Checkout.com, Cybersource, Square, and Stripe. But that’s just the beginning. If you’re involved with a PSP that isn’t yet included, we’ve made adding new PSPs to the open source project as simple as possible. Just head on over to the GitHub repository which contains instructions on contributing your preferred PSP to the project.
Launching Google Pay for your website
When you’ve completed your testing, submit your website integration in the Google Pay Business Console. You will need to provide your website’s URL and screenshots to complete the submission.
Summing it up
Integrating Google Pay into your website is a great way to increase conversions and to improve the purchasing experience for your customers, and with these new open source samples, the process is even easier.
What do you think? Follow us on Twitter for the latest updates @GooglePayDevs
Do you have any questions? Let us know in the comments below or tweet using #AskGooglePayDevs.
Google has updated its Passes API to enable a simple and secure way to store and access COVID vaccination and test cards on Android devices. Starting today, developers from healthcare organizations, government agencies and organizations authorized by public health authorities to distribute COVID vaccines and/or tests will have access to these APIs to create a digital version of COVID vaccination or test information. This will roll out initially in the United States followed by other countries.
Example COVID Cards from Healthvana, a company serving Los Angeles County
Once a user stores the digital version of the COVID Card to their device, they will be able to access it via a shortcut on their device home screen, even when they are offline or in areas that have weak internet service. To use this feature, the device needs to run Android 5 or later and be Play Protect certified. Installing the Google Pay app is not a requirement to access COVID Cards.
The COVID Card has been designed with privacy and security at its core.
Storing information: The user’s COVID vaccination and test information is stored on their Android device. If a user wants to access this information on multiple devices, the user will need to manually store it on each device. Google does not retain a copy of the user’s COVID vaccination or test information.
Sharing information: Users can choose to show their COVID Card to others. The information in the user’s COVID Card is not shared by Google with its various services or third parties and it is not used for targeting ads.
Securing information: A lock screen is required in order to store a COVID Card on a device. This is for added security and to protect the user’s personal information. When a user wants to access their COVID Card, they will be asked for the password, pin or biometric method set up for their Android device.
If you are a qualified provider, please sign up to share your interest here. And, for more information about COVID cards and their privacy and security features, please see the help center.
What do you think?
Do you have any questions? Let us know in the comments below or tweet using #AskGooglePayDevs and follow us @GooglePayDevs.
Posted by Soc Sieng, Developer Advocate, Payments & Ola Ben Har, Payments DevRel Lead
We redesigned the Google Pay app to boost user engagement with your business.
The redesigned app makes it easy for users to find your business and provides you with a branded surface that lets you build relationships with your customers at scale.
The app is available in the App Store and Google Play Store in the US, India, and Singapore with availability in more markets on the way. In this blog post, we focus on features available in the US version of the app.
New in Google Pay
The Google Pay app focuses on users’ relationships with people, businesses, and other everyday essentials.
The app lets users send money, save money, and see spending insights.
It makes it easy for users to save money at their favorite businesses and discover new ones.
It also provides your brand with another surface to initiate meaningful reengagement with your customers. The branded experience is automatically created when customers check out with Google Pay or a Google Pay-enrolled card in the app, in stores, or online. This dedicated space for your business is also where customers can redeem offers, sign up for loyalty rewards, and view their transaction histories.
How it works
Google Pay’s new features are only part of the story.
Behind the scenes, we worked on the Google Pay APIs and developer tools to enable those experiences, help you acquire new customers, and better serve existing ones.
Google Pay APIs for Web and Android
The Google Pay APIs for Web and Android surface your transaction history within your branded experience on Google Pay, in addition to contactless payments in store. After a user makes a purchase with Google Pay or a Google Pay-enrolled card, they can search for your brand and view their transaction history in Google Pay.
When you integrate with the Google Pay APIs, you’re not only providing a convenient and secure checkout option in your app or on your website, but you also let your users track their transactions, independent of the channel, in one central place. Your brand becomes searchable for millions of active Google Pay users, which provides you with more reengagement opportunities.
Loyalty Enrollment and Sign-in API
The Loyalty Enrollment and Sign-in API lets users discover, and sign up or sign in to your loyalty program from your branded experience with a few taps in Google Pay.
When users sign up, they provide their consent and Google Pay securely shares sign-up details with your loyalty program’s sign-up process. They can use information that they already saved to their Google Accounts, which makes the sign-up process a snap. Afterward, users can easily access their loyalty passes at checkout.
That does it for now, but these updates are only the beginning, so stay tuned for more news in this space!
Want to learn more about Google Pay? Here’s what you can do:
Posted by Jose Ugia, Developer Programs Engineer, Google Pay and Anthony Panissidi, Technical Writer, Google Developer Studio
We made it easier than ever to integrate Google Pay in Flutter apps!
