Google Pay and 3DS
Understand Google Pay’s protection for safer transactions

Google Pay authenticates payments using methods designed to enhance security and simplify the checkout experience. These authentication approaches directly impact transaction security, user experience, and risk management.

There are two card authentication methods for Google Pay:

  • PAN_ONLY
    The possibility to pay in a few clicks or taps without entering payment details or carrying physical cards decreases friction at the checkout and leads to increased sales. These transactions are typically authorized on a PC or laptop using a one-time password (OTP).
  • CRYPTOGRAM_3DS
    This authentication method is associated with cards stored as Android device tokens. Returned payment data includes a 3D Secure (3DS) cryptogram generated on the device. The token is specific to the device on which it was created.

Solidgate forces all Google Pay transactions using the PAN_ONLY data type to 3D Secure. There is no need to send additional parameters. Applying 3D Secure enables liability shift and minimizes payment risks for PAN_ONLY transactions. The payment processing flow is the following:

  1. The customer clicks on the Google Pay payment button and selects a payment method.
  2. The merchant initiates a payment using either the API of one of Solidgate's checkout solutions or a Google Pay API request.
  3. Google Pay securely returns a payment token for that method to the app or website.
  4. Solidgate defaults to the 3D Secure flow and forwards a verify_url embedded with the ACS URL to the merchant.
  5. To proceed with the 3D Secure verification procedure, the customer is redirected to the issuer's page at verify_url, which can be received from the following methods:
  6. After the customer completes the authentication, the merchant receives the corresponding status of the payment, and the customer is returned to the payment status page.

Note that Google Pay transactions may not have 3D Secure authentication due to the specifics of the CRYPTOGRAM_3DS authentication method.

PAN_ONLY transactions can always be processed via the 3D Secure flow, where the force3d parameter has the value true, while CRYPTOGRAM_3DS transactions can only be processed via the non-3D Secure flow. The latter is limited to Android devices using the Google Chrome browser; all other devices and browsers use the PAN_ONLY authentication method.

This distinction exists because PAN_ONLY transactions involve authorization on a PC or laptop using OTP, while CRYPTOGRAM_3DS transactions tie the token to the specific device where the transaction occurred, ensuring a higher level of security and including a liability shift by default.
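
The routing rule described above, as an added example that is not Solidgate's code: it assumes a backend that can see Google Pay's decrypted payment token and chooses the flow from its authMethod field, failing closed on expired or malformed payloads. The function name, result shape and sample payloads are hypothetical and constructed for illustration.

```javascript
// Added example. routeGooglePayPayment and its result shape are hypothetical;
// authMethod, cryptogram, eciIndicator and messageExpiration are fields of
// Google Pay's decrypted payment token.
function routeGooglePayPayment(decrypted, nowMs = Date.now()) {
  // messageExpiration is UTC milliseconds as a string; reject stale tokens.
  const expires = Number(decrypted.messageExpiration);
  if (!Number.isFinite(expires) || expires <= nowMs) {
    return { ok: false, reason: "token_expired_or_invalid" };
  }
  const details = decrypted.paymentMethodDetails || {};
  switch (details.authMethod) {
    case "PAN_ONLY":
      // No device-bound cryptogram: send through the 3D Secure flow.
      return { ok: true, flow: "3ds", force3d: true };
    case "CRYPTOGRAM_3DS":
      // Device token: a missing cryptogram means the payload is malformed.
      if (typeof details.cryptogram !== "string" || details.cryptogram === "") {
        return { ok: false, reason: "missing_cryptogram" };
      }
      return { ok: true, flow: "non_3ds", force3d: false,
               eci: details.eciIndicator ?? null };
    default:
      // Unknown or absent authMethod: fail closed, never charge without a decision.
      return { ok: false, reason: "unknown_auth_method" };
  }
}

// Constructed sample payloads (test PAN, placeholder cryptogram).
const SAMPLE_NOW = 1700000000000;
const samplePanOnly = {
  messageExpiration: "1700000600000",
  paymentMethod: "CARD",
  paymentMethodDetails: { authMethod: "PAN_ONLY", pan: "4111111111111111",
                          expirationMonth: 12, expirationYear: 2030 },
};
const sampleDeviceToken = {
  messageExpiration: "1700000600000",
  paymentMethod: "CARD",
  paymentMethodDetails: { authMethod: "CRYPTOGRAM_3DS", pan: "4111111111111111",
                          expirationMonth: 12, expirationYear: 2030,
                          cryptogram: "CONSTRUCTED-CRYPTOGRAM", eciIndicator: "05" },
};

console.log(routeGooglePayPayment(samplePanOnly, SAMPLE_NOW));
console.log(routeGooglePayPayment(sampleDeviceToken, SAMPLE_NOW));
```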

