Posted by Dominik Mengelt, Developer Relations Engineer, Google Pay, and Nick Alteen, Technical Writer, Engineering, Wallet
What’s step-up authentication?
When processing payments, step-up authentication (or just "step-up") is the practice of requiring additional authentication measures based on user activity and certain risk indicators, for example redirecting the user to 3D Secure to authenticate a transaction. This can help reduce potential fraud and chargebacks. The following graphic shows the high-level flow of a transaction and how to determine what to do if step-up is required.
Figure 1: Trigger your Risk Engine before sending the transaction to authorization if step-up is required
It depends! When creating a transaction, the Google Pay API response will return one of the following:
- An authenticated payload that can be processed without any further step-up or challenge. For example, when a user adds a payment card to Google Wallet. In this case, the user has already completed identity verification with their issuing bank.
- A primary account number (PAN) that requires additional authentication measures, such as 3D Secure. For example, a user making a purchase with a payment card previously saved through Chrome Autofill.
You can use the allowedAuthMethods parameter to indicate which authentication methods you want to support for Google Pay transactions:
In this case, you're asking Google Pay to display the payment sheet for both types. For example, if the user selects a PAN_ONLY card (a card that is not tokenized and not enabled for contactless) from the payment sheet during checkout, step-up is required. Let's look at two concrete scenarios:
In the first scenario, the Google Pay sheet shows a card previously added to Google Wallet. The card art and the name of the user's issuing bank are displayed. If the user selects this card during the checkout process, no step-up is required because it falls under the CRYPTOGRAM_3DS authentication method.
Alternatively, the sheet in the second scenario shows a generic card network icon. This indicates a PAN_ONLY authentication method and therefore needs step-up.
PAN_ONLY vs. CRYPTOGRAM_3DS
Whether or not you decide to accept both forms of payment is your decision. For CRYPTOGRAM_3DS, the Google Pay API additionally returns a cryptogram and, depending on the network, an eciIndicator. Make sure to use these properties when continuing with authorization.
When should you step up Google Pay transactions?
When calling the loadPaymentData method, the Google Pay API returns an encrypted payment token (paymentData.paymentMethodData.tokenizationData.token). After decryption, the paymentMethodDetails object contains a property, assuranceDetails, which has the following format:
Depending on the values of cardHolderAuthenticated and accountVerified, step-up authentication may be required. The following table indicates the possible scenarios and when Google recommends step-up authentication for a transaction:
Step-up can be skipped only when both cardHolderAuthenticated and accountVerified return true.
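As an added example (not code from this post or from the Google Pay API itself), the rule above and the cryptogram/eciIndicator handling from the PAN_ONLY vs. CRYPTOGRAM_3DS section, applied to a decrypted token's paymentMethodDetails object. The sample tokens are constructed, and the amount/currency parameters of buildAuthorizationRequest are assumptions.

```javascript
// Added example: decide whether a decrypted Google Pay token needs step-up.
// Rule from the post: skip step-up only when accountVerified AND
// cardHolderAuthenticated are both true. Sample tokens below are constructed.

function needsStepUp(paymentMethodDetails) {
  const assurance = paymentMethodDetails && paymentMethodDetails.assuranceDetails;
  // Missing or partial assuranceDetails gives no assurance: require step-up.
  if (!assurance) {
    return true;
  }
  return !(assurance.accountVerified === true &&
           assurance.cardHolderAuthenticated === true);
}

// Assemble what is forwarded to authorization (amount/currency are assumed
// parameters). For CRYPTOGRAM_3DS the cryptogram must be present and is
// passed along with the eciIndicator when the network supplied one.
function buildAuthorizationRequest(paymentMethodDetails, amount, currency) {
  const request = {
    amount,
    currency,
    authMethod: paymentMethodDetails.authMethod,
    stepUpRequired: needsStepUp(paymentMethodDetails),
  };
  if (paymentMethodDetails.authMethod === 'CRYPTOGRAM_3DS') {
    if (!paymentMethodDetails.cryptogram) {
      throw new Error('CRYPTOGRAM_3DS token without a cryptogram');
    }
    request.cryptogram = paymentMethodDetails.cryptogram;
    if (paymentMethodDetails.eciIndicator !== undefined) {
      request.eciIndicator = paymentMethodDetails.eciIndicator;
    }
  }
  return request;
}

// Constructed samples: a tokenized Wallet card and a Chrome Autofill card.
const walletCard = {
  authMethod: 'CRYPTOGRAM_3DS',
  cryptogram: 'CONSTRUCTED_CRYPTOGRAM',
  eciIndicator: '05',
  assuranceDetails: { accountVerified: true, cardHolderAuthenticated: true },
};
const autofillCard = {
  authMethod: 'PAN_ONLY',
  assuranceDetails: { accountVerified: true, cardHolderAuthenticated: false },
};

console.log(needsStepUp(walletCard), needsStepUp(autofillCard)); // false true
```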
Next steps
If you are not using assuranceDetails yet, consider doing so now and make sure to step up transactions when needed. Also, make sure to check out our guide on Strong Customer Authentication (SCA) if you are processing payments within the European Economic Area (EEA). Follow @GooglePayDevs on Twitter for future updates. If you have questions, mention @GooglePayDevs and include #AskGooglePayDevs in your tweets.