Posted by Dominik Mengelt, Developer Relations Engineer, Google Pay and Nick Alteen, Technical Writer, Engineering, Wallet
What’s step-up authentication?
When processing payments, step-up authentication (or just "step-up") is the practice of requiring additional authentication measures based on user activity and certain risk indicators. For example, redirecting the user to 3D Secure to authenticate a transaction. This can help reduce potential fraud and chargebacks. The following graphic shows the high-level flow of a transaction and how to determine what must be done if step-up is required.
Figure 1: Trigger your risk engine before sending the transaction to authorization to determine whether step-up is required
It depends! When creating a transaction, the Google Pay API response will return one of the following:
- An authenticated payload that can be processed without any further step-up or challenge. For example, when a user adds a payment card to Google Wallet. In this case, the user has already completed identity verification with their issuing bank.
- A primary account number (PAN) that requires additional authentication measures, such as 3D Secure. For example, a user making a purchase with a payment card previously saved by Chrome Autofill.
You can use the allowedAuthMethods parameter to indicate which authentication methods you want to support for Google Pay transactions:
In this case, you are asking Google Pay to show the payment sheet for both types. For example, if the user selects a PAN_ONLY card (a card that is not tokenized and not enabled for contactless) from the payment sheet during checkout, step-up is required. Let's look at two concrete scenarios:
In the first scenario, the Google Pay sheet shows a card previously added to Google Wallet. The card art and the name of the user's issuing bank are displayed. If the user selects this card during the checkout process, no step-up is required because it falls under the CRYPTOGRAM_3DS authentication method.
On the other hand, the sheet in the second scenario shows a generic card network icon. This indicates the PAN_ONLY authentication method and therefore needs step-up.
PAN_ONLY vs. CRYPTOGRAM_3DS
Whether or not you decide to accept both forms of payment is your decision. For CRYPTOGRAM_3DS, the Google Pay API additionally returns a cryptogram and, depending on the network, an eciIndicator. Make sure to use these properties when continuing with authorization.
When should you step-up Google Pay transactions?
When calling the loadPaymentData method, the Google Pay API will return an encrypted payment token (paymentData.paymentMethodData.tokenizationData.token). After decryption, the paymentMethodDetails object contains a property, assuranceDetails, which has the following format:
Depending on the values of cardHolderAuthenticated and accountVerified, step-up authentication may be required. The following table indicates the possible scenarios and when Google recommends step-up authentication for a transaction:
Step-up can be skipped only when both cardHolderAuthenticated and accountVerified return true.
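The rule above, as an added example that is not part of the original post or of Google Pay's own code: a small decision helper that fails closed on assuranceDetails and carries the cryptogram and eciIndicator forward for CRYPTOGRAM_3DS. It assumes the token has already been decrypted into a paymentMethodDetails object; the authMethod field name and the sample objects are assumptions constructed for illustration.

```javascript
// Added example (not Google Pay's own code): decide whether a decrypted
// Google Pay token should go through step-up (e.g. 3D Secure) before
// authorization, following the rule that step-up is skipped only when both
// assuranceDetails flags are true. Assumes the token has already been
// decrypted into a paymentMethodDetails object; the field name authMethod
// and the sample objects below are assumptions constructed for illustration.

function needsStepUp(paymentMethodDetails) {
  const assurance = (paymentMethodDetails && paymentMethodDetails.assuranceDetails) || {};
  // Fail closed: a missing object or any flag that is not strictly true
  // means the transaction is routed to step-up.
  const holderAuthenticated = assurance.cardHolderAuthenticated === true;
  const accountVerified = assurance.accountVerified === true;
  return !(holderAuthenticated && accountVerified);
}

function buildAuthorizationRequest(paymentMethodDetails) {
  const request = {
    authMethod: paymentMethodDetails.authMethod,
    stepUpRequired: needsStepUp(paymentMethodDetails),
  };
  if (paymentMethodDetails.authMethod === 'CRYPTOGRAM_3DS') {
    // Forward the cryptogram, and the eciIndicator when the network
    // supplied one, so the authorization keeps its authenticated status.
    request.cryptogram = paymentMethodDetails.cryptogram;
    if (paymentMethodDetails.eciIndicator !== undefined) {
      request.eciIndicator = paymentMethodDetails.eciIndicator;
    }
  }
  return request;
}

// Constructed samples: a card added to Google Wallet (first scenario) and a
// Chrome Autofill card returned as PAN_ONLY (second scenario).
const walletCard = {
  authMethod: 'CRYPTOGRAM_3DS',
  cryptogram: 'EXAMPLE_CRYPTOGRAM',
  eciIndicator: '05',
  assuranceDetails: { accountVerified: true, cardHolderAuthenticated: true },
};
const autofillCard = {
  authMethod: 'PAN_ONLY',
  assuranceDetails: { accountVerified: true, cardHolderAuthenticated: false },
};

console.log(buildAuthorizationRequest(walletCard));   // stepUpRequired: false
console.log(buildAuthorizationRequest(autofillCard)); // stepUpRequired: true
```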
Next steps
If you are not using assuranceDetails yet, consider doing so now and make sure to step-up transactions if needed. Also, make sure to check out our guide on Strong Customer Authentication (SCA) if you are processing payments within the European Economic Area (EEA). Follow @GooglePayDevs on Twitter for future updates. If you have questions, mention @GooglePayDevs and include #AskGooglePayDevs in your tweets.