Push provisioning - GooglePay

Tokenization of payment cards through the bank's app

Google is a registered token requestor and digital wallet provider. The company provides the Google Pay API for the Push Provisioning scheme to issuing banks. The issuing bank can develop its own full-featured payment application that integrates the tokenization function using Google Pay. Bank customers can then select a card in the familiar mobile banking app and tokenize it for payment in stores using NFC-enabled devices and in online stores.

Tokenization process through the app for the customer

In the issuing bank's app, customers can see a list of cards they use. If the card is not yet tokenized, there should be an "Add to Google Pay" button nearby. When the button is pressed, the Google Pay tokenization process begins.

After selecting the card and pressing the button, users see a screen asking them to confirm activation of card tokenization. After confirming, they must accept the issuer's terms of service before the card can be added to Google Wallet; this step is mandatory. A screen confirming tokenization then appears, after which the user is returned to the issuer's app. In the bank's app, the card is then marked with a special icon or the label "Added to Google Pay".

The process can be longer if the customer is doing this for the first time. It also includes the issuing bank's risk verification procedure.

Extended Push Provisioning process:

  1. Issuer app: Push provisioning starts from the issuer's mobile app, on the card list screen, after the user presses the "Add to Google Pay" button.
  2. Google Pay: Shows this screen for confirmation to all users.
  3. Google Pay: Shows this screen the first time a card is provisioned to Google Pay, or if the address service requires the user to correct the address.
  4. Google Pay: Shows the issuer's terms of service (mandatory requirement).
  5. Google Pay: Shows this screen only if the user has not set up a screen lock on their device. This triggers the secure screen lock setup workflow, which Google manages as part of the provisioning process.
  6. Google Pay: Supports identification and verification (ID&V) methods during push provisioning. However, the yellow and red paths are very rarely used during push provisioning, since the user has already confirmed their identity by logging in to the issuer's app.
  7. Google Pay: Shows this screen to confirm completion of tokenization and successful card activation.
  8. Issuer app: After tokenization is complete, control and the user interface return to the issuing bank's app.

Security on rooted phones

Google Pay performs attestation verification during API calls. A rooted device will not pass this verification. The issuing bank can also perform its own SafetyNet check before transmitting confidential information. This check helps confirm that the Android app sandbox is working correctly and protects the banking app from malicious apps.
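
A server-side policy check for the issuer's own attestation step described above, as an added example that is not code from the original page or from Google. It uses the SafetyNet attestation payload fields (nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, basicIntegrity, ctsProfileMatch) and assumes the JWS signature and certificate chain were already validated; the package name, digest, nonce and freshness window are constructed.

```python
import base64
import hmac
import time

MAX_AGE_MS = 120_000  # assumed freshness window, not a value from the page


def check_verdict(payload, nonce, package, cert_digests, now_ms=None):
    """Failure reasons for a decoded attestation payload ([] means pass).
    Assumes the caller already validated the JWS signature and cert chain."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    # The nonce binds the verdict to this request and defeats replay.
    want = base64.b64encode(nonce).decode()
    if not hmac.compare_digest(str(payload.get("nonce", "")).encode(), want.encode()):
        reasons.append("nonce")
    # A stale verdict may describe a device state that no longer holds.
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > MAX_AGE_MS:
        reasons.append("stale")
    # The verdict must describe the bank's app, signed with its certificate.
    if payload.get("apkPackageName") != package:
        reasons.append("package")
    if not set(payload.get("apkCertificateDigestSha256", [])) & set(cert_digests):
        reasons.append("signer")
    # A rooted or tampered device fails one or both integrity flags.
    if not (payload.get("basicIntegrity") is True
            and payload.get("ctsProfileMatch") is True):
        reasons.append("integrity")
    return reasons


# Constructed sample data: hypothetical package name, digest and nonce.
NOW = 1_700_000_000_000
NONCE = b"constructed-server-nonce"
PKG = "com.example.bank"
DIGEST = "Y29uc3RydWN0ZWQtZGlnZXN0"
GOOD = {
    "nonce": base64.b64encode(NONCE).decode(), "timestampMs": NOW - 5_000,
    "apkPackageName": PKG, "apkCertificateDigestSha256": [DIGEST],
    "basicIntegrity": True, "ctsProfileMatch": True,
}
ROOTED = dict(GOOD, basicIntegrity=False, ctsProfileMatch=False)
REPLAYED = dict(GOOD, nonce=base64.b64encode(b"earlier-nonce").decode())

if __name__ == "__main__":
    for name, p in (("good", GOOD), ("rooted", ROOTED), ("replayed", REPLAYED)):
        print(name, check_verdict(p, NONCE, PKG, [DIGEST], NOW) or "pass")
```

The bank's backend would release the card data for provisioning only when the returned list is empty.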

Tokenization process through the app

In the issuing bank's app, customers can see a list of cards they use. If the card is not tokenized, the customer can start this process directly from the bank's app.

Fig. Tokenization procedure from the bank's app.

Benefits of tokenization through the app

For the issuing bank's customer who has everyday experience using the issuing bank's app, performing card tokenization won't be stressful.

For the customer.

  1. Instant card linking to wallet. No need to manually enter PAN, expiration date, CVV. The card is tokenized in Google Pay in a few clicks.
  2. Enhanced security. Data transfer occurs in encrypted form from the bank's app to MDES/VTS, eliminating the risk of compromise during manual entry.
  3. Best user experience (UX). The user performs tokenization in a familiar app. Token generation is possible immediately after card issuance, and the customer can pay with their smartphone.

For the issuing bank.

  1. Increased card activity. Customers can use the card immediately.
  2. Reduced rejections. Fewer errors when entering card data manually. No unactivated tokens.
  3. Token lifecycle management through the app. The bank gets more control over the token: activation, blocking, deletion through its app.