web payments integration guide overview to help standardize and streamline how payments are done on the web, the worldwide web consortium w3c has introduced a payment request api to provide an interface between a merchant web page and a mobile payment app, like samsung pay, to facilitate payment transactions samsung internet browser leverages the w3c payment request api to support samsung pay as a payment method for web purchases chrome also supports a samsung pay web payment method why integrate samsung pay into your website? samsung pay is accepted at more retail locations than any other mobile payment service available because of its unique ability to transact with newer nfc-supported payment terminals and legacy payment terminals it continues to enjoy the best user reviews among mobile payment apps now available for mobile website integration, samsung pay is secure, easy to set up, simple to use, and pre-installed on all new samsung galaxy-class smartphones when integrated with your website, samsung pay presents your users with a common checkout process that leverages samsung pay’s secure purchase authentication technology, eliminating manual entry or re-entry of card details and shipping destinations checkout is streamlined, conversions are maximized, and the exposure of sensitive data is kept to the absolute minimum simplifying the transaction process the benefits of the new process, certainly from an end-user perspective, is that the previous tedium ― request, authorization, payment, and result ― can now be handled in a single step for the web developer, it entails a single javascript api call for samsung pay users, there’s no change at all in the way a payment card is selected and authenticated after selecting the desired merchandise from the merchant’s web site, the user initiates checkout, selects samsung pay as the preferred payment method, authenticates with a fingerprint or pin, and voila ― payment complete that’s the user experience at its most basic when properly implemented, the api also supports editing the billing/shipping address in samsung pay and selecting a different enrolled card before approving the transaction with a fingerprint scan or entering a pin in terms of convenience, it’s a remote shopper’s dream ― no complicated, input-intensive forms to fill out, no fumbling for a plastic card to enter the account number, card expiration, and security code, and no worrying that someone other than the legitimate cardholder is attempting to make the payment meanwhile, samsung pay’s tokenized payload securely protects the transaction from intercept and replay attacks about this guide intended for web developers with a working knowledge of javascript and json, this guide takes you through the complete process of onboarding as a samsung pay merchant partner, creating/registering the w3c service for your domain, adding the w3c payment request object to your website, then testing and releasing your merchant website offering samsung pay as a payment method let's get started determining your gateway integration mode the api methods for integrating samsung pay with your website depend on the type of payment token your payment gateway pg handles — either gateway tokens or network tokens samsung pay supports requests for both types for instance, if stripe is your pg, you will want to request a gateway token from samsung pay on the other hand, if you’re using first data, you’ll want to request an encrypted network token bundle, for which you handle the token decryption yourself or work with the pg first data in this case to handle decrypting the token bundle the process begins when your merchant website makes a payment request and passes all required information to the browser, which then determines compatibility between the accepted payment methods for your website and the methods apps installed on the target device let’s take a brief look at how each integration mode — gateway token and network token — works with samsung pay gateway token mode although samsung pay doesn’t process the payment, your merchant website will still need to invoke the appropriate payment gateway apis to charge and process the token returned by your pg hence, when samsung pay returns a gateway token from stripe, for example, the recommended flow looks like this user selects samsung pay as the payment method at checkout in the merchant's website and the samsung pay app requests partner verification from the samsung pay online payment server encrypted payment information and the partner id are passed to the samsung-pg interface server samsung-pg interface server sends a transaction authorization request to the pg on behalf of the merchant; pg authenticates the partner id before generating a transaction reference id samsung-pg interface server returns the payment token to the pg i e , the gateway token it received from the samsung pay app in step 2 pg continues payment processing with the acquirer and payment network the result approved/declined is returned to the merchant website on the device for display to the user in this mode, samsung pay makes a call to your pg on your behalf and returns a chargeable gateway token network token mode under network token mode, the samsung pay api returns an encrypted network token bundle, which you can then either decrypt yourself or leverage the apis of your pg first data, for example to handle decryption and charge the token user selects samsung pay as the payment method at checkout in the merchant's website and the samsung pay app requests partner verification from the samsung pay online payment server encrypted payment information is passed from the