
Posted by Dominik Mengelt, Developer Relations Engineer, Google Pay and Nick Alteen, Technical Writer, Engineering, Wallet
What’s step-up authentication?
When processing payments, step-up authentication (or just “step-up”) is the practice of requiring additional authentication measures based on user activity and certain risk signals. For example, redirecting the user to 3D Secure to authenticate a transaction. This can help to reduce potential fraud and chargebacks. The following graphic shows the high-level flow of a transaction to determine what needs to be done if step-up is required.
Figure 1: Trigger your Risk Engine before sending the transaction to authorization if step-up is required
It depends! When making a transaction, the Google Pay API response will return one of the following:
- An authenticated payload that can be processed without any further step-up or challenge. For example, when a user adds a payment card to Google Wallet. In this case, the user has already completed identity verification with their issuing bank.
- A primary account number (PAN) that requires additional authentication measures, such as 3D Secure. For example, a user making a purchase with a payment card previously saved through Chrome Autofill.
You can use the allowedAuthMethods parameter to indicate which authentication methods you want to support for Google Pay transactions. If you list both PAN_ONLY and CRYPTOGRAM_3DS, you’re asking Google Pay to display the payment sheet for both types. For example, if the user selects a PAN_ONLY card (a card that is not tokenized and not enabled for contactless) from the payment sheet during checkout, step-up is required. Let’s look at two concrete scenarios:
In the first scenario, the Google Pay sheet shows a card previously added to Google Wallet. The card art and the name of the user’s issuing bank are displayed. If the user selects this card during the checkout process, no step-up is required because it falls under the CRYPTOGRAM_3DS authentication method.
On the other hand, the sheet in the second scenario shows a generic card network icon. This indicates the PAN_ONLY authentication method and therefore needs step-up.
PAN_ONLY vs. CRYPTOGRAM_3DS
Whether or not you decide to accept both forms of payment is your decision. For CRYPTOGRAM_3DS, the Google Pay API additionally returns a cryptogram and, depending on the network, an eciIndicator. Make sure to use these properties when continuing with authorization.
When should you step-up Google Pay transactions?
When calling the loadPaymentData method, the Google Pay API returns an encrypted payment token (paymentData.paymentMethodData.tokenizationData.token). After decryption, the paymentMethodDetails object contains a property, assuranceDetails, which carries two boolean properties: cardHolderAuthenticated and accountVerified.
Depending on the values of cardHolderAuthenticated and accountVerified, step-up authentication may be required. Google recommends step-up authentication for every combination of these two values except one: step-up can be skipped only when both cardHolderAuthenticated and accountVerified return true.
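As an added example (not code from the original post or from the Google Pay API itself), the following merchant-side helper applies that rule to a decrypted paymentMethodDetails object and assembles the fields to forward to authorization. It assumes the decrypted object exposes the authentication method as authMethod alongside cryptogram, eciIndicator and assuranceDetails; the sample payloads are constructed placeholders.

```javascript
// Added example, not from the original post. Assumes a decrypted Google Pay
// paymentMethodDetails object with authMethod, cryptogram, eciIndicator and
// assuranceDetails; token decryption itself is out of scope here.

function needsStepUp(paymentMethodDetails) {
  const ad = paymentMethodDetails && paymentMethodDetails.assuranceDetails;
  // Fail closed: a missing or malformed assuranceDetails never skips step-up.
  if (!ad || typeof ad !== "object") return true;
  // Strict boolean comparison so values like "true" or 1 cannot skip step-up.
  return !(ad.cardHolderAuthenticated === true && ad.accountVerified === true);
}

function authorizationRequest(paymentMethodDetails) {
  const req = { stepUp: needsStepUp(paymentMethodDetails) };
  if (paymentMethodDetails.authMethod === "CRYPTOGRAM_3DS") {
    // A tokenized card must come with a cryptogram; eciIndicator is
    // network-dependent, so forward it only when present.
    if (typeof paymentMethodDetails.cryptogram !== "string" ||
        paymentMethodDetails.cryptogram.length === 0) {
      throw new Error("CRYPTOGRAM_3DS payload without cryptogram");
    }
    req.cryptogram = paymentMethodDetails.cryptogram;
    if (paymentMethodDetails.eciIndicator) {
      req.eciIndicator = paymentMethodDetails.eciIndicator;
    }
  } else if (paymentMethodDetails.authMethod !== "PAN_ONLY") {
    // Unknown methods are rejected rather than silently treated as PAN_ONLY.
    throw new Error("unsupported authMethod: " + paymentMethodDetails.authMethod);
  }
  return req;
}

// Constructed sample payloads (placeholder values, not real card data).
const walletCard = {
  authMethod: "CRYPTOGRAM_3DS",
  cryptogram: "PLACEHOLDER_CRYPTOGRAM",
  eciIndicator: "05",
  assuranceDetails: { cardHolderAuthenticated: true, accountVerified: true },
};
const autofillCard = {
  authMethod: "PAN_ONLY",
  assuranceDetails: { cardHolderAuthenticated: false, accountVerified: true },
};

console.log(authorizationRequest(walletCard));   // stepUp: false, with cryptogram
console.log(authorizationRequest(autofillCard)); // stepUp: true
```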
Next steps
If you are not using assuranceDetails yet, consider doing so now and make sure to step-up transactions if needed. Also, make sure to check out our guide on Strong Customer Authentication (SCA) if you’re processing payments within the European Economic Area (EEA). Follow @GooglePayDevs on Twitter for future updates. If you have questions, mention @GooglePayDevs and include #AskGooglePayDevs in your tweets.