Google Pay™ Integration

Last updated: February 25, 2026 · Google Pay™ API for Web · Payment Method Token (ECv2)

Executive Summary

Merchants use Google Pay JavaScript to obtain an encrypted payment token (tokenizationData.token).
The merchant forwards the raw token string to RapidCents via our server-to-server API.
RapidCents decrypts and validates the token server-side (Java Tink), applies risk controls (including risk-based 3DS step-up), and submits the transaction to Visa, Mastercard, Discover, Amex.

What Google Reviews (at a Glance)

This documentation covers the items typically reviewed in the Google Pay go-live checklist:

Tokenization parameters used in tokenizationSpecification (gateway, gatewayMerchantId)
Payment token handling — raw token forwarding, no client re-serialization
Decryption & validation — server-side, using Google Pay ECv2 + Java Tink
Transaction processing path — submission to Visa, Mastercard, Discover, Amex
3D Secure handling — risk-based step-up applied to PAN_ONLY
Environment separation — TEST vs PRODUCTION keys and tooling
Security & compliance — PCI DSS-compliant handling of sensitive payment data

Required Acknowledgement: PAN_ONLY and 3D Secure

✅

RapidCents Inc. confirms that its existing criteria to selectively trigger 3D Secure (step-up authentication) for normal card transactions based on risk are also applied to Google Pay PAN_ONLY transactions.

In practice:

We detect the token's authMethod (CRYPTOGRAM_3DS or PAN_ONLY).
For PAN_ONLY, we apply the same risk-based decisioning used for non-Google Pay card transactions.
When step-up is required, we trigger our standard 3DS flow (where the merchant channel supports it) or return an appropriate decline/soft-decline result if step-up cannot be completed in the current context.

Terminology

Term	Definition
PaymentData	Object returned by Google Pay JS after user authorization
Payment Method Token	Encrypted token in `paymentMethodData.tokenizationData.token`
DPAN	Device PAN (tokenized PAN)
`CRYPTOGRAM_3DS`	Auth method where token includes a 3DS cryptogram / ECI
`PAN_ONLY`	Auth method where token may not include a cryptogram (risk-based 3DS step-up applies)

Decrypted Payload Fields (Server-Side — RapidCents Internal)

⚠️

Merchants do not interact with these fields. The table below describes the fields that RapidCents extracts after decrypting the ECv2 token on the server side. Merchants only forward the raw encrypted token string — RapidCents handles all decryption and field extraction internally.

After decrypting the ECv2 payload, RapidCents processes the following fields to authorize the transaction:

Decrypted Field	Description	Extracted By
`paymentMethodDetails.pan`	Device PAN (DPAN) or Funding PAN	RapidCents server
`paymentMethodDetails.expirationMonth`	Card expiration month	RapidCents server
`paymentMethodDetails.expirationYear`	Card expiration year	RapidCents server
`paymentMethodDetails.authMethod`	`PAN_ONLY` or `CRYPTOGRAM_3DS`	RapidCents server
`paymentMethodDetails.cryptogram`	3DS cryptogram (present when `CRYPTOGRAM_3DS`)	RapidCents server
`paymentMethodDetails.eciIndicator`	ECI value (present when `CRYPTOGRAM_3DS`)	RapidCents server

This information is provided for transparency and completeness. The merchant’s integration does not require knowledge of these fields — simply forward the encrypted token as described in Token Handling.

End-to-End Integration Flow

MerchantBrowser — Google Pay JS

→

Google Pay™Returns ECv2 Token

→

RapidCentsDecrypt & Process

↔

Visa · Mastercard · Discover · Amex

The merchant’s frontend uses the Google Pay JavaScript API (paymentsClient.loadPaymentData()) to present the Google Pay™ payment sheet to the customer.
After the customer authorizes payment, Google Pay returns an encrypted ECv2 token (paymentMethodData.tokenizationData.token) to the merchant’s frontend.
The merchant’s server forwards the raw token string (without parsing or re-serializing) to the RapidCents server-to-server API along with the amount, currency, and order details.
RapidCents verifies the token signature and decrypts the ECv2 payload using Java Tink.
RapidCents applies risk controls. For PAN_ONLY, 3DS step-up logic is triggered if needed.
RapidCents submits the transaction (with DSRP cryptogram if present) to Visa, Mastercard, Discover, Amex.
RapidCents returns the transaction result (approved/declined) back to the merchant.

