Introduction
Connection 3DSecure prerequisites
This process is based on an additional control during an online purchase: in addition to banking data, the buyer validates the payment by entering secret data provided by the bank.
This system is accompanied by a regulatory change called "liability shift". Its purpose is to transfer the chargeback risk to the buyer and no longer to the merchant, provided the buyer has validated the payment by entering 3D Secure data (One Time Password) and the merchant respects the security measures set out in the general terms and conditions agreed with the bank.
The Payline payment solution has completed 3DSecure certification with Visa and MCI.
Subscription
The merchant must subscribe to a TPV Secure contract (TPV type 3D Secure). The merchant sends the TPV with 3DSecure to Payline.
The Payline team must register the merchant with Visa and MCI (10 days are required). Upon confirmation from the Visa and MCI networks, the Payline team informs the merchant that the VADS contract is activated.
Prerequisites for using Payline payment solution
The 3D Secure solution in Direct interface mode ensures the secure transfer of sensitive data and processes authentication and authorization requests.
Integration points:
- verifyEnrollment is required to provide authentication and doAuthorization to perform the authorization;
- get the result of the transaction with getTransactionDetails.
You must check the service access key and configure the SOAP UI setting.
3D-Secure in Direct Interface mode with a payment
The following steps present the verifyEnrollment and doAuthorization web services used to perform a 3DSecure transaction through the Payline direct interface.
Step 1 - verifyEnrollment
This first web service call verifies eligibility for 3DSecure, that is, whether the cardholder is registered with a VISA or Mastercard Directory Server.
An example request/response for the verifyEnrollment web service is shown below:
verifyEnrollmentRequest | verifyEnrollmentResponse |
---|---|
<impl:verifyEnrollmentRequest> | <verifyEnrollmentResponse> <termUrlName>TermUrl</termUrlName> |
Once the verifyEnrollment is done, authentication with the ACS server must be performed. To do this, the information returned by verifyEnrollment must be sent to the authentication server.
Sending information
To send this information, create an HTML form for POST, or a link for GET:
POST: The information will be sent to authentication server through the form below. The field names and values are dynamically retrieved from the verifyEnrollmentResponse.
Session tracking: value to retrieve from the verifyEnrollment response
mdFieldName = MD
mdFieldValue = 1Fz9nEnAZJNn8NvXEKDT
Authentication request: value to retrieve in verifyEnrollment
pareqFieldName = PaReq
pareqFieldValue = eJxVkdtuwjAMhl+l4gGaA...
Address to which the authentication server sends its response. This address must be able to receive a form sent by POST that contains the result of the user authentication.
termUrlName = TermUrl
termUrlValue = https://acs.modirum.com/mdpayacs.php
Sample HTML form to perform a test on your server:
HTML form |
---|
<form name="downloadForm" action="https://acs.modirum.com/mdpayacs/pareq" method="POST"> |
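One way to generate this form from the verifyEnrollmentResponse fields, as an added Python example that is not Payline code: `build_acs_form` and its `acs_url` parameter are hypothetical names, the PaReq value is a shortened placeholder and the TermUrl host is constructed. Because the field names and values are taken dynamically from a remote response, each one is HTML-escaped and the ACS address is required to be https.

```python
import html
from urllib.parse import urlsplit

# Constructed sample shaped like the fields listed above. The PaReq value is a
# shortened placeholder and the TermUrl host is made up.
SAMPLE_RESPONSE = {
    "mdFieldName": "MD",
    "mdFieldValue": "1Fz9nEnAZJNn8NvXEKDT",
    "pareqFieldName": "PaReq",
    "pareqFieldValue": "eJxVkdtuwjAMhl+l4gGaA",
    "termUrlName": "TermUrl",
    "termUrlValue": "https://shop.example/3DSecure/receive_form.php",
}

FIELD_PAIRS = (
    ("mdFieldName", "mdFieldValue"),
    ("pareqFieldName", "pareqFieldValue"),
    ("termUrlName", "termUrlValue"),
)


def build_acs_form(acs_url, response):
    """Return the HTML form that POSTs MD, PaReq and TermUrl to the ACS."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("ACS URL must be an absolute https URL")

    lines = ['<form name="downloadForm" action="%s" method="POST">'
             % html.escape(acs_url, quote=True)]
    for name_key, value_key in FIELD_PAIRS:
        name, value = response.get(name_key), response.get(value_key)
        if not name or not value:
            raise ValueError("missing %s/%s in response" % (name_key, value_key))
        # Names and values come from a remote response: escape both so a
        # stray quote or angle bracket cannot break out of the attribute.
        lines.append('<input type="hidden" name="%s" value="%s">'
                     % (html.escape(name, quote=True),
                        html.escape(value, quote=True)))
    lines.append('<input type="submit" value="Continue">')
    lines.append("</form>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_acs_form("https://acs.modirum.com/mdpayacs/pareq", SAMPLE_RESPONSE))
```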
Receipt of information returned during authentication
The authentication server sends its message to the URL entered in the TermURL parameter (sent in the previous form). In the response form, two fields must be retrieved to continue the transaction in 3DSecure mode:
- The MD field: the same field as before, used to track the session
- The Payer Authentication Response (PaRes) field: an encrypted string containing the response of the authentication server. The value of the PaRes field determines whether or not the transaction is validated as a 3DSecure transaction.
These two fields are retrieved and used to complete the doAuthorizationRequest in 3DSecure mode.
Sample script (here written in PHP) to retrieve the authentication response:
Script PHP : receive_form.php |
---|
<?php |
Note: This script must be placed on a running web server, in a folder corresponding to the address sent in the TermURL field.
Example: if the server is local, the value can be:
TermURL = http://127.0.0.1/3DSecure/receive_form.php
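The receiving side of the exchange described above, as an added Python example that is not Payline code: `read_acs_callback` and `MAX_PARES_LEN` are hypothetical names, the size limit is an assumption, and the sample PaRes is a constructed placeholder. It parses the form body posted to TermUrl, requires exactly one MD and one PaRes field, and checks that MD matches the value stored with the pending order before the pair is passed on to doAuthorization.

```python
import hmac
from urllib.parse import parse_qs, urlencode

MAX_PARES_LEN = 64 * 1024  # assumed upper bound for a PaRes value


def _single(fields, name):
    """Return the only value of a form field, rejecting absent or repeated ones."""
    values = fields.get(name, [])
    if len(values) != 1:
        raise ValueError("expected exactly one %s field" % name)
    return values[0]


def read_acs_callback(body, expected_md):
    """Parse the urlencoded body POSTed to TermUrl.

    expected_md is the mdFieldValue saved server-side when verifyEnrollment
    was called. Returns the md / pares pair to use in doAuthorization.
    """
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    md = _single(fields, "MD")
    pares = _single(fields, "PaRes")
    # The callback must belong to the session opened by verifyEnrollment.
    if not hmac.compare_digest(md.encode(), expected_md.encode()):
        raise ValueError("MD does not match the pending session")
    if not pares or len(pares) > MAX_PARES_LEN:
        raise ValueError("PaRes is empty or too large")
    return {"md": md, "pares": pares}


if __name__ == "__main__":
    # Constructed callback body; the PaRes value is a placeholder.
    sample = urlencode({"MD": "1Fz9nEnAZJNn8NvXEKDT", "PaRes": "eJx+abc/def="})
    print(read_acs_callback(sample, "1Fz9nEnAZJNn8NvXEKDT"))
```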
Step 2 - doAuthorization with 3D Secure settings
The doAuthorization service allows you to perform the transaction with the 3DSecure parameters.
The md and pares parameters make it possible to check the user authentication, and thus the user's identity, before carrying out the transaction.
If the parameters are correct, the transaction is carried out as an authorization request.
doAuthorizationRequest | doAuthorizationResponse |
---|---|
<impl:doAuthorizationRequest> | <doAuthorizationResponse> |
Back Office
The 'Technical follow-up of webservice calls' menu lets you find the verifyEnrollment web service call and view its details.
The result of the 3DSecure transaction is then visible in the Payline Administration Center: in the search results and in the 3DSecure tab of the transaction detail.
Transaction search screen:
3DSecure transaction Details:
3D Secure payment scheme
- The consumer validates his shopping cart, then the merchant prepares the web page where the payment data will be entered.
  A VEReq (Verification Enrollment Request) message is sent to the Directory Server to verify that the card is registered in the directory of cards declared "enlisted" in 3-D Secure and to obtain the ACS URL.
  The verification enrollment response, containing the authentication result, is returned to the Merchant Plug-in (MPI) to manage the dialogue with the Directory and the ACS so that the buyer can authenticate.
- The merchant redirects the consumer to the ACS URL for authentication.
  The "PAReq" request (Payer authentication request) is sent to the bank's ACS to trigger the authentication phase.
  The "PARes" response (Payer authentication response), containing the cardholder's authentication result, is transmitted to the merchant.
- The merchant can trigger a request for authorization and payment validation by calling the doAuthorizationRequest service.
- The merchant retrieves the transaction details by calling the getTransactionDetails service.