
I am working on building our server system to allow users to buy the product through Google Pay.

In our use case, our users will make a payment request (PaymentDataRequest object) to the Google Pay server from the mobile app to get the payment token (PaymentMethodTokenizationData object in the response); the mobile app will send it to our backend server, and our server will forward this token to the payment gateway for further payment processing.

API Reference: https://developers.google.com/pay/api/web/reference/object#PaymentMethodTokenizationData

Tokenization type is set to PAYMENT_GATEWAY

However, we have some security concerns about transmitting the PaymentMethodTokenizationData in our server system.

Since I cannot find any explanation about these questions in the official Google Pay API document, could someone please help me to clarify the following questions?

(1) Does the Google payment token (PaymentMethodTokenizationData object) represent 'one tokenized credit card' or 'one-time transaction info'?

(2) Can the same payment token be reused to purchase the product multiple times without requesting a new token?

(3) Is this payment token restricted to be used only for one specific transaction id? For example, if the token is leaked, is it possible that someone can use it to make another purchase?

(4) Can this payment token only be used by the payment gateway to collect money? In other words, except for the payment gateway, no one can extract any payment information (credit number, transaction info...) from the token, so we don't need any further secure mechanism to transmit this token on the network.

Thanks


1 Answer


Apologies if this did not come across clearly reading the docs. You can learn more about these details in the API explanation video, or the payment data cryptography section in the docs. If you think there are more obvious areas where this information should be included, we'd love to hear your thoughts.

To your questions:

  1. A PaymentMethodTokenizationData payload contains information about the payment method selected by the user to complete the transaction (e.g. a card).
  2. As specified under the terms of service, the information returned by these APIs can only be used to fulfill the one transaction initiated by the user.
  3. (and 4) The payload obtained from Google Pay is not usable outside the domains of your payment processor. Before leaving the Google servers, the payload is encrypted asymmetrically, with a key pair of which only your processor holds the private key necessary to decrypt the contents of the message (or your own servers, if your business processes payments). Hence, if the encrypted payload is leaked, it is nothing but a random sequence of characters with no specific application.
  4. There is no additional security mechanism needed other than making sure you relay the encrypted payload to the servers / systems processing the payment and delete / clear any data returned by these APIs as soon as the transaction is completed.

Hope it helps.
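As an added example (not code from the question or the answer), a backend relay handler in Python that follows the answer's advice: check the object's shape, treat the token as an opaque string that is never decoded or logged, and clear it once the gateway has answered. The gateway request field names, the fingerprint helper and the sample token value are assumptions.

```python
import hashlib
import logging
from typing import Any, Callable, Dict

log = logging.getLogger("payments")
EXPECTED_TYPE = "PAYMENT_GATEWAY"  # tokenization type the question's client uses

class TokenizationError(ValueError):
    """Client-supplied PaymentMethodTokenizationData is malformed."""

def validate_tokenization_data(data: Dict[str, Any]) -> str:
    """Structural checks only: the token stays an opaque string, never decoded."""
    if data.get("type") != EXPECTED_TYPE:
        raise TokenizationError("unexpected tokenization type")
    token = data.get("token")
    if not isinstance(token, str) or not token.strip():
        raise TokenizationError("missing or empty token")
    return token

def token_fingerprint(token: str) -> str:
    """Non-reversible reference for logs (assumed helper); the raw token is never logged."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:16]

def build_gateway_request(order_id: str, amount_cents: int, currency: str,
                          data: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble the relay message; the gateway field names are assumptions."""
    token = validate_tokenization_data(data)
    log.info("relaying Google Pay token for order %s (fp=%s)",
             order_id, token_fingerprint(token))
    return {"order_id": order_id, "amount": amount_cents,
            "currency": currency, "google_pay_token": token}

def process_payment(order_id: str, amount_cents: int, currency: str,
                    data: Dict[str, Any],
                    send_to_gateway: Callable[[Dict[str, Any]], Dict[str, Any]]) -> Dict[str, Any]:
    """Relay the payload once, then drop it from every structure we still hold."""
    request = build_gateway_request(order_id, amount_cents, currency, data)
    try:
        return send_to_gateway(request)
    finally:
        # Clear API data as soon as the transaction completes (answer, point 4).
        request.pop("google_pay_token", None)
        data.pop("token", None)

# Constructed sample shaped like PaymentMethodTokenizationData; the token value is a placeholder.
SAMPLE_TOKENIZATION_DATA = {"type": "PAYMENT_GATEWAY",
                            "token": "<opaque-encrypted-payload-from-google>"}
```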