Encryption / Decryption Responsibilities

🔒

The merchant frontend does not encrypt the token. Google Pay returns an already-encrypted ECv2 token. The merchant must send the token as a raw string without parsing or re-serialization. RapidCents performs signature validation and decryption server-side.

Merchant Integration (Google Pay™ API for Web)

Merchants should implement Google Pay™ Web per Google's official documentation:

Required Google Resources

Google Pay API for Web — Developer Documentation
Payment Data Cryptography
Google Pay Web Brand Guidelines — required for button rendering, logo usage, and brand compliance
Google Pay Web Integration Checklist — complete all items before requesting production access
Publish Your Integration — submit your integration for Google review to obtain production access

Android Integration

If your application also supports Android, you must additionally follow the Android-specific documentation:

Compliance Requirements

⚠️

Mandatory: All merchants integrating Google Pay™ through RapidCents must adhere to the Google Pay API Acceptable Use Policy and accept the Google Pay API Terms of Service before processing live transactions.

By using Google Pay™ through RapidCents, the merchant agrees to:

Use Google Pay™ only for lawful transactions in compliance with all applicable laws and regulations.
Display the Google Pay™ button and branding in accordance with the Google Pay Brand Guidelines.
Not store, log, or transmit decrypted card data outside of PCI DSS-compliant systems.
Complete the Integration Checklist and publish the integration before going live.

PaymentDataRequest Example

JavaScript

const paymentDataRequest = {
  apiVersion: 2,
  apiVersionMinor: 0,
  allowedPaymentMethods: [
    {
      type: "CARD",
      parameters: {
        allowedAuthMethods: ["PAN_ONLY", "CRYPTOGRAM_3DS"],
        allowedCardNetworks: ["VISA", "MASTERCARD", "AMEX", "DISCOVER"],
      },
      tokenizationSpecification: {
        type: "PAYMENT_GATEWAY",
        parameters: {
          gateway: "rapidcentspay",
          gatewayMerchantId: "googletest",
        },
      },
    },
  ],
  merchantInfo: {
    merchantName: "Acme Corp",  // REQUIRED — enter your own business name
  },
  transactionInfo: {
    totalPriceStatus: "FINAL",
    totalPrice: "10.00",
    currencyCode: "CAD",
  },
};

⚠️

merchantName — You must replace the example value with your actual business name (e.g. "Acme Corp"). This name is displayed to the customer in the Google Pay™ payment sheet. An empty or placeholder value will be flagged during Google's integration review.

Billing Address Configuration

If your integration requires the customer's billing address for verification (AVS) or compliance purposes, add the billingAddressRequired parameter to allowedPaymentMethods[].parameters:

JavaScript

parameters: {
  allowedAuthMethods: ["PAN_ONLY", "CRYPTOGRAM_3DS"],
  allowedCardNetworks: ["VISA", "MASTERCARD", "AMEX", "DISCOVER"],
  billingAddressRequired: true,
  billingAddressParameters: {
    format: "FULL",  // "MIN" for postal code + country only
    phoneNumberRequired: false,
  },
}

🛈

Setting billingAddressRequired: true with format: "FULL" requests the complete billing address (street, city, state, postal code, country). Use "MIN" if you only need postal code and country for basic AVS checks. If billing address verification is not needed for your use case, you may omit this parameter.

After paymentsClient.loadPaymentData(paymentDataRequest), use:

paymentData.paymentMethodData.tokenizationData.token (string)

Critical Token Handling Requirements

⚠️

Do not JSON.parse() and JSON.stringify() the token prior to sending to RapidCents. Send tokenizationData.token as the exact raw string received from Google. Do not log the full token client-side.

