Merchant Decryption Method

Document created by gjsissons on Aug 2, 2016. Last modified by gjsissons on Aug 2, 2016.
Version 4

Using this process, the responsibility for the decryption of the encrypted payload from Android Pay falls to you. The steps that follow, along with Figure 2, illustrate the high-level flow of messages associated with an Android Pay purchase when you perform the decryption of the encrypted payload.


NOTE: This process assumes you have integrated with Google using the method that returns the encrypted payload from Google following the Full Wallet



1. When the consumer clicks the Android Pay button in your application, the action triggers a MaskedWalletRequest to Google. The information returned by Google in the MaskedWallet object may include a masked card number (last four digits exposed) and shipping information. The consumer has the option of changing this information. If any information changes, Android Pay returns an updated MaskedWallet object.


2. Upon confirmation of the order by the consumer, your application initiates a FullWalletRequest to Google. Google also returns the encrypted payload. The encrypted payload is a UTF-8 encoded, serialized JSON dictionary with the following keys:

  • encryptedMessage (string base64) - an encrypted message containing the payment credentials
  • ephemeralPublicKey (string base64) - the ephemeral public key associated with the private key used to encrypt the message
  • tag (string base64) - MAC of encryptedMessage


3. Your application sends the encrypted payload along with the transaction information to your server.


4. Your server decrypts the encrypted payload, extracting the payment credentials, which are a UTF-8 encoded, serialized JSON dictionary with the following keys:

  • dpan (string (digits only)) - the device-specific personal account number (i.e., device token)
  • expirationMonth (number) - the expiration month of the dpan (1 = January, 2 = February, etc.)
  • expirationYear (number) - the four-digit expiration year of the dpan (e.g., 2015)
  • authMethod (string) - the constant 3DS (may change in future releases)
  • 3dsCryptogram (string) - the 3DSecure cryptogram
  • 3dsEciIndicator ((optional) string) - ECI indicator per 3DSecure specification


Example of Decrypted Credentials in JSON


     {
       "dpan": "4444444444444444",
       "expirationMonth": 10,
       "expirationYear": 2015,
       "authMethod": "3DS",
       "3dsCryptogram": "AAAAAA...",
       "3dsEciIndicator": "eci indicator"
     }


After decryption, submit the Authorization/Sale transaction to Vantiv, setting the orderSource element to androidpay and populating the following LitleXML elements with the decrypted information:

  • number - dpan value
  • expDate - MMYY derived from the expirationMonth and expirationYear values
  • authenticationValue - the 3dsCryptogram value


5. Vantiv processes your transaction normally and returns the results in the response message.
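
An added example (not Vantiv's or Google's code) of the hand-off in step 4: it validates the decrypted credentials and maps them to the element values listed above, deriving expDate as MMYY. The function names, the strict authMethod check and the sample values are assumptions; decryption itself and the LitleXML nesting are not shown on this page and are left out.

```python
import json
import re

REQUIRED = ("dpan", "expirationMonth", "expirationYear", "authMethod", "3dsCryptogram")


def mask_dpan(dpan):
    """Log-safe form of the dpan: only the last four digits stay visible."""
    return "*" * (len(dpan) - 4) + dpan[-4:]


def to_litle_fields(decrypted_json):
    """Validate decrypted credentials; error messages never echo their values."""
    try:
        cred = json.loads(decrypted_json)
    except json.JSONDecodeError:
        raise ValueError("decrypted payload is not valid JSON") from None
    if not isinstance(cred, dict) or any(k not in cred for k in REQUIRED):
        raise ValueError("missing required credential keys")
    dpan = cred["dpan"]
    if not isinstance(dpan, str) or not re.fullmatch(r"[0-9]+", dpan):
        raise ValueError("dpan must be a string of digits")
    month, year = cred["expirationMonth"], cred["expirationYear"]
    # type() rather than isinstance(): bool is an int subclass in Python.
    if type(month) is not int or not 1 <= month <= 12:
        raise ValueError("expirationMonth must be 1-12")
    if type(year) is not int or not 1000 <= year <= 9999:
        raise ValueError("expirationYear must be four digits")
    # Assumption: fail closed on any authMethod other than the documented constant.
    if cred["authMethod"] != "3DS":
        raise ValueError("unexpected authMethod")
    cryptogram = cred["3dsCryptogram"]
    if not isinstance(cryptogram, str) or not cryptogram:
        raise ValueError("3dsCryptogram must be a non-empty string")
    return {
        "orderSource": "androidpay",
        "number": dpan,
        "expDate": f"{month:02d}{year % 100:02d}",  # MMYY
        "authenticationValue": cryptogram,
    }


# Constructed sample with the same keys as the example on this page.
SAMPLE = ('{"dpan": "4444444444444444", "expirationMonth": 10, "expirationYear": 2015,'
          ' "authMethod": "3DS", "3dsCryptogram": "AAAAAA", "3dsEciIndicator": "05"}')

if __name__ == "__main__":
    fields = to_litle_fields(SAMPLE)
    print(mask_dpan(fields["number"]), fields["expDate"])
```

Keeping the unmasked dpan and the cryptogram out of logs and error messages is the reason validation failures here name the field but never its value.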


FIGURE 2 High Level Message Flow for Android Pay using Merchant Decryption








