Google & Samsung Pay in-app ID&V

In this flow, Google Pay launches the issuer application for step-up authentication.

Step 1: Choose in-app ID&V. The End User selects Sign in to the bank app.
Step 2: Authenticate. The End User signs in to the issuer application.
Step 3: Confirm the card. Show the last four digits of the PAN. The End User confirms activation.
Step 4: Return to Google Pay. Show success and redirect back.

Configure your payment network TSP

For the full guidance from Google, refer to Google Pay's TSP Settings.

Provide these parameters to your payment network TSP. Google Pay reads them during Tokenization and uses them to call your issuer application.

Package name (applicationId). Identifies the issuer application that Google Pay calls. If the app is not installed, the End User is prompted to install it from Google Play.
Action (fully qualified). Used by Google Pay to create an explicit Android Intent. Keep it specific to token activation.
Extra text. Base64-encoded data passed in EXTRA_TEXT. It is typically JSON and treated as opaque by Google Pay.

Implement the issuer application handler

When an End User selects app-to-app ID&V, your issuer application must:

Receive the Intent

The issuer application is called using the package name, action, and EXTRA_TEXT provided through the payment network TSP.

Authenticate the End User

Perform your standard authentication inside the issuer application.

Activate the digital card

Decode EXTRA_TEXT to identify and activate the digital card.

Return to Google Wallet

Call activity.setResult(RESULT_OK, ...) to return the result to Google Wallet.

Receiving the Intent

To receive the Intent from Google Pay, update the Android manifest file and create an activity context to activate the token.

Example manifest entry:

<activity android:name=".CardActivationActivity">
    <!-- This activity handles App To App ACTIVATE_CARD action -->
    <intent-filter>
        <action android:name="com.example.mybank.action.ACTIVATE_CARD"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>

Validate requests from Google Pay

After receiving the Intent, the issuer application must use the Activity.getCallingPackage() API to validate that the request is coming from Google Pay:

// Validate caller is Google Pay (Google Play Services)
if ("com.google.android.gms".equals(getCallingPackage())) {
    // Proceed with activation
} else {
    // Abort operation: handle error
}

Identify the digital card

When Google Pay triggers the issuer application, it provides a Base64 string called EXTRA_TEXT, as described in Google Pay’s TSP Settings.

The issuer application must decode this Base64 string to retrieve the details of the digital card to activate. The format depends on the payment network.

Below are example JSON objects encapsulated in EXTRA_TEXT for Visa and Mastercard.

These sample JSON objects are provided as-is. You are responsible for using the latest payment network specifications. Thales is not responsible for any changes that payment networks might make to these JSON objects.

Visa example:

{
  "panReferenceID":"V-3815023863409817870482",
  "tokenRequestorID":"42301999123",
  "tokenReferenceID":"DNITHE381502386342002358",
  "panLast4":"1234",
  "deviceID":"DEiOiJBMjU2R_0NNS1-ciLCJiI",
  "walletAccountID":"AiOiJBMjU-2_R0NNS1ciLCJiI6"
}

Mastercard example:

{
  "paymentAppProviderId": "123456789",
  "paymentAppInstanceId": "123456789",
  "tokenUniqueReference": "DWSPMC000000000fcb2f4136b2f4136a0532d2f4136a0532",
  "accountPanSuffix": "6789",
  "accountExpiry": "1018"
}

The tokenReferenceID and tokenUniqueReference correspond to the digitalCardId in D1 and to virtualCardId on TSH.

You can use them to activate the digital card.

The panLast4 and accountPanSuffix are the last four digits of the PAN that was tokenized.

Use them to retrieve and display the card art to the End User during authentication.

PreviousApple Pay in-app ID&V NextIntegrate batch files

Last updated 4 months ago

Was this helpful?