In RuPay Redirection Flow, the card issuer hosts an entry page on the payment terminal
where the cardholder enters a one-time password (OTP). Redirecting the OTP process from
the merchant to the issuer results in extra processing time and timeouts. In RuPay
Seamless Flow, the merchant, who must be PCI DSS compliant, hosts the OTP entry page,
providing a more seamless experience and reducing transaction timeouts. You might have
to use tokenization to ensure PCI DSS compliance.
Figure: Example of an OTP Page
To use the RuPay Seamless workflow, contact the merchant reseller or customer support to
have the account configured with this service.
The OTP entry page is part of the two-factor authentication used in payer authentication
for the transaction. If you are PCI DSS compliant and can host the OTP entry page, use
this workflow:
1. When payer authentication is initiated, it checks if the transaction is with RuPay.
   - When the transaction is not with RuPay, Cardinal Direct does the payer
     authentication.
   - When it is a RuPay transaction, the BIN of the issuer is checked to determine
     whether to use the Redirection Flow or the Seamless Flow.
2. If the Seamless Flow is used, the Payer Authentication Enrollment service sends a
   call to the issuer to create and send an OTP to the cardholder.
3. Payer Authentication prompts the merchant to display a page on the payment terminal
   for the cardholder to enter the OTP that is received on their phone.
4. The OTP entered by the cardholder is authenticated with the Payer Authentication
   Validation service using the ID associated with the OTP that was sent to the
   cardholder.
5. After the OTP is validated, the validation response returns a validation transaction
   context ID. Send this ID in the authorization request.
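
The workflow above from the merchant side, as an added example that is not the payment provider's code or API: the OTP ID is held in server-side session state and authorization is refused until validation has returned a context ID. All class, function and field names, the BIN value and the in-memory stub service are assumptions made for illustration.

```python
import secrets

def choose_flow(card, seamless_bins):
    """Routing step of the workflow; 'network' and 'bin' are assumed field names."""
    if card["network"] != "RUPAY":
        return "CARDINAL_DIRECT"
    return "SEAMLESS" if card["bin"] in seamless_bins else "REDIRECTION"

class StubPayerAuth:
    """Constructed in-memory stand-in for the Enrollment and Validation services."""
    def __init__(self):
        self._sent = {}  # otp_id -> OTP the issuer "sent" to the cardholder

    def enroll(self, card):
        otp_id = secrets.token_hex(8)
        self._sent[otp_id] = f"{secrets.randbelow(10**6):06d}"
        return {"otp_id": otp_id}

    def validate(self, otp_id, otp):
        expected = self._sent.get(otp_id)
        if expected is None or not secrets.compare_digest(expected.encode(), otp.encode()):
            return {"status": "FAILED"}
        del self._sent[otp_id]  # a validated OTP cannot be replayed
        return {"status": "OK", "validation_context_id": secrets.token_hex(8)}

class Checkout:
    """Merchant side: the OTP ID and context ID stay in server-side session state."""
    def __init__(self, service, seamless_bins):
        self.service, self.seamless_bins, self.session = service, seamless_bins, {}

    def start(self, card):
        flow = choose_flow(card, self.seamless_bins)
        if flow == "SEAMLESS":
            self.session["otp_id"] = self.service.enroll(card)["otp_id"]
        return flow

    def submit_otp(self, otp):
        # Validate against the ID stored at enrollment, never one posted by the browser.
        result = self.service.validate(self.session.get("otp_id", ""), otp)
        if result["status"] == "OK":
            self.session["validation_context_id"] = result["validation_context_id"]
        return result["status"] == "OK"

    def authorization_request(self, amount):
        ctx = self.session.get("validation_context_id")
        if ctx is None:
            raise PermissionError("OTP not validated; refusing to authorize")
        return {"amount": amount, "validation_context_id": ctx}
```

The OTP value itself is passed straight to validation and is never stored or logged by the merchant code.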