When to step-up your Google Pay transactions as a PSP

NOV 28, 2022

Posted by Dominik Mengelt, Developer Relations Engineer, Google Pay and Nick Alteen, Technical Writer, Engineering, Wallet

What is step-up authentication?

When processing payments, step-up authentication (or simply “step-up”) is the practice of requiring additional authentication measures based on user activity and certain risk signals. For example, redirecting the user to 3D Secure to authenticate a transaction. This can help to reduce potential fraud and chargebacks. The following graphic shows the high-level flow of a transaction to determine what's to be done if step-up is needed.

graphic showing the high-level flow of a transaction
Figure 1: Trigger your Risk Engine before sending the transaction to authorization if step-up is needed

It depends! When making a transaction, the Google Pay API response will return one of the following:

You can use the allowedAuthMethods parameter to indicate which authentication methods you want to support for Google Pay transactions:

"allowedAuthMethods": [


In this case, you’re asking Google Pay to display the payment sheet for both types. For example, if the user selects a PAN_ONLY card (a card not tokenized, not enabled for contactless) from the payment sheet during checkout, step-up is needed. Let's have a look at two concrete scenarios:

In the first scenario, the Google Pay sheet shows a card previously added to Google Wallet. The card art and name of the user's issuing bank are displayed. If the user selects this card during the checkout process, no step-up is required because it would fall under the CRYPTOGRAM_3DS authentication method.

On the other hand, the sheet in the second scenario shows a generic card network icon. This indicates a PAN_ONLY authentication method and therefore needs step-up.


Whether or not you decide to accept both forms of payments is your decision. For CRYPTOGRAM_3DS, the Google Pay API additionally returns a cryptogram and, depending on the network, an eciIndicator. Make sure to use those properties when continuing with authorization.


This authentication method is associated with payment cards from a user’s Google Account. Returned payment data includes the PAN with the expiration month and year.


This authentication method is associated with cards stored as Android device tokens provided by the issuers. Returned payment data includes a cryptogram generated on the device.

When should you step-up Google Pay transactions?

When calling the loadPaymentData method, the Google Pay API will return an encrypted payment token (paymentData.paymentMethodData.tokenizationData.token). After decryption, the paymentMethodDetails object contains a property, assuranceDetails, which has the following format:

"assuranceDetails": {
    "cardHolderAuthenticated": true,
    "accountVerified": true

Depending on the values of cardHolderAuthenticated and accountVerified, step-up authentication may be required. The following table indicates the possible scenarios and when Google recommends step-up authentication for a transaction:



Step-up needed







Step-up can be skipped only when both cardHolderAuthenticated and accountVerified return true.

Next steps

If you are not using assuranceDetails yet, consider doing so now and make sure to step-uptransactions if needed. Also, make sure to check out our guide on Strong Customer Authentication (SCA) if you are processing payments within the European Economic Area (EEA). Follow @GooglePayDevs on Twitter for future updates. If you have questions, mention @GooglePayDevs and include #AskGooglePayDevs in your tweets.