Google Secure Payment Authentication
Google Secure Payment Authentication (SPA) enables you to authenticate cardholders to comply with Strong Customer Authentication (SCA) requirements, including the revised Payment Services Directive (PSD2).
Cardholders complete biometric authentication directly from the merchant domain, using the Google web front end. This eliminates the need to redirect the cardholder to perform a 3D Secure (3DS) challenge. For example, the cardholder can authenticate the payment with their fingerprint instead of retrieving a one-time password externally.
Google SPA is available for payments performed using a Visa card on Google Chrome for Android.
Note
Google SPA does not support network token payments.
After the initial authentication, the cardholder's payment credentials are bound to the device, enabling easy reuse for future transactions.

With Google SPA you benefit by:
- Providing an enhanced user experience for your cardholders
- Increasing your protection against fraud, as the cardholder must complete Strong Customer Authentication (SCA) to approve the transaction
- Reducing your liability shift, as transactions benefit from the same fraud protection rules as DPAN transactions in Google Pay
Information
Electronic Commerce Indicator (ECI) value 05 will be applied to successful Visa transactions.
If you authenticate payments using our integrated authentication solution, you can specify your preferred authentication experiences in your request using the authentication.preferred_experiences field.
The order in which you specify values in the array determines your preference. For example, if you specify google_spa as the first value in the array, Google SPA is your primary authentication experience.
To enable automatic fallback to 3DS if Google SPA is not available, you must include 3ds in the array. For example, ["google_spa", "3ds"].
Information
If you authenticate payments using our standalone authentication solution, see the Hosted standalone or Non-hosted standalone documentation.
Checkout.com automatically routes the cardholder to a Google SPA or 3DS authentication experience, based on which is more likely to result in a successful completion. For the automatic routing to function, you must provide 3DS authentication data in all of your payment requests.
If the initial authentication experience fails or is declined by the customer, we automatically fall back to the alternative authentication experience to prevent a lost transaction.
If you host the payment page in an iframe, you must explicitly add payment permission to the iframe to allow payments to complete. Include the allow="payment *" attribute in all parent frames:
<iframe src="https://example.com" allow="payment *"></iframe>
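One way to check the iframe requirement above before release, as an added example that is not Checkout.com's own code: the script parses one HTML document and reports, for each iframe, whether the payment permission is delegated, missing, or explicitly blocked. The function names and the sample markup are constructed for illustration; run it against the document at every level of the frame chain.

```python
from html.parser import HTMLParser


def parse_allow(value):
    """Split an iframe allow attribute into {feature: [allowlist tokens]}."""
    policy = {}
    for directive in (value or "").split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


class IframeAudit(HTMLParser):
    """Collects (src, status, payment allowlist) for every iframe tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)
        policy = parse_allow(attr.get("allow"))
        if "payment" not in policy:
            status = "missing"      # payment is not delegated to this frame
        elif policy["payment"] == ["'none'"]:
            status = "blocked"      # feature explicitly disabled
        else:
            status = "delegated"    # an empty allowlist means the src origin
        self.findings.append((attr.get("src") or "", status, policy.get("payment", [])))


def audit(html):
    """Return the audit findings for every iframe in one HTML document."""
    parser = IframeAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample markup: one compliant frame, two that would stop payments.
SAMPLE = """
<iframe src="https://example.com" allow="payment *"></iframe>
<iframe src="https://example.com/checkout"></iframe>
<iframe src="https://example.com/pay" allow="fullscreen; payment 'none'"></iframe>
"""

if __name__ == "__main__":
    for src, status, allowlist in audit(SAMPLE):
        print(f"{status:10} {src} {allowlist}")
```

Any frame reported as missing or blocked needs the allow attribute corrected before payments can complete inside it.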