1

My app using one thing to sale and Using Payment is Google Pay. There is Two type of Tokenization method in Google Pay. I refer google pay document. But it's very difficult to understand.

There is Direct Tokenization Method.

1) How to Integrate Direct Tokenization?.

2) What is PCI DSS compliance?

3) What is public key and how to encryption and Decryption Process?

Arti
  • 672
  • 7
  • 19

1 Answers1

4

For context, there are two ways to integrate with Google Pay:

  1. Through a supported Payment Service Provider (PSP) - recommended, and
  2. Through DIRECT integration - not recommended

The PSP method is recommended because the partner PSPs are responsible for managing the user's payment credentials and are on the hook for PCI and DSS compliance.

With the DIRECT integration method, you have to take on the PCI compliance obligations and need to provide evidence to Google that you are PCI compliant:

If completing a DIRECT tokenizationSpecification type integration, you must annually rotate your public encryption key through the Google Pay Developer Profile and provide PCI Attestation to Google. PCI Attestation can be submitted by a third-party or Qualified Security Assessor certified by the PCI Security Standards Council, and approved by an Approved Vendor or Qualified Assessor.

Back to the actual questions:

With DIRECT integration, Google Pay will encrypt the user's payment details using the public key that you provide in the Google Pay developer console (must be signed up as a merchant to access this page) and the payment request. You would then take the encrypted payload and decrypt it using your private key.

Information on how to manage encryption and decryption can be found here: https://developers.google.com/pay/api/android/guides/resources/payment-data-cryptography#using-openssl

Important bits:

# generate private key
openssl ecparam -name prime256v1 -genkey -noout -out key.pem

# generate a base64-encoded public key
openssl ec -in key.pem -pubout -text -noout 2> /dev/null | grep "pub:" -A5 | sed 1d | xxd -r -p | base64 | paste -sd "\0" -

A good source for PCI compliance related information can be found here: https://www.pcicomplianceguide.org/faq/

FYI, I've provided a similar answer with a bit more detail on the overall process here: Where is Google pay Developer account and how to generate public key to upload in it?

Soc
  • 7,425
  • 4
  • 13
  • 30
  • Thanks, actually after use of Stripe, I am upset because their 1% dispute limit is insane. Once you reach, they keep your money. So the Direct integration is NOT a unsuggested way as I experienced. Thanks for the answer, but do you know a reference to check for direct integration script(s) ? – user3304007 Jan 23 '21 at 17:21
  • @user3304007 can you please tell my what is the PCI compliance ? and how to get to upload to the google pay console Thanks in advance – Abdelrahman ELgamal Feb 03 '23 at 17:16