Our open source Flutter plugin simplifies the addition of payments to Flutter apps on iOS and Android.
The plugin gives you the ability to add functionality to your apps across platforms with a single and familiar codebase written in Dart.
It adapts the common steps required to facilitate payments to the way Flutter constructs components, works with the app’s user interface, and exchanges information between the native and Dart sides.
Now, as a Flutter developer, you can easily reap the benefits of Google Pay, which lets you provide users with a secure and fast checkout experience that increases conversions, and frees you from the need to manage credit cards and payments.
To configure a payment, load a payment profile with the desired configuration, either with a local file or one retrieved from a remote server. For a complete list of all configuration options, see the PaymentDataRequest object.
Here’s an example of a JSON file that defines payment options:
Posted by Soc Sieng, Developer Advocate, Google Pay
An improved Google Pay button works wonders for click-through rates and the checkout experience.
The updated Google Pay button displays a user’s card information, which makes the user 30% more likely to use it and increases conversions by 3.6%.
The display of the card’s type and last four digits reminds the user that they already saved a payment card to their Google Account, which makes them more likely to opt for the quick and easy checkout process that Google Pay provides.
How it works
If a user configured an eligible payment method in their Google Account at the time of purchase, the Google Pay button displays the type and last four digits of their most-recently used card.
Figure 1. An example of the Google Pay button with the additional information.
Figure 2. An example of the Google Pay button without the additional information.
How to enable card information
If you use the createButton API with default button options, your Google Pay button is automatically updated to include the user’s card network and last four digits.
If you customized the createButton API and set buttonType to plain or short, set it to buy to make your Google Pay button display the user’s card information.
If you haven’t integrated with the createButton API yet, consider doing so now so that the user knows that their payment details are a click away.
See it in action
To test the Google Pay button with other button options, check out this button-customization tool:
To get started with Google Pay, visit Google Pay’s Business Console. Make sure to use the createButton API to benefit from the new features. If you have any questions, tweet @GooglePayDevs on Twitter and use #AskGooglePayDevs.
Steve Klebe forms partnerships that drive adoption of Google Pay. He’s spent the last 9 years working for the Google Payments Business Development team, and possesses more than 40 years of experience with products and services related to payment processing, data security, and authentication.
Recently, Steve sat down for an interview with Jose Ugia, a Developer Relations Engineer on the Google Pay team.
Read the interview transcript for a deep overview of online payments.
Jose Ugia: Let’s get started with the basics. What is the typical sequence of events in processing an online credit-card payment?
Steve Klebe: This can happen in a few different ways, but let’s talk about the typical series of events:
A consumer visits the merchant’s website or application, and they need to pay for the items that they want to purchase.
The merchant then presents an order form to the consumer with a variety of payment options, including Google Pay. The consumer presses the Google Pay button, and the information that’s associated with the card that the consumer chooses to pay with is securely sent to the merchant.
The merchant calls the payment processor. The processor receives the request from the merchant and uses a shared key to decrypt the information in it in the payment service provider’s secure environment.
The payment processor interacts with the network that’s associated with that particular card, such as Visa, Mastercard, American Express, or Discover. There are variations of networks around the world, though.
The network consults the issuing bank, and the issuing bank checks the account to verify that it’s active and valid. If there are funds available to cover the transaction, then the transaction is approved.
The approval triggers a response chain. The network responds to the payment processor, the payment processor responds to the merchant, and the merchant responds to the consumer with something like, “Your payment has been accepted!”
This sequence of events happens in approximately 2 seconds, during which the transaction passes through multiple different systems in order to deliver a response to the consumer.
Jose Ugia: Most developers and businesses don’t think about these steps. When you think about chargebacks and fraud, this information is especially useful.
The next question is related to a concept that goes by many names in the industry. It’s what we call a PSP or payment service provider, but others refer to it as a payment processor, payment provider, or payment gateway. What is this concept and why are there so many different terms for it?
Steve Klebe: Things evolve and sometimes different entities in the ecosystem create their own terms to differentiate themselves. It’s a big challenge in the payments industry; there are many terms for the same concepts.
The term PSP has an official meaning in the ecosystem, and it can represent companies that take on different roles in the payment sequence, which I outlined in the first question. However, we kept things simple for our merchant and developer partners. PSP defines the initial link between the merchant and the network, regardless of their roles. The role of the PSP is to make sure the merchant is legitimate and categorize the merchant as a retail store, restaurant, or something else.
The PSP is the entity through which the money flows, from the card issuer through the networks to the PSP. They provide consolidated reporting to the merchant and—most people don’t realize this—they also often hold the financial responsibility. If the merchant is fraudulent or goes out of business and there are lingering transactions, the PSP assumes financial responsibility for the merchants.