samsung pay app to the pg through the merchant app via the pg sdk applying the merchant's private key, pg decrypts the payment information structure and processes the payment through the acquirer and payment network upon receiving authorization or rejection, pg notifies the merchant website through its pg sdk to simplify integration of network tokens, you can pass the encrypted payload directly to your pg and let it handle decryption in general, decrypting the payload yourself is more complex and involves private key management see your particular pg’s documentation for details once you determine which mode your pg supports, you're ready to register with the portal first, however, there are a number of prerequisites you'll need to satisfy prerequisites registering with the samsung pay developers portal and adapting the appropriate payment request apis for your website in accordance with the guidance contained herein will help to ensure a successful implementation to that end, the following requirements apply release contents minimum samsung pay app version 2 8 xx minimum samsung internet browser version 5 4 minimum chrome browser version 61 supported device models samsung galaxy-class smartphones running minimum version of the wallet app and browser supported payment gateways pgs view the most current list in the portal's payment gateway drop-down menu in service create/edit mode see step 5 under registering your domain for the w3c service registering with the portal through the samsung pay developers portal you can access valuable resources to help you manage the samsung pay features you incorporate into you partner app, including the ability to create multiple samsung pay service groups so you can use different services without the need to create multiple accounts invite co-workers to the portal to help you manage samsung pay features for your website register your website with samsung pay configure your samsung pay w3c service s to create a member account on the samsung pay developers portal open a browser like chrome, go to https //pay samsung com/developers, click sign up and confirm/acknowledge that you accept the samsung pay terms and conditions and understand the privacy policy, then do one of the following a if you already have a valid samsung account, click sign up and enter your samsung account id and password b if you do not have a samsung account, click create a samsung account to create one open the account activation email you receive and click the account activation link if you’re the first samsung pay member of your company to register, select the first option, click next, and complete a company and user profile if, on the other hand, you were given a samsung pay partner id by a co-worker, select the second option — my company is already registered — and enter your company’s partner id in the field provided, then click next after you receive notification by email that your membership is approved, typically within 2 business days, return to https //pay samsung com/developers, click sign in and enter your samsung account id and password for site access as a new member registering your domain for the w3c service your domain is the url associated with your website, whether in test or production the service type specifically associates w3c with your domain once you create the service, you will be prompted to configure the domain you want associated with it to create a new service go to my projects > service management and click create a new service select for test to define the service for initial integration with samsung pay, then click next select w3c mobile web payments as the service type and click next enter a service name and select “united states” as the service country select a payment gateway from the list of supported pgs if your payment gateway uses the network token mode, upload the certificate signing request csr you obtained from your pg supported formats are csr or pem contact your pg for details otherwise, key management is already established for pgs supporting samsung pay’s gateway token mode; hence, click connect with to create a new service connection with the pg and click ok enter the payment domain name s for your website in the service domain field and click add for example, if your domain is mywebstore com but the checkout page is hosted on the subdomain payments mywebstore com, you’ll need to enter payments mywebstore com as the service domain in the portal for each additional domain name, click add notewhen entering the domain name on the portal, do not include an https // prefix confirm your agreement with the terms and conditions, then click next adding w3c payment requests objects to your website in order to accept payments from samsung pay, your website must adhere to the w3c payment request api specification you can get started with the basics by completing the steps that follow and making the appropriate substitutions for your website step 1 feature detect prior making a w3c payment request, it’s wise to run a feature detect to ensure the browser in use supports the w3c payment request api if not, you should fall back to your traditional/normal checkout page example if window paymentrequest { // use payment request api } else { // fallback to traditional checkout window location href = ‘/checkout/traditional’; } step 2 create the paymentrequest constructor the first step is to create a paymentrequest object by calling the paymentrequest constructor, which has the following parameters methoddata – contains a list of payment methods that the website supports e g , visa, amex, samsung pay details – contains information about the