Android SafetyNet and Device Verification

A few Android news sites have a story about why Google Pay won’t work on rooted Android devices, and about how Jason Clinton of Google posted a message on the XDA forum with more details on why this happens. An excerpt from Jason’s post:

While the platform can and should continue to thrive as a developer-friendly environment, there are a handful of applications (that are not part of the platform) where we have to ensure that the security model of Android is intact. That “ensuring” is done by Android Pay and even third-party applications through the SafetyNet API. As you all might imagine, when payment credentials and–by proxy–real money are involved, security people like me get extra nervous. I and my counterparts in the payments industry took a long, hard look at how to make sure that Android Pay is running on a device that has a well documented set of APIs and a well understood security model. We concluded that the only way to do this for Android Pay was to ensure that the Android device passes the compatibility test suite–which includes checks for the security model. The earlier Google Wallet tap-and-pay service was structured differently and gave Wallet the ability to independently evaluate the risk of every transaction before payment authorization. In contrast, in Android Pay, we work with payment networks and banks to tokenize your actual card information and only pass this token info to the merchant. The merchant then clears these transactions like traditional card purchases.

Full post:
http://forum.xda-developers.com/google-nexus-5/general/android-pay-custom-rom-t3199843/post62981452#post62981452

A bit more on the Android SafetyNet API, from Google’s developer site:

“SafetyNet provides services for analyzing the configuration of a particular device, to make sure that apps function properly on a particular device and that users have a great experience. The service provides an API your app can use to analyze the device where it is installed. The API uses software and hardware information on the device where your app is installed to create a profile of that device. The service then attempts to match it to a list of device models that have passed Android compatibility testing. This check can help you decide if the device is configured in a way that is consistent with the Android platform specifications and has the capabilities to run your app.”

https://source.android.com/compatibility/cts/index.html
https://developer.android.com/training/safetynet/index.html
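To make the relying-party side of that check concrete, here is a Python example added to this post (it is not code from Google’s documentation or from the forum thread) that parses a SafetyNet attestation statement, a compact JWS, and applies the server-side policy checks to its payload. The field names used (nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, ctsProfileMatch, basicIntegrity) are those of the attestation response; the sample statement, nonce, package name, certificate digest and clock value are constructed for the example, and the signature segment is a placeholder. The RS256 signature must be verified against the x5c certificate chain, with the leaf issued to attest.android.com, before any of these payload checks mean anything; that step needs a JOSE/X.509 library and is assumed to have happened before the payload is decoded here.

```python
import base64
import json

# Constructed fixtures (not real values): the nonce the server issued for this
# session, the app's package name, the base64 SHA-256 of its signing
# certificate, and a fixed "current time" for the freshness check.
SAMPLE_NONCE = base64.b64encode(b"constructed-server-nonce-0001").decode("ascii")
SAMPLE_PACKAGE = "com.example.constructedpay"
SAMPLE_CERT_DIGEST = base64.b64encode(b"\x11" * 32).decode("ascii")
SAMPLE_NOW_MS = 1_700_000_000_000

def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def build_sample_statement(payload: dict) -> str:
    """Test fixture only: header.payload.signature with a placeholder signature.
    A real statement is signed by Google and carries its cert chain in x5c."""
    header = {"alg": "RS256", "x5c": ["<constructed placeholder certificate>"]}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed placeholder signature"),
    ])

def decode_statement_payload(jws: str) -> dict:
    """Split the compact JWS and return its payload. Assumes the RS256 signature
    was already verified against the x5c chain (leaf issued to attest.android.com)
    with a JOSE/X.509 library; that verification is not performed here."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256" or not header.get("x5c"):
        raise ValueError("unexpected header: attestation statements are RS256 with an x5c chain")
    return json.loads(_b64url_decode(parts[1]))

def evaluate_attestation(payload: dict, expected_nonce: str, expected_package: str,
                         expected_cert_digests: set, now_ms: int,
                         max_age_ms: int = 120_000) -> tuple:
    """Apply the relying party's policy to a verified payload.
    Returns (accepted, reasons); accepted is True only when no check failed."""
    reasons = []
    # The nonce binds the statement to this session; a mismatch means replay
    # or a statement minted for some other request.
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    # Freshness: reject stale statements, tolerate a little clock skew forward.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not (now_ms - max_age_ms <= ts <= now_ms + 60_000):
        reasons.append("timestampMs outside freshness window")
    # The statement must be about our app, signed with a certificate we know.
    if payload.get("apkPackageName") != expected_package:
        reasons.append("apkPackageName is not our package")
    digests = set(payload.get("apkCertificateDigestSha256", []))
    if not digests or not digests <= expected_cert_digests:
        reasons.append("apkCertificateDigestSha256 not recognised")
    # Fail closed: a missing verdict is treated the same as a false one.
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity is not true (device integrity compromised)")
    # ctsProfileMatch false with basicIntegrity true is the custom ROM or
    # unlocked-bootloader case discussed above: the device is not CTS-certified.
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch is not true (device profile not CTS-certified)")
    return (not reasons, reasons)

def sample_payload(cts_profile_match: bool) -> dict:
    """Constructed payload using the response's real field names."""
    return {
        "nonce": SAMPLE_NONCE,
        "timestampMs": SAMPLE_NOW_MS - 5_000,
        "apkPackageName": SAMPLE_PACKAGE,
        "apkCertificateDigestSha256": [SAMPLE_CERT_DIGEST],
        "ctsProfileMatch": cts_profile_match,
        "basicIntegrity": True,
    }

def check_sample(cts_profile_match: bool, expected_nonce: str = SAMPLE_NONCE) -> tuple:
    """End-to-end run over a constructed statement."""
    statement = build_sample_statement(sample_payload(cts_profile_match))
    payload = decode_statement_payload(statement)
    return evaluate_attestation(payload, expected_nonce, SAMPLE_PACKAGE,
                                {SAMPLE_CERT_DIGEST}, SAMPLE_NOW_MS)

if __name__ == "__main__":
    for cts in (True, False):
        accepted, reasons = check_sample(cts)
        print(f"ctsProfileMatch={cts}: accepted={accepted} reasons={reasons}")
```

The policy is deliberately a list of independent checks that all have to pass, so a rejected statement reports every reason rather than the first one; that makes it much easier to tell a replayed nonce from a device that merely failed CTS certification when the logs are reviewed.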

Google security engineer explains why Android Pay doesn’t work on rooted devices (Softpedia):
http://news.softpedia.com/news/google-explains-why-android-pay-won-t-work-on-rooted-phones-492854.shtml