Jose: So, if I’m planning to accept payments online, do I need a PSP?
Steve Klebe: Yes, you absolutely need to have a PSP, but it doesn’t matter to you as a merchant if the PSP is an official processor or a licensed agent of a processor.
Jose: Are there specific considerations that I have to account for as a merchant or developer when I choose a PSP to process credit-card payments?
Steve Klebe: Sometimes it’s tied to the shopping cart of your e-commerce platform, most of which embed one or more PSPs into their systems. Sometimes, the decision has been made for you. Other times, you have flexibility to choose whatever you want. Different PSPs have different expertise in different types of payments. For example, if you’re a merchant who focuses on a subscription model, there are certain PSPs who handle these types of payments better than others. If you’re going to sell globally, you need to pick a PSP with the maximum ability to support alternative payment methods from other countries. If you’re a restaurant and you need to do in-store and online payment processing, not all PSPs are equal in their ability to support different types of channels.
So, do some research, talk to peers in your industry to find out who they use and whether they’re satisfied, and make an intelligent choice. It can have fairly significant consequences if you need to do online ordering, but you picked a PSP who is competent at in-store purchases and doesn’t take e-commerce seriously.
Jose: Are you suggesting that I might need to integrate multiple PSPs to cover different scenarios?
Steve: Yes. Using multiple PSPs is not unusual. If you need to cover different scenarios, such as subscription payments, in-person payments, or online payments then this can be very common. If you need to change your PSP, it can affect you later. Your PSP choice becomes intertwined with your back-office operations and fulfillment. It’s not just an API; it becomes integrated into all aspects of the business supply chain, including customer servicing, revenue recognition, etc. and switching isn’t easy.
Jose: I’ve seen some PSPs offering something called “hosted checkout”. How does that differ from a regular integration in my website or application?
Steve Klebe: There are typically two approaches: you integrate your PSP’s API and you as the merchant typically control the checkout process directly with the consumer. In the case of Google Pay, you can add the Google Pay button to your checkout pages. That’s typically used by medium-to-large merchants, while smaller merchants tend to gravitate towards this concept called a hosted order page, which has some limitations because the checkout occurs on a page that the PSP hosts and different PSPs have different hosted-order-page capabilities.
If you’re an API merchant, for your non-Google Pay transactions you have a responsibility to protect the card information of your customers. With a hosted order page, all the sensitive information is being hosted on a page from the PSP. The penalties for having card information stolen from your servers are very severe, so hosted order pages are popular, flexible, and customizable.
In Europe, hosted checkouts are popular because commerce is complicated with more than 20 countries, different currencies, and payment methods. A US merchant could survive with a much simpler array of payment options if the merchant plans to only sell within US borders.
We work with most major PSPs globally and have them implement Google Pay as a default option for hosted checkouts. Usually, this is enabled by default but the PSP gives the merchant a choice to opt out.
Jose: What are e-wallets, digital wallets, and other payment facilitators, and how do they differ from a PSP?
Steve Klebe: There are a lot of acronyms, and they can start blending together and sounding the same to someone new to the space. The metaphor for a digital wallet was originally developed to represent that whatever is in your physical wallet would ultimately be in your digital wallet. While PSPs facilitate online transactions, digital wallets are a form of payment. There are many benefits to offering a digital wallet like Google Pay, one of the most obvious being the ability for customers to check out quickly, without needing to re-enter credit card and billing information for every single transaction.
In the case of Google Pay, you can store loyalty cards, boarding passes, payment cards, and receipts in your digital wallet and use it to transact in physical stores, online websites and applications alike. The metaphor has played out, but there are a lot of differences within the broad category of alternative payment methods and digital wallets.
Those differences are evolving. Today, we have Google Pay, Apple Pay, PayPal, Samsung Pay, WeChatPay, Alipay and others. In some cases, the app or the account is only a container for credentials. In other cases, it’s the account of record for your money. For example, in Asia, you see the popularity of Alipay and WeChat Pay, which are actually like bank accounts. In India, the Google Pay for India app connects directly to the consumer’s bank account, and initiates the movement of money to the merchant’s bank account.
Jose: What is a tokenized card and how does it affect online transactions?
Steve Klebe: The word tokenization is a loaded word in our industry and it creates a bunch of confusion. Tokenization and encryption (which are sometimes confused) came about because of the growing popularity of cards, and the growing use and misuse of cards by people with good and bad intentions.
The concept of exchanging a card number for a token is applied by various parties at different stages of an online transaction:
Tokenization, at the network level, came about after the industry established a standard for protecting card data that’s now referred to as PCI, which is an industry consortium funded by the major card brands that established a single standard for security.