shopping cart purchases e g , total, tax, fees, etc options – details pertaining to shipping address, user contact information, etc example var request = new paymentrequest methoddata, // required payment method data details, // required information about transaction options // optional parameter for things like shipping, etc ; step 3 add samsung pay to the methoddata parameter the methoddata parameter contains a list of payment methods supported by the merchant to support samsung pay, you’ll need to add it as a supported payment method notebasic-card is an optional supportedmethod for credit and debit cards saved in the browser, the card details of which are returned directly to the website from the browser before configuring this method, make sure your website and pg can handle generic payment information received from the browser and process with required pci compliance, if applicable see the [w3c basic card payment specification][7] for additional details be aware, however, that if you intend to support a branded samsung pay button, only samsung pay can be enabled as a payment method within the paymentrequest object; basic-card or any other payment method cannot be included if you already offer a generic payment request method, you can continue to do so — and include samsung pay as a payment method within that paymentrequest object from a user experience standpoint, the two distinct pathways look like this standard w3c implementation a standard w3c implementation adds samsung pay to your standard paymentrequest object as one of many supportedmethods available for user selection tapping checkout or its equivalent launches the standard browser payment sheet for user selection of the payment method and/or to add a debit/credit card to the list of options selecting samsung pay as the payment method and tapping pay launches the samsung pay payment sheet branded samsung pay implementation a branded implementation displays a "buy with samsung pay" button in place of your standard checkout button tapping the button will skip directly to the samsung pay payment sheet for authentication unless you specify paymentoptions if paymentoptions is not null, the browser payment sheet is launched see paymentoptions in step 7 for additional guidance first launching your website's checkout page is recommended for branded implementations this is because the samsung pay payment sheet only provides the user's billing address, which means your website will need to capture the user's preferred shipping address, where applicable for physical delivery of purchased goods if no shipping address and/or other options are needed, set the paymentoptions parameter to null as mentioned above, if you populate paymentoptions, the browser payment sheet is automatically launched keeping the foregoing implementations in mind, let's look at how to construct the methoddata argument for the network token mode and gateway token mode, respectively the fields in methoddata comprise supportedmethods – required; specifies https //spay samsung com/ i e , the samsung pay app and other methods suppored by your website data – values specific to the method; for samsung pay, these include version specifies the data structure being used by the merchant; should always be set to 1 until further notice required productid the service id obtained from the samsung pay partner portal required for partner verification; see step #8 under registering your domain for the w3c service merchantgatewayparameter this is the userid value registered with your pg required for gateway token mode in addition, userid should be set in the request parameter for mada token if a merchan request mada token, this field is mandatory as this filed should be included in the payload for mada token, there is a 15-character length limit paymentprotocol defaults to “protocol_3ds,” the only protocol currently supported by samsung pay optional allowedcardnetworks specifies the card brands/networks accepted by the merchant and supported by the pg required merchantname the name of the merchant to be displayed on the payment sheet; must be identical to the merchant name registered on the samsung pay partner portal required ordernumber unique value for merchant use as an external reference id optional isrecurring specifies transaction on subscription basis optional; default = false billingaddressrequired determines if a billing address must be filled-in by the user optional; default = false shown next are examples of the methoddata parameter for each of the supported token modes please note that samsung pay's w3c support for card brands is currently limited to mastercard, visa and american express discover is scheduled for support soon example – network token mode var methoddata = [ { supportedmethods ['https //spay samsung com'], data { 'version' '1', // always 1 until further notice 'productid' '2bc3e6da781e4e458b18bc', // service id from partner portal 'allowedcardnetworks' ['mastercard','visa'], 'merchantname' 'shop samsung demo ', // merchantname must be identical to merchant name on portal 'ordernumber' '1233123', } }] example – gateway token mode var methoddata = [ { supportedmethods ['https //spay samsung com'], data { 'version' '1', // always 1 until further notice 'productid' '7qr7h9ws1872bc3e6da781', // service id from partner portal 'merchantgatewayparameter' {"userid" "acct_ 17irf7f6ypzj7wor"}, 'allowedcardnetworks' ['mastercard','visa'], 'merchantname' 'shop samsung demo ', //merchantname must be identical with merchant name on portal 'ordernumber' '1233123', } }] step 4 fill out the transaction details parameter the details parameter contains