Google & Samsung Pay in-app ID&V
In this flow, Google Pay launches the issuer application for step-up authentication.
Step 1: Choose in-app ID&V. The End User selects Sign in to the bank app.
Step 2: Authenticate. The End User signs in to the issuer application.
Step 3: Confirm the card. Show the last four digits of the PAN. The End User confirms activation.
Step 4: Return to Google Pay. Show success and redirect back.
Configure your payment network TSP
For the full guidance from Google, refer to Google Pay's TSP Settings.
Provide these parameters to your payment network TSP. Google Pay reads them during Tokenization and uses them to call your issuer application.
Package name (applicationId). Identifies the issuer application that Google Pay calls. If the app is not installed, the End User is prompted to install it from Google Play.
Action (fully qualified). Used by Google Pay to create an explicit Android
Intent. Keep it specific to token activation.Extra text. Base64-encoded data passed in
EXTRA_TEXT. It is typically JSON and treated as opaque by Google Pay.
Implement the issuer application handler
When an End User selects app-to-app ID&V, your issuer application must:
Receive the Intent
The issuer application is called using the package name, action, and EXTRA_TEXT provided through the payment network TSP.
Authenticate the End User
Perform your standard authentication inside the issuer application.
Activate the digital card
Decode EXTRA_TEXT to identify and activate the digital card.
Return to Google Wallet
Call activity.setResult(RESULT_OK, ...) to return the result to Google Wallet.
Receiving the Intent
To receive the Intent from Google Pay, update the Android manifest file and create an activity context to activate the token.
Example manifest entry:
Validate requests from Google Pay
After receiving the Intent, the issuer application must use the Activity.getCallingPackage() API to validate that the request is coming from Google Pay:
Identify the digital card
When Google Pay triggers the issuer application, it provides a Base64 string called EXTRA_TEXT, as described in Google Pay’s TSP Settings.
The issuer application must decode this Base64 string to retrieve the details of the digital card to activate. The format depends on the payment network.
Below are example JSON objects encapsulated in EXTRA_TEXT for Visa and Mastercard.
These sample JSON objects are provided as-is. You are responsible for using the latest payment network specifications. Thales is not responsible for any changes that payment networks might make to these JSON objects.
Visa example:
Mastercard example:
The tokenReferenceID and tokenUniqueReference correspond to the digitalCardId in D1 and to virtualCardId on TSH.
You can use them to activate the digital card.
The panLast4 and accountPanSuffix are the last four digits of the PAN that was tokenized.
Use them to retrieve and display the card art to the End User during authentication.
Last updated
Was this helpful?