Similarly, to assist merchants with complying with PCI, most PSPs came up with a proprietary scheme to take the card number from the merchant and give the merchant a token or reference number. The PSP, within its secure environment, would hold the card and the merchant wouldn’t need to handle it anymore. This became a dominant approach after PCI took effect.
In addition, there are two types of tokens that are used at the network level:
Device-based tokens or DPAN
When you want to use an existing card on your phone as a payment method, the call gets made to the associated network, which then calls the bank that issued the card. A call then comes back to authenticate the consumer, and the most common step is that the consumer is asked to enter a one-time passcode they received through text. After the bank confirms your identity, it sends a signal to the network and approves your card for digital payments. The network then takes the account number, converts it to a token, and returns it to your wallet provider, who securely stores it on the phone.
This is a brand new concept where a product like Google Pay, which helps to securely store millions of cards in its cloud, delivers them to the network for conversion to a token. The network validates the status of the card with the issuing bank, turns them into e-commerce tokens, and returns the tokens to Google. Now, when you shop on any device, Google can use one of these e-commerce tokens because the network and issuer authenticated them. Even if the underlying card changes completely or the expiration date gets updated, this all happens behind the scenes. This is not only convenient for customers, but it also helps protect their card and transaction information by keeping the actual credit card number unexposed and including a dynamic element that is different for every transaction.
Jose: What is the future of payments going to bring? What are you most excited about?
Steve Klebe: I would say, due to the changes our world is going through, we are rethinking how payments are changing. It’s hard to know what the ultimate impact will be, but it’s been about mobile optimization during the last couple years. Every merchant and PSP realizes that they have to enhance their digital offerings, but it’s not going to be any one individual thing. I think it’s the entire holistic experience, whether it’s web, mobile, or in-store. All of a sudden, every merchant realizes that they need to be prepared to do payments contactlessly. Even if the consumer is standing in front of you, you have to be prepared to handle the payment without contact.
There is a clear divide between card present and card not present, and those areas are now blending together. The card industry doesn’t care whether the person is in front of you. If a payment is made digitally, there are alternative rules that apply to the merchant. Merchants need to be extremely cognizant of these rules and they need to do everything they can to optimize how they accept payments.
An exception would be where you can start shopping with a merchant on your desktop and complete transactions elsewhere while your goods remain in your shopping cart. Their systems have to be capable of multiplatform payments and that requires a fresh look at who your PSPs are because not all PSPs provide such capabilities.
Device-bound tokens are very 1990s-ish. The whole world is moving to the cloud. A device-bound token needs to be reprovisioned every time I get a new phone, which is typically every 1-2 years, and that has to change. We live in a cloud-based world and people expect to authenticate themselves and start doing business, and payments have to work this way, too.
Jose: Thank you for the chat, Steve. It sounds like payments are changing a lot, adapting to the evolution of technology and we’re excited to see where these changes take us.
Interested in learning more about Google Pay APIs or have questions? Follow us @GooglePayDevs and let us know in the comments or tweet using #AskGooglePayDev! For any other Google Pay-related requests and questions, or to start your Google Pay integration, visit Google Pay Business Console.
Posted by Cole Stuart, Google Pay Product Marketing
Digital wallets are rapidly growing in popularity, as adoption from users and acceptance from businesses has expanded significantly over recent years. As we have seen in recent months, this trend towards digital payments over traditional card or cash transactions has only accelerated during the COVID-19 pandemic. Over 40% of global ecommerce spending in 2019 came from a digital wallet like Google Pay, Apple Pay, or Alipay according to the FIS Global Payments Report [1]. This year, over one billion shoppers are expected to make a digital wallet transaction.
We believe this is just the beginning. In the next five years, digital wallet adoption is expected to increase dramatically. Worldpay’s white paper explores how adopting digital wallets can benefit businesses like yours. Some of the key takeaways are highlighted below.
What digital wallets have to offer
Digital wallets, such as Google Pay, have the ability to not only improve your business outcomes, but also provide unique value to everyday consumers. Benefits include:
Digital wallet transactions showed significantly higher acceptance rates and significantly lower chargeback rates for businesses compared with ordinary card transactions [2].
Even though transaction volumes for digital wallets were lower than cards in most markets, the value of US digital wallet transactions was on average 25% greater than that of ordinary card transactions in 2019 [2].
How to bring Google Pay into your business
Ready to adopt a digital wallet and give your customers a seamless transaction experience in just 4 easy steps? Sign up with the Business Console here and visit our developer’s site for more information. You can also find the full whitepaper here, alongside previous case studies that prove how Google Pay has helped drive lasting impact for other businesses.
Liked our whitepaper? Reach out directly to the contacts below.