问题
My app using one thing to sale and Using Payment is Google Pay. There is Two type of Tokenization method in Google Pay. I refer google pay document. But it's very difficult to understand.
There is Direct Tokenization Method.
1) How to Integrate Direct Tokenization?.
2) What is PCI DSS compliance?
3) What is public key and how to encryption and Decryption Process?
回答1:
For context, there are two ways to integrate with Google Pay:
- Through a supported Payment Service Provider (PSP) - recommended, and
- Through DIRECT integration - not recommended
The PSP method is recommended because the partner PSPs are responsible for managing the user's payment credentials and are on the hook for PCI and DSS compliance.
With the DIRECT integration method, you have to take on the PCI compliance obligations and need to provide evidence to Google that you are PCI compliant:
If completing a DIRECT
tokenizationSpecification
type integration, you must annually rotate your public encryption key through the Google Pay Developer Profile and provide PCI Attestation to Google. PCI Attestation can be submitted by a third-party or Qualified Security Assessor certified by the PCI Security Standards Council, and approved by an Approved Vendor or Qualified Assessor.
Back to the actual questions:
With DIRECT integration, Google Pay will encrypt the user's payment details using the public key that you provide in the Google Pay developer console (must be signed up as a merchant to access this page) and the payment request. You would then take the encrypted payload and decrypt it using your private key.
Information on how to manage encryption and decryption can be found here: https://developers.google.com/pay/api/android/guides/resources/payment-data-cryptography#using-openssl
Important bits:
# generate private key openssl ecparam -name prime256v1 -genkey -noout -out key.pem # generate a base64-encoded public key openssl ec -in key.pem -pubout -text -noout 2> /dev/null | grep "pub:" -A5 | sed 1d | xxd -r -p | base64 | paste -sd "\0" -
A good source for PCI compliance related information can be found here: https://www.pcicomplianceguide.org/faq/
FYI, I've provided a similar answer with a bit more detail on the overall process here: Where is Google pay Developer account and how to generate public key to upload in it?
来源:https://stackoverflow.com/questions/57390443/google-pay-payment-integration-with-using-direct-tokenization