Implementing SDK Payer Authentication
This chapter summarizes the process of integrating SDK Payer Authentication services into
your mobile application. Payer authentication services use the Mobile SDK for iOS or
Android to facilitate the authentication. New SDK versions are frequently released and
you should ensure that you stay current with the latest release. One way to stay
informed about new releases is to subscribe to a distribution list that announces
updates and other product announcements. You can subscribe by going to this link: CardinalMobileSDKNotifications
Implementing the SDK in your mobile application requires either Android or iOS platform
application programming skills. Android API 21 or iOS 9 and Xcode 8 are required.
The SDK is only designed to handle EMV 3-D Secure 2.x transactions.
Implementation Overview
Notify your account representative that you want to implement payer authentication (EMV
3-D Secure). Give the representative the merchant ID that you will use for
testing. For more information, see Payer Authentication Merchant Workflow.
IMPORTANT
The SDK integration operates in a similar
manner to the Direct API integration, but SDK does not have a Setup service step.
Implementation tasks include:
- Download, import, and configure the Mobile SDK for either iOS or Android.
- For each purchase request:
- Build the authentication request.
- Invoke the authentication.
- Handle declines.
- Make another back-end, server-to-server call to request these services:
- Payer Authentication Validation
- Card Authorization service (optional)
- Use the test cases to test your preliminary code and make appropriate changes. See Testing Payer Authentication.
- Ensure that your account is configured for production.
Note that calling the Payer Authentication Setup Service is not required with the SDK
mobile version.
Process Flow for SDK Integration
The steps required to integrate payer authentication into an SDK mobile application are
described below.
- Contact customer support to register for an API key.
- Download and import the Mobile SDK for either iOS or Android.
- Set up your build environment.
- Configure your SDK.
- Set up the initial call to Cardinal.
- Create an API call to your merchant server to request the Enrollment Check service, passing in the transaction details and the consumerAuthenticationInformation.referenceId request field.
- If the issuing bank does not require authentication, you receive this information in the Enrollment Check response:
- E-commerce indicator (consumerAuthenticationInformation.ecommerceIndicator)
- CAVV (all card types except Mastercard) (consumerAuthenticationInformation.cavv)
- AAV (Mastercard only) (consumerAuthenticationInformation.ucafCollectionIndicator)
- Transaction ID (consumerAuthenticationInformation.xid)
- 3-D Secure version (consumerAuthenticationInformation.specificationVersion)
- Directory server transaction ID (consumerAuthenticationInformation.directoryServerTransactionId)
- If the issuing bank requires authentication, you receive a response with the payload and the transaction ID that you include in the Cardinal.continue call from your SDK.
- The Mobile SDK displays an authentication window, and the customer enters the authentication information into that window.
- The bank validates the customer credentials, and the SDK returns a JSON Web Token (JWT) in the onValidated callback. For security reasons, the merchant is required to validate this JWT server-side.
- Create an API call to your merchant server to request the Validate Authentication service, extracting the processor transaction ID value from the JWT and sending it in the consumerAuthenticationInformation.authenticationTransactionId request field. You receive the e-commerce indicator, CAVV or AAV, transaction ID, 3-D Secure version, and directory server transaction ID.
Verify that the authentication was successful and continue processing your
order.
You must pass all pertinent data for the card type and processor in your
authorization request. For more information, see Requesting the Validation Service.
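As an added example (not Cybersource's or Cardinal's code), here is the server-side step the flow above requires: the merchant server verifies the JWT returned in the onValidated callback before extracting the processor transaction ID for the consumerAuthenticationInformation.authenticationTransactionId request field. It assumes the token is an HS256 JWT signed with the merchant's API key and that the transaction ID travels in a claim named processorTransactionId; the claim name, the sample key, and the sample token are assumptions and constructed values, not values from this page.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def validate_sdk_jwt(token: str, api_key: str, now: float = None) -> dict:
    """Verify the JWT handed back by the SDK's onValidated callback and return its claims.
    Any failure raises ValueError, so a caller can never act on an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token pick it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(api_key.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims

def build_validate_request(claims: dict) -> dict:
    """Build the consumerAuthenticationInformation block for the Validate Authentication call."""
    # "processorTransactionId" is an assumed claim name; use the one your SDK version documents.
    tx_id = claims.get("processorTransactionId")
    if not tx_id:
        raise ValueError("JWT carries no processor transaction ID")
    return {"consumerAuthenticationInformation": {"authenticationTransactionId": tx_id}}

def make_sample_token(api_key: str, claims: dict) -> str:
    """Constructed sample token standing in for what the SDK returns (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(api_key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

API_KEY = "constructed-demo-api-key"  # placeholder; never a real key
SAMPLE = make_sample_token(API_KEY, {"processorTransactionId": "demo-tx-123", "exp": 4102444800})
```

Only the claims returned by validate_sdk_jwt should feed build_validate_request; a token that fails any check is discarded before the Validate Authentication call is made.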
Prerequisites for SDK Implementation
Before you can implement payer authentication services, your business team must contact
your acquirer to establish the service. Your
software development team should become familiar with the API fields and technical
details of this service.
Cybersource
Creating a mobile application with the SDK implementation requires that you perform some
preliminary procedures before starting the actual payer authentication
implementation process. These procedures, which involve JWTs, are described in this
section.
What Mobile Device Data is Collected
One of the key components to authenticating a cardholder during an online transaction is
to compare information about the mobile device that the buyer is using to the
information about mobile devices that the buyer used in past transactions. This
information is maintained in the access control server (ACS) at the issuing bank.
In mobile device transactions, information collected about the buyer device can
include:
- Device ID
- Device model
- Operating system version
- System language
- Country
- Time zone
- Screen dimensions
A successful device data collection process that includes the eleven browser fields listed
in the check enrollment step increases the chances of a frictionless authentication.
Whether a transaction is escalated to a level of risk high enough to require
challenging the buyer to authenticate their identity is decided by business rules that
are configured in the issuer's risk analysis software, which evaluates each
transaction.
Using the Android SDK
A mobile SDK is available for integrating payer authentication services into mobile
applications running on the Android platform.
Using the iOS SDK
A mobile SDK is available for integrating payer authentication services into mobile
applications running on the iOS platform.
Running Payer Authentication with SDK
The payer authentication process in SDK requires checking whether a customer is
participating in a card authentication program. If the customer is enrolled in payer
authentication, you validate their current status in the program and authorize the
transaction. The following procedures describe how to ensure the correct data values are
passed during the payer authentication process.