information about the transaction there are two major components a total, which reflects the total amount and currency to be charged, and an optional set of displayitems that indicate how the final amount was calculated this parameter is not intended to be a line-item list, but is rather a summary of the order’s major components subtotal, discounts, tax, shipping costs, etc example var details = { displayitems [ { label "total of all items", amount { currency "usd", value "65 00" }, // us$65 00 }, { label "friends & family discount", amount { currency "usd", value "-10 00" }, // -us$10 00 pending true // the price is not yet determined } ], total { label "total", amount { currency "usd", value "55 00" }, // us$55 00 } } step 5 check eligibility to display samsung pay button if you do not support basic-card and you try to call show in step 6 when samsung pay or any other supportedmethod is not present on the device, the returned promise will reject with the following error domexception the payment method is not supported you can, however, check beforehand to see if the user has an available/supported method set up this is done with the canmakepayment method, which tells you whether the user has a payment method that can fulfill the current payment request example – canmakepayment const paymentrequest = new paymentrequest supportedpaymentmethods, transactiondetails, options ; // if canmakepayment isn’t available, default to assume the method is supported const canmakepaymentpromise = promise resolve true ; // feature detect canmakepayment if request canmakepayment { canmakepaymentpromise = paymentrequest canmakepayment ; } canmakepaymentpromise then result => { if !result { // the user does not have a supported payment method // todo redirect to traditional checkout flow return; } // todo the user has a payment - call show } catch err => { // todo either fall back to traditional checkout or call show } ; notebranded samsung pay buttons can be found on the [samsung pay developers][8] portal under the resources tab direct cdn links will be available soon step 6 call the show method to display the payment sheet the payment sheet can be activated by calling its show method this method invokes the browser’s native ui so the user can examine the details of the purchase, add or change the information, and submit it for payment a promise, indicated by its then method and callback function, resolves what will be returned when the user accepts or rejects the payment request example – show request show then function paymentresponse { // process paymentresponse here paymentresponse complete "success" ; } catch function err { console error "uh oh, something bad happened", err message ; } ; step 7 handle the paymentresponse once the user approves the payment request by verifying the payment option and shipping option if provided , the show method’s promise resolves, resulting in a paymentresponse object comprised of the following fields methodname string indicating the chose payment method e g , visa details dictionary containing information for methodname shippingaddress shipping address of the user, if requested shippingoption id of the selected shipping option, if requested payeremail email address of the payer, if requested payerphone telephone number of the payer, if requested payername name of the payer, if requested here, it’s important to remember that the response from the payment request api must be submitted by the merchant in accordance with the pg’s integration model and apis in all cases, the samsung pay response is encapsulated within the paymentresponse details parameter, which comprises the following fields paymentcredential – contains the payment credential information necessary for processing the transaction with the pg in network token mode, this field includes 3ds data in gateway token mode, it includes token information network token mode type use “s” version 1 0 0; standard for payment authentication aka mastercard securecode, verified by visa, and american express safekey data encrypted payload value gateway token mode reference token id reference status authorized or rejected/declined billingaddress – contains the billing address and related attributes for the cardholder, possibly including country [iso3166] alpha-2 code; canonical form is upper case for example, “us” addressline[n] most specific part of the address; can include a street name, a house number, apartment number, a rural delivery route, descriptive instructions, or a post office box number region top level administrative subdivision of the country; can be a state, a province, an oblast, or a prefecture city city/town portion of the address dependentlocality dependent locality or sub-locality within a city; fused for neighborhoods, boroughs, districts, or uk dependent localities postalcode postal code or zip code, also known as pin code in india sortingcode bank sorting code; for example, in the british and irish banking industries, the sort code is a six-digit number, is usually formatted as three pairs of numbers, for example 12-34-56, identifying both the bank and the branch where the account is held languagecode [bcp47] language tag for the address, in canonical form; used to determine the field separators and the order of fields when formatting the address for display organization organization, firm, company, or institution at this address recipient name of the recipient or contact person this member may, under certain circumstances, contain multiline information; for example, it might contain “care of” information phone telephone number of the recipient or contact person paymentinfo – contains