Samsung is releasing a new feature for making online transactions using the Samsung Pay core; they call it Samsung Pay Mini. This will expand the Samsung Pay market to affiliated online merchants (“in-app payment partners”), among them Fancy and Raise.

But how does Samsung Pay Mini work, and how is it integrated?

As of today, we do not have any technical information about this new feature, but it is already integrated into the apps mentioned above.

I decided to take a look into how the Fancy company implements Samsung Pay Mini inside the app; first, I added a product to my cart and tried to make a transaction using Samsung Pay Mini:

Pay with Mini

When I clicked the Samsung Pay button, it seemed that Samsung Pay validated the app:

Validating app

Since there was no shipping information, Samsung Pay requested that data:

Add address
Test data

After that, I would be able to complete the transaction:

Make payment

This seems straightforward. But what happens under the hood when a customer presses the Samsung Pay button? By the way, I have redacted some sensitive information about my account:

1.- Samsung Pay initializes its core with a connection to the server:

Yes, it uses a GET request with some special headers; the most important are dmid (device master id), did (device id), mid (master id) and Authorization. The server responds with an spk (special password key) and an IV (Initial Vector):


After initialization comes the “sign in”, a POST request with the same special headers (dmid, did, mid and Authorization). This time there is some data in the content section, and it is “encrypted” (Samsung Pay is somewhat paranoid about its encryption methods).


The server answers with a public key and access token! Now the system is ready to make a transaction.


With the previous authorization, the next step is to process the payment. In this process, the system validates the application to see if it is affiliated with Samsung Pay Mini. It sends data related to the app: debuggable, version, code, request type, packet name and special signature.


The server responds with JSON data: the SDK version indicating the package name, the Mini version and the type of partner.


While Samsung Pay is working in the background, the Fancy app is processing some important information: the shipping address and a token.


The server responds with a final OK answer.
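The requests above carry device and account identifiers (dmid, did, mid, Authorization) and key material (spk, IV, public key, access token). As an added example, not part of the original post and not Samsung's code, this is one way to mask those values in a saved HTTP message before sharing it. The JSON key names, the path, the host and the sample values are assumptions constructed for illustration.

```python
import json

# Header names are the ones named in the post; JSON key names are assumed,
# since the post does not show the real field names.
SENSITIVE_HEADERS = {"dmid", "did", "mid", "authorization"}
SENSITIVE_JSON_KEYS = {"spk", "iv", "publickey", "accesstoken"}
MASK = "<redacted>"


def mask_json(node):
    """Recursively mask sensitive keys in parsed JSON."""
    if isinstance(node, dict):
        return {k: MASK if k.lower().replace("_", "") in SENSITIVE_JSON_KEYS
                else mask_json(v) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_json(v) for v in node]
    return node


def redact_message(raw: str) -> str:
    """Mask sensitive headers and body fields in one HTTP message."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = []
    for line in head.splitlines():
        name, colon, _ = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name}: {MASK}"
        lines.append(line)
    try:
        body = json.dumps(mask_json(json.loads(body)))
    except ValueError:
        # Not JSON (e.g. the "encrypted" sign-in payload): mask it whole.
        body = MASK if body.strip() else ""
    return "\n".join(lines) + sep + body


# Constructed samples, not real captures; path, host and values are made up.
SAMPLE_REQUEST = ("GET /init HTTP/1.1\r\nHost: pay.example.invalid\r\n"
                  "dmid: AAAA1111\r\ndid: BBBB2222\r\nmid: CCCC3333\r\n"
                  "Authorization: Bearer DDDD4444\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                   '{"resultCode": "0", "spk": "EEEE5555", "iv": "FFFF6666"}')

if __name__ == "__main__":
    print(redact_message(SAMPLE_REQUEST))
    print(redact_message(SAMPLE_RESPONSE))
```

Non-JSON bodies are masked entirely because an opaque payload may still embed identifiers or be replayable.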