I am trying to integrate Google Pay into our online store using the Google Pay API, and in the tutorial, there is this snippet which set the amount to pay, and currency code in a JavaScript object like this:
paymentDataRequest.transactionInfo = {
totalPriceStatus: 'FINAL',
totalPrice: '123.45',
currencyCode: 'USD'
};
This looks awfully insecure, in that anyone can tamper with the values on the client-side before eventually clicking on the "Buy With Google Pay" button.
Of course, I can also check that values eventually sent back from the payment gateway, and then flag the order as fraud, but I'd also like to prevent this as early into the process as I can, if possible..
Thanks.
I can also check that values eventually sent back from the payment gateway
This is the only approach that will work.
I'd also like to prevent this as early into the process as I can, if possible.
It isn't possible. The client belongs to the visitor and, ultimately, is completely under their control.
You can make it harder, with obfuscation, but that makes your code harder for you to debug and doesn't stop someone from just looking at the final HTTP requests and recreating them without using your code at all.
Any data written to a device is subject to be read. When referring to secret
in the technological sense, this principle is more prominent on user-facing devices, because these are typically more exposed to other agents and individuals than machines that act as servers.
The transaction information you are passing to loadPaymentData
never determines the amount that will finally be charged. What you get back from this call is a payment method that is encrypted with a key that only your processor has, and hence, the payment processor (on the server side) is the only agent who can access this information. The final request to issue the charge continues to happen through a secure call between your server and your processor's.
In essence, using Google Pay to retrieve payment information to issue a charge is equivalent to how it's done without Google Pay except for the fact that the payment information is never exposed on the client side (since the user does not need to type it in), and thus, the process occurs with an additional layer of security in this aspect.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With