the payment information, including card_last4digits last four digits of the card’s dpan cardbrand currently, either mastercard or visa ordernumber merchant’s unique external reference id supplied in the original request’s methoddata parameter if the user pays with a credit card using the basic-card method, then the details response returned directly to your website from the browser will contain cardholdername, cardnumber, expirymonth, expiryyear, cardsecuritycode, billingaddress example request show then paymentresponse => { var paymentdata = { // payment method string, e g “amex” method paymentresponse methodname, // payment details contains payment information details paymentresponse details /* request details depends on pg token mode network - e g , first data; or gateway - e g , stripe ---------------------------------------------------------|------------------------------------------------------| * gateway token mode |* network token mode | * “details” { |* “details { | * “paymentcredential” { |* “method” “3ds”, | * “reference” “tok_1asceoyf6ypzj7f8se6grp0i”, |* “paymentcredential” { | * “status” “authorized” |* “type” “s”, | * }, |* “version” “100”, | * |* “data” “long_encrypted_payload_value”, | * |* }, | *--------------------------------------------------------|------------------------------------------------------| * “paymentinfo” { * “card_last4digits” “1489”, * “cardbrand” “mastercard”, * “ordernumber” “1233123”, * “billingaddress” { * “country” “usa”, * “addressline” [“chhccy”, “hdyxych”], * “region” “ca”, * “city” “mountain view”, * “dependentlocality” “”, * “postalcode” “94043”, * “sortingcode” “”, * “languagecode” “en”, * “organization” “”, * “recipient” “”, * “phone” “” * } * } * } * */ }; return fetch ‘/validatepayment’, { method ‘post’, headers { ‘content-type’ ‘application/json’ }, body json stringify paymentdata } then res => { if res status === 200 { return res json ; } else { throw ‘payment error’; } } then res => { paymentresponse complete “success” ; }, err => { paymentresponse complete “fail” ; } ; } catch err => { console error “error, something went wrong”, err message ; } ; once payment information is received from samsung pay, the website should submit the payment information to the merchant’s pg for transaction processing the ui will show a spinner while the request takes place when a response is received, the website should call complete to close the ui the website is then free to show an order complete or order confirmation page for user feedback as previously mentioned, you can simplify integration of network tokens by passing the encrypted payload directly to your pg and letting it handle decryption in all cases, how you handle a submitted network token depends on the payment gateway refer to your particular pg’s documentation for details paymentoptions is an optional parameter in thepaymentrequest constructor depending on your particular requirements, you may want additional information, such as the user’s shipping address for physical goods purchased and contact details for guest users paymentoptions currently comprises the following requestpayername true if payer name is required; otherwise, false requestpayeremail true if payer email address is required; otherwise, false requestpayerphone true if payer telephone number is required; otherwise, false requestshipping true if shipping address is required; otherwise, false shippingtype available label options “shipping/pickup/delivery” for indicating to user; solely for display purposes example var options = { requestpayeremail false, requestpayername true, requestpayerphone false, requestshipping true, shippingtype "delivery" } noteif any of the elements listed above are set to true, the browser payment sheet is launched; otherwise, the samsung pay payment sheet is displayed putting it all together let’s assemble the various code blocks into a prototype to demonstrate the w3c payment request api in action function onbuyclicked { const samsung_pay = 'https //spay samsung com'; if !window paymentrequest { // paymentrequest api is not available - forwarding to legacy form based experience location href = '/checkout'; } // setup var supportedinstruments = [{ supportedmethods [ samsung_pay ], // 'https //spay samsung com' data { "version" "1", "productid" "2bc3e6da781e4e458b18bc", //service id from partner portal "allowedcardnetworks" ['mastercard','visa'], "ordernumber" "1233123", "merchantname" "shop samsung demo ", //merchant name in partner portal "merchantgatewayparameter" {"userid" "acct_17irf7f6ypzj7wor"}, "isrecurring" false, "billingaddressrequired" false, "paymentprotocol" "protocol_3ds" } }]; var details = { displayitems [{ label 'original donation amount', amount { currency 'usd', value '65 00' } }, { label 'friends and family discount', amount { currency 'usd', value '-10 00' } }], total { label 'total due', amount { currency 'usd', value '55 00' } }; var options = { requestshipping true, requestpayeremail true, requestpayerphone true, requestpayername true }; // initialization var request = new paymentrequest supportedinstruments, details, options ; // when user selects a shipping address request addeventlistener 'shippingaddresschange', e => { e updatewith details, addr => { var shippingoption = { id '', label '', amount { currency ‘usd’, value ‘0 00’ }, selected true}; // shipping to us is supported if addr country === 'us' { shippingoption id = 'us'; shippingoption label = 'standard shipping in us'; shippingoption amount value = '0 00'; details total amount value = '55 00'; // shipping to jp is supported } else if addr country === 'jp' { shippingoption id = 'jp'; shippingoption