Samsung Pay Online Payment CSR Guide

1. Overview

A CSR (Certificate Signing Request) is a file that contains:

  • Your public key
  • Information about your organization and domain name
  • A digital signature created with your private key

It is generated before you can get an SSL/TLS certificate from a Certificate Authority (CA).

In Samsung Pay online payments, sensitive data generated during the payment process must be protected using a public key cryptography (asymmetric encryption) model.

The following data is generated during a transaction:

  • Order Information
  • Tokenized Card Data

To ensure secure transmission, this data is encrypted using the Merchant’s Public Key.

Encryption Flow

  1. The Merchant generates a CSR (Certificate Signing Request) or obtains it from a PG (Payment Gateway)
  2. The Merchant registers the CSR on the Samsung Pay Portal
  3. Samsung Pay extracts the Public Key from the CSR
  4. Payment data is encrypted using the extracted Public Key (JWE-based)
  5. The encrypted data is sent to the Merchant
  6. The Merchant decrypts the data using its Private Key

JWE-based Data Protection

Samsung Pay uses JWE (JSON Web Encryption) to protect payment data.

  • Order information + tokenized card data → packaged as JWE payload
  • Encrypted using the Merchant’s Public Key
  • Only the Merchant can decrypt using its Private Key

This ensures the following:

  • Protection of sensitive data (tokens)
  • Data confidentiality during transmission
  • Protection against man-in-the-middle attacks

Important: CSR Usage in Samsung Pay

In a typical PKI flow, a CSR is used to request a certificate from a Certificate Authority (CA), and the issued certificate is then used for encryption.

However, in Samsung Pay integration:

  • No certificate issuance is required
  • The Public Key is directly extracted from the CSR and used for encryption

Therefore, in this guide, CSR should be understood as:

A data format for delivering the Public Key,
not as a certificate request for CA issuance.

Terminology

  • CSR: A data structure containing a Public Key (used here for key exchange)
  • Public Key: Used for encryption
  • Private Key: Used for decryption (must be kept secure)
  • JWE: A standard for encrypting JSON-based data

2. CSR and Key Management Models

Samsung Pay integration supports the following three models for CSR generation and key management:

Characteristics table

| Case                               | CSR Generation                            | CSR Registration | Private Key Management               |
|------------------------------------|-------------------------------------------|------------------|--------------------------------------|
| Case A: PG Fully Managed           | ❌ (Not required for Merchant)             | Handled by PG    | PG                                   |
| Case B: PG-Assisted (Semi-Managed) | PG or Merchant (via provided guide/tools) | PG or Merchant   | Depends on the agreed implementation |
| Case C: Merchant (Self-Managed)    | Merchant                                  | Merchant         | Merchant                             |

Case A. PG Fully Managed

The Payment Gateway (PG) fully manages key generation and CSR registration.

Merchant Responsibility

  • No need to generate CSR
  • Use PG-provided APIs or interfaces

Use Cases

  • Hosted Payment Page
  • Simple integrations via PG

Case B. PG-Assisted (Semi-Managed)

The PG provides tools or guidance for CSR generation.

Merchant Responsibility

  • Generate CSR via PG console or follow PG guide
  • Register CSR if required

Use Cases

  • Enterprise PG integrations
  • Console-based configuration

Case C. Merchant (Self-Managed)

The Merchant fully manages key generation, CSR creation, and registration.

Merchant Responsibility

  • Generate key pair
  • Create CSR
  • Register CSR on Samsung Pay Portal

Use Cases

  • Direct API integration
  • High-security environments

3. How to Generate a CSR

In the Self-Managed case (Case C), the Merchant generates its own CSR, typically with OpenSSL.

3.1 Generate Private Key

Run the following command in your terminal:

openssl genrsa -out private.key 2048

3.2 Generate CSR

Run the following command in your terminal:

openssl req -new -key private.key -out request.csr

Example input fields:

  • Common Name (CN): Service identifier or domain
  • Organization (O): Company name
  • Country (C): Country code

3.3 Register CSR

  1. Upload the generated CSR to the Samsung Pay Portal
  2. Once it is registered, the Public Key contained in the CSR is used for encryption
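The following script is an added example, not part of the Samsung Pay guide: it runs steps 3.1 and 3.2 non-interactively and then performs the checks a Merchant should do before uploading the CSR (the CSR self-signature verifies, its Public Key matches private.key, the key is at least 2048 bits, and the file carries no private key material). It assumes OpenSSL is installed; the subject values and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Samsung Pay guide). Assumes the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"
CSR="$WORKDIR/request.csr"

# Steps 3.1 and 3.2 of the guide; -subj replaces the interactive prompts
# (constructed placeholder subject, replace with your own values).
generate_key_and_csr() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=KR/O=Example Merchant Inc/CN=samsungpay.example.com"
}

# RSA modulus size of the private key, in bits.
key_bits() {
    openssl rsa -in "$KEY" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Public Key exactly as Samsung Pay extracts it from the CSR (no certificate needed).
csr_pubkey() { openssl req -in "$CSR" -noout -pubkey; }

# Public Key derived from private.key, for comparison with the CSR.
key_pubkey() { openssl pkey -in "$KEY" -pubout; }

# Pre-upload checks; returns 0 only if every check passes.
verify_csr() {
    # 1. The CSR's self-signature must verify with the embedded Public Key.
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature invalid"; return 1; }
    # 2. The CSR must carry the same Public Key as private.key.
    [ "$(csr_pubkey)" = "$(key_pubkey)" ] \
        || { echo "CSR public key does not match private.key"; return 1; }
    # 3. Key length of at least 2048 bits (section 4 of the guide).
    [ "$(key_bits)" -ge 2048 ] \
        || { echo "key too short: $(key_bits) bits"; return 1; }
    # 4. A CSR never contains the Private Key; fail if this file does.
    ! grep -q "PRIVATE KEY" "$CSR" \
        || { echo "CSR contains private key material"; return 1; }
    echo "CSR OK: $(key_bits)-bit RSA, ready for upload"
}

generate_key_and_csr
verify_csr
```

Only request.csr is uploaded to the Samsung Pay Portal; private.key stays on the Merchant side for decrypting the JWE payloads.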

4. Security Considerations

❌ Never share the Private Key

❌ Do not send keys via email or messaging tools

✔ CSR does NOT contain the Private Key

✔ Use at least 2048-bit key length

✔ Use HSM or secure vault if available

✔ Restrict access to Private Key