Implementing SDK Payer Authentication

This chapter summarizes the process of integrating SDK Payer Authentication services into your mobile application. Payer authentication services use the Mobile SDK for iOS or Android to facilitate the authentication. New SDK versions are released frequently, and you should stay current with the latest release. One way to stay informed about new releases is to subscribe to a distribution list for updates and other product announcements. You can subscribe by going to this link: CardinalMobileSDKNotifications
Implementing the SDK in your mobile application requires either Android or iOS platform application programming skills. Android API 21 or iOS 9 and Xcode 8 are required.
The SDK is only designed to handle EMV 3-D Secure 2.x transactions.

Implementation Overview

Notify your account representative that you want to implement payer authentication (EMV 3-D Secure). Give the representative the merchant ID that you will use for testing. For more information, see Payer Authentication Merchant Workflow.
Implementation tasks include:
  • Download, import, and configure the Mobile SDK for either iOS or Android.
  • For each purchase request:
    • Build the authentication request.
    • Invoke the authentication.
    • Handle declines.
    • Make another back-end, server-to-server call to request these services:
      • Payer Authentication Validation
      • Card Authorization service (optional)
  • Use the test cases to test your preliminary code and make appropriate changes. See Testing Payer Authentication.
  • Ensure that your account is configured for production.
Note that calling the Payer Authentication Setup Service is not required with the SDK mobile version.

Process Flow for SDK Integration

The steps required to integrate payer authentication into an SDK mobile application are described below.
  1. Contact customer support to register for an API key.
  2. Download and import the Mobile SDK for either iOS or Android.
  3. Set up your build environment.
  4. Configure your SDK.
  5. Set up the initial call to Cardinal.
  6. Create an API call to your merchant server to request the Enrollment Check service, passing in transaction details and the consumerAuthenticationInformation.referenceId request field.
  7. If the issuing bank does not require authentication, you receive this information in the Enrollment Check response:
    • E-commerce indicator (consumerAuthenticationInformation.ecommerceIndicator)
    • CAVV (all card types except Mastercard) (consumerAuthenticationInformation.cavv)
    • AAV (Mastercard only) (consumerAuthenticationInformation.ucafCollectionIndicator)
    • Transaction ID (consumerAuthenticationInformation.xid)
    • 3-D Secure version (consumerAuthenticationInformation.specificationVersion)
    • Directory server transaction ID (consumerAuthenticationInformation.directoryServerTransactionId)
  8. If the issuing bank requires authentication, you receive a response with the payload and the transaction ID that you include in the Cardinal.continue call from your SDK.
  9. The Mobile SDK displays an authentication window, and the customer enters the authentication information into that window.
  10. The bank validates the customer credentials, and the SDK returns a JSON Web Token (JWT) in the onValidated callback. The merchant is required to validate this JWT server-side for security reasons.
  11. Create an API call to your merchant server to request the Validate Authentication service, extracting the processor transaction ID value from the JWT and sending it in the consumerAuthenticationInformation.authenticationTransactionId request field. You receive the e-commerce indicator, CAVV or AAV, transaction ID, 3-D Secure version, and directory server transaction ID.
Verify that the authentication was successful and continue processing your order.
You must pass all pertinent data for the card type and processor in your authorization request. For more information, see Requesting the Validation Service.

Prerequisites for SDK Implementation

Before you can implement payer authentication services, your business team must contact your acquirer and Cybersource to establish the service. Your software development team should become familiar with the API fields and technical details of this service.
Creating a mobile application with the SDK implementation requires that you perform some preliminary procedures before starting the actual payer authentication implementation process. These processes involving JWTs are described in this section.

What Mobile Device Data is Collected

One of the key components to authenticating a cardholder during an online transaction is to compare information about the mobile device that the buyer is using to the information about mobile devices that the buyer used in past transactions. This information is maintained in the access control server (ACS) at the issuing bank.
In mobile device transactions, information collected about the buyer device can include:
  • Device ID
  • Device model
  • Operating system version
  • System language
  • Country
  • Time zone
  • Screen dimensions
A successful device data collection process that includes the eleven browser fields listed in the check enrollment step increases the chances of a frictionless authentication. The decision to escalate a transaction to a level of risk high enough to require challenging the buyer to authenticate their identity is managed by business rules that are configured in the issuer's risk analysis software that evaluates each transaction.

Using the Android SDK

A mobile SDK is available for integrating payer authentication services into mobile applications running on the Android platform.

Using the iOS SDK

A mobile SDK is available for integrating payer authentication services into mobile applications running on the iOS platform.

Running Payer Authentication with SDK

The payer authentication process in SDK requires checking whether a customer is participating in a card authentication program. If the customer is enrolled in payer authentication, you validate their current status in the program and authorize the transaction. The following procedures describe how to ensure the correct data values are passed during the payer authentication process.