Samsung is releasing a new feature built on the Samsung Pay core to make online transactions; they call it Samsung Pay Mini. This will expand the Samsung Pay market to affiliated online merchants (“in-app payment partners”); some of them are Fancy and Raise.

But how does Samsung Pay Mini work, and how is it integrated?

Until today, we have had no technical information about this new feature, but it is already integrated in the mentioned apps.

I decided to take a look into how the Fancy company implements Samsung Pay Mini inside its app. First, I added a product to my cart and tried to make a transaction using Samsung Pay Mini:

[Screenshot: Pay with Mini]

When I clicked the Samsung Pay button, it seemed that Samsung Pay validated the app:

[Screenshot: Validating app]

Since there was no shipping information, Samsung Pay requested that data:

[Screenshot: Add address]
[Screenshot: Test data]

After that, I was able to complete the transaction:

[Screenshot: Make payment]

This seems straightforward. But what happens under the hood when a customer presses the Samsung Pay button? By the way, I have masked some sensitive information about my account in the captures:

1.- Samsung Pay initializes its core with a connection to the server:

[Screenshot: initialization request]

Yes, it uses a GET request with some special headers; among the most important are dmid (device master id), did (device id), mid (master id) and Authorization. The server responds with an spk (special password key) and an IV (initialization vector):

[Screenshot: initialization response with spk and IV]

After initialization comes the “sign in”, a POST request with the same special headers (dmid, did, mid and Authorization). But now there is some data in the content section: some “encrypted” data (Samsung Pay is somewhat paranoid about its encryption methods).

[Screenshot: sign-in request]

The server answers with a public key and an access token! Now the system is ready to make a transaction.

[Screenshot: sign-in response with public key and access token]

With the previous authorization, the next step is to process the payment. In this process, the system validates the application to see if it is affiliated with Samsung Pay Mini. It sends data related to the app: the debuggable flag, version, code, request type, package name and a special signature.

[Screenshot: app validation request]

The server responds with JSON data: the SDK version, the package name, the Mini version and the type of partner.

[Screenshot: app validation response]

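As an added illustration (not Samsung's or Fancy's code) of what the server side of this validation step could check, here is a Python reconstruction built around the request and response fields seen in the captures above; the registry contents, the exact field names and the signing-certificate fingerprint scheme are assumptions.

```python
# Added example (not Samsung's code): a server-side partner check modelled on
# the fields seen in the app-validation request above. The registry contents,
# the dict field names and the fingerprint scheme are assumptions.
import hashlib
import hmac

# Constructed partner registry: package name -> expected signing-certificate
# SHA-256 fingerprint, minimum version code and partner type.
PARTNER_REGISTRY = {
    "com.example.fancy": {  # hypothetical package name
        "cert_sha256": hashlib.sha256(b"constructed-fancy-signing-cert").hexdigest(),
        "min_version_code": 120,
        "partner_type": "in-app",
    },
}
SDK_VERSION = "1.0"   # constructed values echoed in the response
MINI_VERSION = "1.0"


def validate_partner(req: dict) -> dict:
    """Return the validation JSON for an affiliated app, or an error dict.

    req mirrors the request fields from the capture: debuggable, version,
    code (version code), request_type, package_name and signature (here the
    raw signing-certificate bytes, an assumption)."""
    if req.get("request_type") != "validation":
        return {"error": "unsupported request type"}
    entry = PARTNER_REGISTRY.get(req.get("package_name"))
    if entry is None:
        return {"error": "package not affiliated"}
    # A debuggable build must never be accepted as a production partner build.
    if req.get("debuggable"):
        return {"error": "debuggable build rejected"}
    # Compare the presented signing certificate with the onboarded one in
    # constant time, so a wrong certificate is not distinguishable by timing.
    presented = hashlib.sha256(req.get("signature", b"")).hexdigest()
    if not hmac.compare_digest(presented, entry["cert_sha256"]):
        return {"error": "signature mismatch"}
    if int(req.get("code", 0)) < entry["min_version_code"]:
        return {"error": "app version too old"}
    return {
        "sdk_version": SDK_VERSION,
        "package_name": req["package_name"],
        "mini_version": MINI_VERSION,
        "partner_type": entry["partner_type"],
    }
```

The ordering matters: the package lookup, debuggable flag, certificate fingerprint and version floor are each checked before any partner details are returned, so a build that fails any one of them learns nothing about the others.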
While Samsung Pay is working in the background, the Fancy app is processing some important information: the shipping address and a token.

[Screenshot: Fancy app request with shipping address and token]

The server responds with a final OK answer.

[Screenshot: final OK response]