Google Pay Payment Integration Using Direct Tokenization

Backend · unresolved · 1 answer · 415 views
天命终不由人 2021-01-27 12:14

My app sells one item, and the payment method is Google Pay. There are two types of tokenization method in Google Pay. I referred to the Google Pay documentation, but it's very difficult to

1 answer
  •  孤独总比滥情好
    2021-01-27 12:39

    For context, there are two ways to integrate with Google Pay:

    1. Through a supported Payment Service Provider (PSP) - recommended, and
    2. Through DIRECT integration - not recommended

    The PSP method is recommended because the partner PSPs are responsible for managing the user's payment credentials and are on the hook for PCI DSS compliance.

    With the DIRECT integration method, you have to take on the PCI compliance obligations and need to provide evidence to Google that you are PCI compliant:

    If completing a DIRECT tokenizationSpecification type integration, you must annually rotate your public encryption key through the Google Pay Developer Profile and provide PCI Attestation to Google. PCI Attestation can be submitted by a third-party or Qualified Security Assessor certified by the PCI Security Standards Council, and approved by an Approved Vendor or Qualified Assessor.


    Back to the actual questions:

    With DIRECT integration, Google Pay will encrypt the user's payment details using the public key that you provide in the Google Pay developer console (must be signed up as a merchant to access this page) and the payment request. You would then take the encrypted payload and decrypt it using your private key.

    Information on how to manage encryption and decryption can be found here: https://developers.google.com/pay/api/android/guides/resources/payment-data-cryptography#using-openssl

    Important bits:

    # generate a P-256 (prime256v1) private key; keep key.pem on the server only
    openssl ecparam -name prime256v1 -genkey -noout -out key.pem
    
    # generate a base64-encoded public key: take the 5 hex lines after "pub:"
    # (the uncompressed point 0x04 || X || Y, 65 bytes), turn the hex into raw
    # bytes, base64-encode them, and join the wrapped lines into a single line
    openssl ec -in key.pem -pubout -text -noout 2> /dev/null | grep "pub:" -A5 | sed 1d | xxd -r -p | base64 | paste -sd "\0" -
    

    A good source for PCI compliance related information can be found here: https://www.pcicomplianceguide.org/faq/

    FYI, I've provided a similar answer with a bit more detail on the overall process here: Where is Google pay Developer account and how to generate public key to upload in it?

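The decryption step the answer describes, as an added example that is not part of the original answer or of Google's own code. It follows the ECv2 parameters from the linked payment-data-cryptography page (P-256 ECDH, HKDF-SHA256 with info "Google" and no salt over ephemeralPublicKey || sharedSecret, AES-256-CTR with a zero IV, HMAC-SHA256 tag over the ciphertext) and uses only the Go standard library (crypto/ecdh and errors.Join need Go 1.20 or later). The function names, the ECv2Message struct and the sample card JSON are assumptions made for this example. EncryptForMerchant plays Google's side so the exchange runs offline; the merchant key it generates stands in for key.pem from the openssl commands above. Not shown: verifying the signature over signedMessage against Google's published root signing keys and checking the intermediate signing key's expiry, which a real integration does before decrypting anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// ECv2Message holds the three fields inside Google Pay's signedMessage; all are base64 strings.
type ECv2Message struct {
	EncryptedMessage   string `json:"encryptedMessage"`
	EphemeralPublicKey string `json:"ephemeralPublicKey"`
	Tag                string `json:"tag"`
}

// hmacSHA256 returns HMAC-SHA256(key, parts[0] || parts[1] || ...).
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// hkdfSHA256 is RFC 5869 HKDF-SHA256 with an empty salt (a zero salt of hash length), written out so only the standard library is needed.
func hkdfSHA256(ikm, info []byte, n int) []byte {
	prk := hmacSHA256(make([]byte, sha256.Size), ikm) // extract
	var okm, prev []byte
	for i := byte(1); len(okm) < n; i++ { // expand: T(i) = HMAC(prk, T(i-1) || info || i)
		prev = hmacSHA256(prk, prev, info, []byte{i})
		okm = append(okm, prev...)
	}
	return okm[:n]
}

// deriveKeys is the ECIES-KEM step both sides perform: P-256 ECDH, then HKDF (info "Google") over ephemeralPublicKey || sharedSecret, giving a 32-byte AES-256 key and a 32-byte HMAC key.
func deriveKeys(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephemeralPub []byte) (aesKey, macKey []byte, err error) {
	shared, err := priv.ECDH(peer) // x-coordinate of the shared point, 32 bytes
	if err != nil { return nil, nil, err }
	okm := hkdfSHA256(append(append([]byte{}, ephemeralPub...), shared...), []byte("Google"), 64)
	return okm[:32], okm[32:], nil
}

// aesCTRZeroIV is AES-256-CTR with an all-zero IV, as ECv2 specifies; the fixed IV is safe only because every message is encrypted under a fresh ephemeral key.
func aesCTRZeroIV(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // unreachable: the key is always 32 bytes from HKDF
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// EncryptForMerchant plays Google Pay's side so the example is self-contained: fresh ephemeral key, then encrypt-then-MAC addressed to the merchant's uploaded public key.
func EncryptForMerchant(merchantPub *ecdh.PublicKey, plaintext []byte) (ECv2Message, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return ECv2Message{}, err }
	ephBytes := eph.PublicKey().Bytes() // uncompressed point 0x04 || X || Y, 65 bytes
	aesKey, macKey, err := deriveKeys(eph, merchantPub, ephBytes)
	if err != nil { return ECv2Message{}, err }
	ct := aesCTRZeroIV(aesKey, plaintext)
	enc := base64.StdEncoding.EncodeToString
	return ECv2Message{EncryptedMessage: enc(ct), EphemeralPublicKey: enc(ephBytes), Tag: enc(hmacSHA256(macKey, ct))}, nil
}

// DecryptPaymentToken is the merchant-side step: derive the keys with the merchant private key, check the tag in constant time, and only then decrypt.
func DecryptPaymentToken(merchantPriv *ecdh.PrivateKey, msg ECv2Message) ([]byte, error) {
	ct, err1 := base64.StdEncoding.DecodeString(msg.EncryptedMessage)
	ephBytes, err2 := base64.StdEncoding.DecodeString(msg.EphemeralPublicKey)
	tag, err3 := base64.StdEncoding.DecodeString(msg.Tag)
	if err := errors.Join(err1, err2, err3); err != nil { return nil, err }
	ephPub, err := ecdh.P256().NewPublicKey(ephBytes) // rejects points that are not on the curve
	if err != nil { return nil, fmt.Errorf("bad ephemeralPublicKey: %w", err) }
	aesKey, macKey, err := deriveKeys(merchantPriv, ephPub, ephBytes)
	if err != nil { return nil, err }
	if !hmac.Equal(hmacSHA256(macKey, ct), tag) { // constant-time compare before any decryption
		return nil, errors.New("tag mismatch: payload altered or wrong merchant key")
	}
	return aesCTRZeroIV(aesKey, ct), nil
}

// RoundTrip generates a merchant key (standing in for key.pem), encrypts plaintext as Google would, decrypts it, and checks that a ciphertext with one flipped bit is rejected.
func RoundTrip(plaintext string) (recovered string, tamperRejected bool, err error) {
	merchant, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return "", false, err }
	msg, err := EncryptForMerchant(merchant.PublicKey(), []byte(plaintext))
	if err != nil { return "", false, err }
	pt, err := DecryptPaymentToken(merchant, msg)
	if err != nil { return "", false, err }
	ct, _ := base64.StdEncoding.DecodeString(msg.EncryptedMessage)
	ct[0] ^= 0x01 // flip one ciphertext bit: CTR mode alone would decrypt this silently
	bad := ECv2Message{EncryptedMessage: base64.StdEncoding.EncodeToString(ct), EphemeralPublicKey: msg.EphemeralPublicKey, Tag: msg.Tag}
	_, tamperErr := DecryptPaymentToken(merchant, bad)
	return string(pt), tamperErr != nil, nil
}

func main() {
	// constructed sample plaintext; a real decrypted message carries Google's card-data JSON
	fmt.Println(RoundTrip(`{"paymentMethod":"CARD","pan":"4111111111111111"}`))
}
```

The tag is verified with hmac.Equal before a single byte is decrypted because CTR mode has no integrity of its own; RoundTrip demonstrates that by flipping one ciphertext bit and confirming the tampered copy is rejected. In production the merchant private key should live in an HSM or KMS rather than a key.pem on disk, and the annual key rotation mentioned in the answer means the server must be able to hold the old and new private keys during the changeover.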