label = 'international shipping'; shippingoption amount value = '10 00'; details total amount value = '65 00'; // shipping to elsewhere is unsupported } else { // empty array indicates rejection of the address details shippingoptions = []; return promise resolve details ; { // hardcoded for simplicity if details displayitems length === 2 { details displayitems[2] = shippingoption; } else { details displayitems push shippingoption ; } details shippingoptions = [shippingoption]; return promise resolve details ; } details, request shippingaddress ; } ; // when user selects a shipping option request addeventlistener 'shippingoptionchange', e => { e updatewith details => { // there should be only one option do nothing return promise resolve details ; } details ; } ; // show ui then continue with user payment info request show then result => { // post the result to the server return fetch '/pay', { method 'post', credentials ‘include’, headers { 'content-type' 'application/json' }, body json stringify result tojson } then res => { // only if successful if res status === 200 { return res json ; } else { throw 'failure'; } } then response => { // you should have received a json object if response success == true { return result complete 'success' ; } else { return result complete 'fail' ; } } then => { console log 'thank you!', result shippingaddress tojson , result methodname, result details tojson ; } catch => { return result complete 'fail' ; } ; } catch function err { console error 'uh oh, something bad happened ' + err message ; } ; } document queryselector '#start' addeventlistener 'click', onbuyclicked ; refer to the official w3c integration specs for additional details and definition testing once you have the code saved and loaded, you’re ready to test be sure to test your website or test domain on a device running samsung internet browser and with the samsung pay wallet app already set up and ready to go in accordance with the prerequisites cited above if you use a separate subdomain for your test environment, be sure to add it as an eligible service domain for the service you configured under registering your domain for the w3c service remember that any/all subdomains for production must also be added to the service, up to a maximum of 10 service domains again, please note that samsung pay’s webpay api currently supports mastercard and visa only support for american express and discover is under development and will be available soon be sure to test using the samsung internet and chrome mobile browser apps to test select samsung pay as the payment method by clicking on the branded samsung pay button branded implementations or the samsung pay radio button standard w3c implementations this should launch the samsung pay payment sheet authenticate payment validate your results end to end isolate issues in the log, debug, and test again contact your samsung pay rm to coordinate assistance with troubleshooting recommended test cases check if the samsung pay is available in the payment option on the website verify samsung pay logo on browser sheet verify order summary on the payment sheet verify “edit” and “pay” buttons on payment sheet verify purchased item in the summary verify the billing address on the payment sheet change the billing address try to change the card in payment sheet when only one card is enrolled in samsung pay try to change the card when multiple cards is enrolled in samsung pay verify the payment amount verify the payment options verify the payment completion screen verify merchant name on the payment sheet verify merchant domain name on the payments sheet verify “cancel” and “pay” buttons on browser sheet try to make payment with large amount larger than max allowed amount and verify the behavior make a payment using samsung pay with a card already added for the merchant’s website basic-card verify transaction notification after w3c purchase verify transaction notification after refund set payment options for shipping address and verify that browser payment sheet launches and captures shipping address input/changes by user verify that the shipping cost is updated based on a shipping address change and is reflected in the updated total amount release once your tests are successful and you are satisfied with the results, take the following steps to ready your integrated with samsung pay website for release go to the samsung pay developers portaland create a new release service sharing identical attributes with the service you successfully tested a click on service management, then click create new service b select for release pictured , then click next c select w3c mobile web payments as the service type, then click next d enter a "release" service name and select "united states" as the service country e select united states as the service country f select your payment gateway from the drop-down menu, then click connect with for gateway token mode or provide a valid csr for network token mode g enter your service domain and click add for each additional domain name, click add remember, when entering domain names on the portal, do not include a "https"//" prefix h confirm your agreement with the terms and conditions, then click next retrieve the service id from the service details page and enter copy-paste it into your website's methoddata object in place of the current testing service id when your service is approved by your samsung pay rm — as indicated in the status column of your service management dashboard — you're ready to release your integrated website to the public send queries concerning service package approval to webpayment@samsungpay com