Payment-method icon

Decrypt Google Pay tokens if you are PCI-compliant

Learn how to decrypt Google Pay tokens.

A Google Pay token contains encrypted card details that a shopper has stored in their Google Pay wallet. Google Pay tokens let you securely pass the data of your shoppers to a payment service provider, like Adyen, to process payments.

If you are PCI-compliant you can handle the token decryption and pass raw card details to Adyen.

A benefit of handling the decryption is that auditing transactions is easier when you have more information, such as the shopper name. See Google's documentation for the full list of details in a decrypted token.

Only handle the token decryption on your own in advanced setup scenarios, like when you have to submit Merchant Plug-In (MPI) data in a Google Pay request.

Handle the decryption

Requirements

To decrypt Google Pay tokens on your own, you must:

  • Have a Google Pay merchant ID.
  • Be PCI-compliant to handle unencrypted card details.
  • Have an API-only integration.

Decryption process

To decrypt Google Pay tokens, follow the steps outlined on the Google developer portal.

Overview:

  1. Fetch the Google root signing keys.
  2. Verify that the signature of the intermediate signing key is valid by any of the root signing keys that is not expired.
  3. Verify that the intermediate signing key of the payload is not expired.
  4. Verify that the signature of the payload is valid by the intermediate signing key.
  5. Decrypt the contents of the payload after you verify the signature.
  6. Verify that the message isn't expired. This requires you to check that the current time is earlier than the messageExpiration field in the decrypted contents.
  7. Use the payment method details you just decrypted to make the payment.

Depending on whether the card is stored as FPAN or DPAN, you get the following output:

API reference

The parameters listed in this section are specific to using decrypted Google Pay tokens. For descriptions of other parameters go to /payments.

The parameters you must send in the request are different for cards stored as FPAN and cards stored as DPAN.

FPAN payments may trigger 3D Secure 2, which requires additional fields. You can handle 3D Secure 2 for FPAN in a similar way to other scheme payment methods described here.