Authenticating Cards Using Redirection
After verifying that a customer’s card is enrolled in a card authentication program, you
must redirect the customer to the URL of the card-issuing bank’s Access Control Server
(ACS URL).
The HTTP POST request web form must contain the following:
- PAReq data
- Termination URL (TermURL)
- Merchant data (MD)
The MD value must be posted for RuPay. If necessary, you can include it for other card
brands as well.
HTML Frame Requirements
When your customers are redirected to the ACS URL, their browsers display the frame
containing the password authentication page of the card-issuing bank or the option to
sign up for the program (activation form).
On the page that contains the in-line frame for the ACS URL:
- Ensure that the HTML frame is large enough to accommodate the card-issuer’s authentication or activation form, and the text that describes the process to the customer.
- Provide a brief message outside the HTML frame to guide customers through the process. For example, “We are processing your request. Do not click the Back button or refresh the page or this transaction may be interrupted.”
HTTP Post Form
The page typically includes JavaScript that automatically posts the form. This code provides:
- A page that receives the reply fields for the enrollment check service.
- A form that contains the required data for the card-issuing bank.
Example: POST Form
    if card is enrolled == TRUE Then
        variable acsURL = <acsURL reply field>
        variable paReq = <paReq reply field>
        <!-- The form posts itself into the in-line frame as soon as the page loads -->
        <body onload="document.PAEnrollForm.submit();">
        <form id="PAEnrollForm" name="PAEnrollForm" action="acsURL value" method="post" target="paInlineFrame">
            <input type="hidden" name="PaReq" value="paReq value" />
            <input type="hidden" name="TermUrl" value="http://myPAValidationPage.ext" />
            <!-- MD carries the XID so the reply can be matched to this transaction -->
            <input type="hidden" name="MD" value="<xid value>" />
        </form>
        </body>
    else
PARes Message from the RuPay Card-Issuing Bank
The card-issuing bank sends a PARes message to your TermURL in response to the PAReq data
that was sent with the web form. The PARes message is sent by using an HTTP POST request
and contains the result of the requested authentication.
The signed PaRes field contains a base64-encoded string with this information:
- PARes—Digitally signed payer authentication response message that contains the authentication result. (Note that while the field name has a lowercase “a” (PaRes), the message name has an uppercase “A” (PARes)).
- MD—Merchant data, which must be submitted for RuPay.
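The TermURL page is reachable by any browser, so the POST it receives should be checked before the PaRes value is passed on for validation. The following is an added example, not code from this documentation: the names handleTermUrlPost and pendingByMd, the in-memory store, and the sample values are hypothetical, and it assumes that the MD you posted in the redirect form is the key under which you stored the pending transaction.

```javascript
// Added example (Node.js, no dependencies). All names and values are constructed.

// Transactions waiting for an issuer reply, keyed by the MD (XID) posted to the ACS.
const pendingByMd = new Map([
  ["xid-0001", { orderId: "order-1001", used: false }],
]);

const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Checks one TermURL request and returns { ok, reason } or { ok, orderId, paRes }.
function handleTermUrlPost(method, contentType, body, pending = pendingByMd) {
  if (method !== "POST") return { ok: false, reason: "method" };
  if (!/^application\/x-www-form-urlencoded\b/i.test(contentType || "")) {
    return { ok: false, reason: "content-type" };
  }
  const form = new URLSearchParams(body);
  // Field name is PaRes (lowercase "a"); drop line breaks inside the base64 text.
  const paRes = (form.get("PaRes") || "").replace(/[\r\n]/g, "");
  const md = form.get("MD") || "";
  if (!paRes || !md) return { ok: false, reason: "missing-field" };

  // MD must belong to a transaction we started and have not completed yet.
  const txn = pending.get(md);
  if (!txn) return { ok: false, reason: "unknown-md" };
  if (txn.used) return { ok: false, reason: "replayed-md" };

  // Structural check only: the value must look like base64.
  if (paRes.length % 4 !== 0 || !BASE64_RE.test(paRes)) {
    return { ok: false, reason: "malformed-pares" };
  }
  txn.used = true; // one reply per transaction
  // The PARes signature is NOT verified here; pass paRes to your
  // validation step and trust only the result of that step.
  return { ok: true, orderId: txn.orderId, paRes };
}

// Constructed sample request body, as a browser would submit it.
const samplePaRes = Buffer.from("constructed PARes payload").toString("base64");
const sampleBody = "PaRes=" + encodeURIComponent(samplePaRes) + "&MD=xid-0001";
const formType = "application/x-www-form-urlencoded";
console.log(handleTermUrlPost("POST", formType, sampleBody));
console.log(handleTermUrlPost("POST", formType, sampleBody)); // second post is refused
```

A rejected request should be logged together with its MD value, because repeated unknown or replayed MD values indicate that someone is posting to the TermURL directly.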