3.5 App-to-App Identity Verification

3.5.1 Overview

In mobile payment push provisioning, Identity & Verification (ID&V) ensures that only the rightful cardholder can add their payment card to Samsung Wallet. To prevent unauthorized access and fraud, Samsung Wallet supports multiple ID&V methods: SMS, email, phone call, access code, bank website, app, or support, and App-to-App ID&V.

App-to-App ID&V allows users to verify their identity through their bank's mobile application during push provisioning.

Samsung Wallet supports two integration paths:

  1. Using Samsung Wallet SDK (requires integration within bank app)
  2. Using Android Intents (does not require SDK) – this guide focuses on this method.

3.5.2 User Experience

The following figure illustrates the UI flow for app-to-app ID&V when the user wants to add a payment card to Samsung Wallet and selects the “Open banking app” option.



3.5.3 Implementing App-to-App ID&V

This method allows Samsung Wallet to launch a bank’s mobile app, where the user’s identity is verified before provisioning their payment card.

3.5.4 Key Concepts

| Term | Description |
|------|-------------|
| ID&V | Identity & Verification – confirms the cardholder’s identity before provisioning a card. |
| TSP | Token Service Provider – handles tokenization and supplies ID&V methods. |
| Samsung TR | Samsung Token Requestor – communicates with the TSP on behalf of Samsung Wallet. |
| App-to-App ID&V | Launches the bank’s app from Samsung Wallet to complete identity verification. |


3.5.5 App-to-App ID&V Process Flow

To verify their payment card in the Samsung Wallet application, the user must accept the terms and conditions, after which Samsung Wallet initiates token provisioning through the Samsung Token Requestor (TR) from the Token Service Provider (TSP). The TSP provides Samsung Wallet with the available ID&V methods and the data needed to perform user verification through your application.

When the user selects “Open banking app” in Samsung Wallet, an Android activity launches your application through an intent. The intent contains information from the TSP server.

You can implement app-to-app ID&V support in your banking application in two ways:

  • Token activation through bank server - After user verification, the token is activated through your bank’s backend and TSP APIs.
  • Token activation through Samsung Wallet application - After user verification, your bank server returns an authorization code to Samsung Wallet, which is used to activate the token through the Samsung TR and TSP.

The following figure shows the app-to-app ID&V process flow:


Launch the application

To launch your application, the Samsung Wallet application calls the startActivityForResult() method, providing the following intent data from the TSP server:

  1. Package name of your application
  2. Intent action, whose specific name depends on the TSP
  3. Additional data in the Intent.EXTRA_TEXT key, depending on the card type:
    • Mastercard: A Base64-encoded JSON object with the following elements: paymentAppProviderId, paymentAppInstanceId, tokenUniqueReference, accountPanSuffix, and accountExpiry
    • Visa: An encrypted JSON payload including PAN ID, TR ID, token reference ID, last 4 digits of PAN, device ID, and wallet account ID

Intent data is generated with the getApp2AppIntent() method in the Samsung Wallet application:

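public Intent getApp2AppIntent() {

    // packageName, action and extraText hold the values received from the TSP server
    Intent app2appIntent = new Intent();
    app2appIntent.setPackage(packageName);
    app2appIntent.setAction(action);

    // EXTRA_TEXT is attached only when the TSP supplied additional data
    if (!TextUtils.isEmpty(extraText)) {
        app2appIntent.putExtra(Intent.EXTRA_TEXT, extraText);
    }
    return app2appIntent;
}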

Process the ID&V request

To enable your application to handle the intent data transmitted from the Samsung Wallet application, in your “AndroidManifest.xml” file, define an activity with the intent action used by the TSP:

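<!-- android:exported must be declared explicitly on an activity with an intent filter
     when the app targets Android 12 (API 31) or higher. It is "true" here because
     Samsung Wallet is a separate app, so the activity must check who launched it. -->
<activity android:name="App2AppIdnvActivity"
          android:exported="true">
  <intent-filter>
    <action android:name="com.bank.mobileapp.action.LAUNCH_A2A_IDV"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>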

When your application is called by Samsung Wallet, start the activity to process the ID&V request. The data passed by the intent can be processed through your backend server along with other data that the application already has, such as user and account information.
If user verification is successful, you can activate the token by calling the TSP API.
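
The following activity is an added example, not code from Samsung or from this guide: it checks that the caller is the wallet app before reading the Mastercard Base64 JSON payload, and rejects malformed input. The wallet package name and the certificate digest are assumptions to confirm with Samsung; the action string is the one from the manifest above.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import org.json.JSONException;
import org.json.JSONObject;

public class App2AppIdnvActivity extends Activity {
    // ASSUMPTION: wallet package name and signing-certificate digest; confirm both with Samsung.
    private static final String WALLET_PACKAGE = "com.samsung.android.spay";
    private static final byte[] WALLET_CERT_SHA256 = new byte[32]; // placeholder, replace
    private static final String ACTION = "com.bank.mobileapp.action.LAUNCH_A2A_IDV";
    private static final String[] REQUIRED = {"paymentAppProviderId", "paymentAppInstanceId",
            "tokenUniqueReference", "accountPanSuffix", "accountExpiry"};

    @Override
    protected void onCreate(Bundle state) {
        super.onCreate(state);
        // getCallingPackage() is filled in by the system and is null unless the caller
        // used startActivityForResult(), which is how Samsung Wallet launches this activity.
        String caller = getCallingPackage();
        boolean trusted = WALLET_PACKAGE.equals(caller)
                && getPackageManager().hasSigningCertificate( // API 28+
                        caller, WALLET_CERT_SHA256, PackageManager.CERT_INPUT_SHA256);
        if (!trusted || !ACTION.equals(getIntent().getAction())) {
            setResult(RESULT_CANCELED); // unknown caller: start no verification flow
            finish();
            return;
        }
        try {
            JSONObject req = parseMastercardPayload(getIntent().getStringExtra(Intent.EXTRA_TEXT));
            // Validated: hand req to the app's own login and backend verification from here.
        } catch (JSONException | IllegalArgumentException e) {
            // Malformed payload: let the user retry or pick another ID&V method.
            setResult(RESULT_OK, new Intent().putExtra("STEP_UP_RESPONSE", "failure"));
            finish();
        }
    }

    // Decodes the Base64 JSON object and requires every documented Mastercard element.
    static JSONObject parseMastercardPayload(String extraText) throws JSONException {
        if (extraText == null) throw new IllegalArgumentException("EXTRA_TEXT missing");
        byte[] raw = Base64.decode(extraText, Base64.DEFAULT); // IllegalArgumentException on bad Base64
        JSONObject json = new JSONObject(new String(raw, StandardCharsets.UTF_8));
        for (String key : REQUIRED) json.getString(key); // JSONException if an element is absent
        return json;
    }
}
```

The payload fields arrive from another app on the device, so the backend should still match them against the signed-in user's own card data before the token is activated.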

Return to Samsung Wallet

After the user has completed verification, your application must direct the user back to Samsung Wallet using the Activity.setResult(resultCode, resultIntent) method.

If the value of resultCode is RESULT_OK, the resultIntent object must contain extra bundle data.

The STEP_UP_RESPONSE key must have one of the following values depending on the scenario:

Intent result = new Intent();

// Set exactly one of the following values, matching the outcome of the verification.

// Authentication successful
result.putExtra("STEP_UP_RESPONSE", "accepted");

// Authentication failed; do not add the user’s card
result.putExtra("STEP_UP_RESPONSE", "declined");

// Authentication failed; allow user to retry or select another ID&V method
result.putExtra("STEP_UP_RESPONSE", "failure");

// Authentication failed because the application was not ready
result.putExtra("STEP_UP_RESPONSE", "appNotReady");

activity.setResult(RESULT_OK, result);

To use an authentication code to activate the token in Samsung Wallet, you must also include the ACTIVATION_CODE key-value:

Intent result = new Intent();
 
result.putExtra("STEP_UP_RESPONSE", "accepted");
result.putExtra("ACTIVATION_CODE", authCode);
 
activity.setResult(RESULT_OK, result);

Otherwise, when the user has canceled the operation, the value of resultCode is RESULT_CANCELED:

// The user canceled the operation
activity.setResult(RESULT_CANCELED);

3.5.6 Samsung Wallet UI Flow

The Samsung Wallet UI flow for push provisioning using App-to-App Identity Verification (ID&V) is the sequence of user interface steps a user goes through when adding a payment card and verifying their identity via their bank’s mobile app.