Google Pay Integration
1. Getting Started
Merchant Decryption & PCI DSS Level 1
Merchants choosing to decrypt the payload locally must adhere to Google’s requirements. Merchant servers must be Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 compliant and meet standards for handling card data in a secure manner. The solution will require registration with Google to obtain keys for decryption.
The Moneris API offers two integration methods for Google Pay wallets. Both methods involve use of the Google Pay Framework to build a button for customers paying with Google Pay:
In-Application (In-App) solutions allow merchants to build mobile apps with embedded Google Pay payment options for their customers on smartphones or tablets. In the background, the application sends encrypted payment data to the merchant server to complete transactions with the Moneris API.
On The Web solutions allow merchants to offer Google Pay payment options to customers within a web browser. The merchant’s website will route the encrypted payment data to the merchant server to complete transactions with the Moneris API.
Merchants can implement both In-App and On The Web solutions for Google Pay. These integrations share steps between them.
In addition, merchants must decide on whether to have Moneris handle decryption of the Google Pay wallet or decrypt it locally on their own merchant server:
Google Pay Encrypted allows merchants to send their Google Pay encrypted payload to the Moneris API. Moneris decrypts on your behalf to store the payment method for you.
Google Pay Decrypted involves merchants decrypting the Google Pay payload themselves and submitting the card data to the Moneris API directly.
2. Building a Google Pay Integration for Mobile Applications (In-App only)
Before moving on...
At the end of either Google Pay integration step, you should have generated a successful PaymentData response from Google Pay containing a UTF-8 encoded, serialized JSON object inside the token string of the PaymentMethodTokenizationData object. You can obtain the protocolVersion, signature, and signedMessage from that encoded string.
Use DIRECT for Google Pay’s Payment Method Tokenization Data
For either Google Pay decrypted or encrypted flows, you must use the DIRECT type of PaymentMethodTokenizationData. DIRECT generates an encrypted payload in the response PaymentData object consisting of a protocolVersion, signature, and signedMessage used in either flow.
The alternate type PAYMENT_GATEWAY is used for building the payment connection from within Google Pay itself. Currently the Moneris API does not support this feature.
Google provides demo code to make the process of building a mobile application easier.
Go to Google's Google Pay™ quick start page on Github at https://github.com/googlepay/android-quickstart
Git clone the Android-Quickstart library to your computer
Unzip the project library
Open Android Studio and import this project as a gradle project
Sync the gradle
You may also visit Google’s developer site for In-App (Android) at https://developers.google.com/pay/api/android/ and consult their documentation.
You may need this information while building a demo application for the Google Pay In-App SDK.
3. Building a Google Pay Integration for Websites (On The Web only)
Use the Web Merchant Key that corresponds to whichever stage of development you are in (testing vs. production). If you do not have a production account yet but want to continue with development, you will need to return to this step later when moving to the production environment.
Google provides demo code to make the process of building a demo checkout page easier.
Go to Google's developer tutorial page for Google Pay Web at https://developers.google.com/pay/api/web/guides/tutorial
Copy the code shown under the subheading "Put it all together" and paste it into your code editor
In addition, you will need a Web Merchant Key. You can find your Google Pay™ Web Merchant Key in the Moneris Merchant Resource Center under Admin > Google Pay at:
Testing: https://esqa.moneris.com/mpg
Production: https://www3.moneris.com/mpg
4. Creating Payment Method
Finally, the merchant can store the Google Pay wallet as a payment method via a POST Create Payment Method with the /payment-methods endpoint and the Wallet schema.
When sending Moneris the encrypted payload, use the Google Pay Encrypted schema and include the following:
network is set to match Google’s cardNetwork
protocolVersion, signature, and signedMessage map to Google Pay’s protocolVersion, signature, and signedMessage
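The server-side mapping for the Google Pay Encrypted flow, as an added example that is not Moneris or Google code. It parses the token string from a PaymentData response, refuses anything other than DIRECT, and returns the four fields named above; the function name, the flat result object and the sample values are assumptions, so check the Wallet schema for where these fields sit in the request body.

```javascript
// Added example. Function and constant names are hypothetical; only the field
// names quoted on this page are used for the result.
const TOKEN_FIELDS = ['protocolVersion', 'signature', 'signedMessage'];

function buildEncryptedWalletFields(paymentData) {
  const pmd = paymentData && paymentData.paymentMethodData;
  const tok = pmd && pmd.tokenizationData;
  if (!tok) throw new Error('PaymentData has no tokenizationData');
  // PAYMENT_GATEWAY tokens are not supported by the Moneris API.
  if (tok.type !== 'DIRECT') throw new Error(`unsupported tokenization type: ${tok.type}`);

  let token;
  try {
    token = JSON.parse(tok.token); // token is serialized JSON, not an object
  } catch (e) {
    throw new Error('token is not valid JSON');
  }
  if (token === null || typeof token !== 'object') throw new Error('token is not a JSON object');
  for (const field of TOKEN_FIELDS) {
    if (typeof token[field] !== 'string' || token[field] === '') {
      throw new Error(`token is missing ${field}`);
    }
  }
  const network = pmd.info && pmd.info.cardNetwork;
  if (typeof network !== 'string' || network === '') throw new Error('missing cardNetwork');

  // signedMessage is forwarded as the exact string received: the signature is
  // computed over it, so re-serializing it would break verification.
  return {
    network,
    protocolVersion: token.protocolVersion,
    signature: token.signature,
    signedMessage: token.signedMessage,
  };
}

// Constructed sample PaymentData; the cryptographic values are placeholders.
const SAMPLE_PAYMENT_DATA = {
  paymentMethodData: {
    type: 'CARD',
    info: { cardNetwork: 'VISA', cardDetails: '1111' },
    tokenizationData: {
      type: 'DIRECT',
      token: JSON.stringify({
        protocolVersion: 'ECv2',
        signature: 'PLACEHOLDER_SIGNATURE',
        signedMessage: '{"encryptedMessage":"PLACEHOLDER","ephemeralPublicKey":"PLACEHOLDER","tag":"PLACEHOLDER"}',
      }),
    },
  },
};
console.log(buildEncryptedWalletFields(SAMPLE_PAYMENT_DATA));
```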
When decrypting the payload locally, use the Google Pay Decrypted schema and include the following:
walletSource is set to match whether your decrypted card data revealed a funding PAN (FPAN) or device PAN (DPAN):
Google’s authMethod = “PAN_ONLY” indicates a FPAN. You should set the walletSource to “CARD”
Google’s paymentMethod = “TOKENIZED_CARD” indicates a DPAN. You should set the walletSource to “TOKENIZED_CARD”
cardDetails object contains the payment data from Google’s paymentMethodDetails.
For the eciIndicator, merchants are mandated to pass-through any ECI they receive from the wallet decryption. However, if you later perform 3DS using the paymentMethodID received at this step, you may upgrade the ECI on subsequent financial transactions with the ECI received from 3DS authentication.
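The walletSource and ECI rules above as an added example, not Moneris or Google code. It also rejects a message whose messageExpiration (a Google field this page does not mention) has passed, and refuses payloads that match neither or both of the two rules; the function name, the location of eciIndicator under paymentMethodDetails and the sample messages are assumptions, and card fields are left out of the samples.

```javascript
// Added example. Function names are hypothetical; msg is the JSON object you
// obtain after decrypting signedMessage locally.
function mapDecryptedMessage(msg, nowMs = Date.now()) {
  if (!msg || typeof msg !== 'object') throw new Error('no decrypted message');
  const details = msg.paymentMethodDetails;
  if (!details || typeof details !== 'object') throw new Error('no paymentMethodDetails');

  // Google's messageExpiration is a string of milliseconds since the epoch.
  // A missing or unparsable value is treated as expired.
  const expiresAt = Number(msg.messageExpiration);
  if (!Number.isFinite(expiresAt) || nowMs >= expiresAt) {
    throw new Error('message expired or has no messageExpiration');
  }

  // Classification rules exactly as stated on this page.
  const isFpan = details.authMethod === 'PAN_ONLY';
  const isDpan = msg.paymentMethod === 'TOKENIZED_CARD';
  if (isFpan === isDpan) throw new Error('cannot classify payload as FPAN or DPAN');

  const fields = { walletSource: isFpan ? 'CARD' : 'TOKENIZED_CARD' };
  // Pass the ECI through unchanged when the wallet supplied one; never invent it.
  if (typeof details.eciIndicator === 'string' && details.eciIndicator !== '') {
    fields.eciIndicator = details.eciIndicator;
  }
  return fields;
}

// Constructed sample messages (card number, expiry and cryptogram omitted).
const NOW = 1700000000000;
const SAMPLE_DPAN = {
  messageExpiration: String(NOW + 60000),
  paymentMethod: 'TOKENIZED_CARD',
  paymentMethodDetails: { eciIndicator: '05' },
};
const SAMPLE_FPAN = {
  messageExpiration: String(NOW + 60000),
  paymentMethod: 'CARD',
  paymentMethodDetails: { authMethod: 'PAN_ONLY' },
};
console.log(mapDecryptedMessage(SAMPLE_DPAN, NOW), mapDecryptedMessage(SAMPLE_FPAN, NOW));
```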
Storing Payment Methods: On The Fly or Separate API Call?
You can use the Moneris API to create a stored payment method (POST Create Payment Method) or supply the payment details “on the fly” in a POST Create Payment via the paymentMethod object. In both cases, Moneris returns a paymentMethodID safe for you to keep within your systems. When creating a Payment Method via its own endpoint, you must use it within 15 minutes in a successful Payment or Validation to store the card data permanently; otherwise, it is deleted. When storing Payment Methods on the fly in a successful transaction.
Requesting Production Access from Google
Once you have completed testing your Google Pay™ integration, you must request production access from Google. Google will evaluate your integration against their integration checklist. Both the integration checklist and the production access request are found on Google's developer site at:
Additional Information
Learn more with the API Definitions
Peruse the endpoints, request/response formats, and authentication methods covered in this scenario.