RapidCents Server-to-Server API

RapidCents provides Google Pay processing endpoints:

Method	Endpoint	Description
`POST`	`/api/google-pay/payment/process`	Process a Google Pay payment
`POST`	`/api/google-pay/processor/process`	Direct processor submission

RapidCents Gateway Parameters

Parameter	Test Value	Production Value	Where Used
`gateway`	`rapidcentspay`	`rapidcentspay`	`tokenizationSpecification.parameters`
`gatewayMerchantId`	`googletest`	Your assigned Merchant ID (MID)	`tokenizationSpecification.parameters`
`merchant_id`	`gateway:rapidcentspay`	`gateway:rapidcentspay`	Server-to-server API requests

🛈

Production gatewayMerchantId: The test value googletest is for development and testing only. For production, replace it with your unique RapidCents Merchant ID (MID) assigned during merchant onboarding. You can find your MID in the RapidCents merchant dashboard under Settings → Business Information, or contact the RapidCents integration team to obtain it.

Request Example

HTTP

POST /api/google-pay/payment/process
Content-Type: application/json
Accept: application/json

JSON Body

{
  "payment_token": "{\"signature\":\"...\",\"intermediateSigningKey\":{...},\"protocolVersion\":\"ECv2\",\"signedMessage\":\"...\"}",
  "merchant_id": "gateway:rapidcentspay",
  "amount": 10.00,
  "currency": "CAD",
  "order_id": "ORDER-12345",
  "merchant_reference": "optional-reference"
}

Response Example

JSON

{
  "success": true,
  "transaction_result": {
    "status": "Approved",
    "auth_code": "123456"
  }
}

Environments and Key Management

🔒

Gateway integration model: Because RapidCents is the payment gateway (gateway: "rapidcentspay"), all ECv2 decryption keys are managed exclusively by RapidCents on the server side. Merchants do not need to generate, store, or manage any private or public decryption keys. The merchant’s only responsibility is to forward the raw encrypted token to RapidCents.

RapidCents uses strictly separated TEST and PRODUCTION key material internally:

Environment	Managed By	Usage
Staging / TEST	RapidCents (internal)	Development and testing
PRODUCTION	RapidCents (internal)	Live transactions

Merchant Configuration

Merchants only need the following parameters in their tokenizationSpecification — no key management is required:

Parameter	Value	Description
`gateway`	`rapidcentspay`	RapidCents gateway identifier (same for TEST and PRODUCTION)
`gatewayMerchantId`	`googletest` (TEST) / Your MID (PRODUCTION)	Merchant identifier — see Gateway Parameters

✅

All ECv2 private keys, public keys, and protocol configuration are managed by RapidCents infrastructure. Merchants never handle decryption keys.

Testing and Diagnostics

Optional status and testing endpoints (access may be restricted per deployment):

Method	Endpoint	Description
`GET`	`/api/google-pay/status`	Service health check
`POST`	`/api/google-pay/decrypt`	Token decryption test
`GET`	`/api/google-pay/payment/status`	Payment status lookup

Troubleshooting

🔍

Signature verification failed — Token was parsed and re-serialized, or using TEST token with PRODUCTION keys (or vice versa), or wrong merchant key pair.

⏰

Token expired — Google Pay tokens are time-limited (messageExpiration). Ensure the token is submitted promptly after generation.

Security and Compliance

All requests must use HTTPS.
Treat tokens and decrypted payment data as sensitive and handle per PCI DSS requirements.
Do not persist decrypted PAN/cryptogram unless required and compliant.
Keep key material in a secret manager and rotate if needed.

Support

For integration assistance, please provide:

Merchant name and MID / identifier
Environment (TEST vs PRODUCTION)
Approximate timestamps and request IDs

📧

Contact the RapidCents integration team for further support.