Google Pay Payment Integration With Using Direct T

Published 2020-05-04 13:51

Question:

My app sells one thing, and the payment method is Google Pay. There are two types of tokenization method in Google Pay. I referred to the Google Pay documentation, but it is very difficult to understand.

There is the Direct Tokenization method.

1) How do I integrate Direct Tokenization?

2) What is PCI DSS compliance?

3) What is a public key, and how does the encryption and decryption process work?

Answer 1:

For context, there are two ways to integrate with Google Pay:

  1. Through a supported Payment Service Provider (PSP) - recommended, and
  2. Through DIRECT integration - not recommended

The PSP method is recommended because the partner PSPs are responsible for managing the user's payment credentials and are on the hook for PCI and DSS compliance.

With the DIRECT integration method, you have to take on the PCI compliance obligations and need to provide evidence to Google that you are PCI compliant:

If completing a DIRECT tokenizationSpecification type integration, you must annually rotate your public encryption key through the Google Pay Developer Profile and provide PCI Attestation to Google. PCI Attestation can be submitted by a third-party or Qualified Security Assessor certified by the PCI Security Standards Council, and approved by an Approved Vendor or Qualified Assessor.


Back to the actual questions:

With DIRECT integration, Google Pay will encrypt the user's payment details using the public key that you provide in the Google Pay developer console (must be signed up as a merchant to access this page) and the payment request. You would then take the encrypted payload and decrypt it using your private key.

Information on how to manage encryption and decryption can be found here: https://developers.google.com/pay/api/android/guides/resources/payment-data-cryptography#using-openssl

Important bits:

# generate private key
openssl ecparam -name prime256v1 -genkey -noout -out key.pem

# generate a base64-encoded public key
openssl ec -in key.pem -pubout -text -noout 2> /dev/null | grep "pub:" -A5 | sed 1d | xxd -r -p | base64 | paste -sd "\0" -

A good source for PCI compliance related information can be found here: https://www.pcicomplianceguide.org/faq/

FYI, I've provided a similar answer with a bit more detail on the overall process here: Where is Google pay Developer account and how to generate public key to upload in it?
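The answer above generates the P-256 key pair with openssl and then parses the `-text` output to get the base64 public key. The following shell script is an added example (not part of the answer or of Google's documentation) that does the same key generation, derives the base64 public key from the DER export instead of parsing text, and adds a sanity check a merchant would want before uploading the value to the Google Pay developer profile: the decoded key must be exactly 65 bytes and start with 0x04, i.e. an uncompressed SEC1 point. The key file path is an assumed placeholder; the private key produced here is the one the merchant server decrypts with, so it stays on the server and never ships in the app.

```shell
#!/bin/sh
# Added example: P-256 key pair generation and public-key export for a
# Google Pay DIRECT integration, with a pre-upload format check.
# Requires openssl; the key path passed in is an assumed placeholder.
set -eu

gen_key() {
  # $1 = output path for the private key (PEM), e.g. key.pem.
  # Same curve as the answer above: prime256v1 (NIST P-256).
  openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

pubkey_b64() {
  # $1 = private key PEM. Export the public key as DER (SubjectPublicKeyInfo).
  # For P-256 the last 65 bytes of that structure are the uncompressed point
  # 04 || X || Y, which is exactly the value the base64 upload must contain.
  openssl ec -in "$1" -pubout -outform DER 2>/dev/null \
    | tail -c 65 \
    | openssl base64 -A
}

check_pubkey_b64() {
  # $1 = base64 public key. Returns 0 if it decodes to 65 bytes whose first
  # byte is 0x04 (uncompressed SEC1 point), 1 otherwise. Catches the usual
  # mistakes: uploading the PEM/DER wrapper, a compressed point, or a
  # truncated copy-paste.
  raw=$(printf '%s' "$1" | openssl base64 -d -A | od -An -tx1 -v | tr -d ' \n')
  if [ "${#raw}" -eq 130 ]; then
    case $raw in
      04*) return 0 ;;
    esac
  fi
  return 1
}

# Usage (run directly): generate a key in a temp dir, print the upload value,
# and fail loudly if it does not have the expected shape.
if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d)
  gen_key "$dir/key.pem"
  pub=$(pubkey_b64 "$dir/key.pem")
  if check_pubkey_b64 "$pub"; then
    echo "public key for upload: $pub"
  else
    echo "public key has unexpected format" >&2
    exit 1
  fi
fi
```

Invoke as `sh keygen.sh run`. Because the answer notes that the public key must be rotated annually, keeping generation and the format check in one script makes each rotation repeatable: generate a new key, verify it, upload the base64 value, and only then retire the old private key on the server once payloads encrypted to the old key have stopped arriving.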