Running Payer Authentication with SDK
The payer authentication process in SDK requires checking whether a customer is
participating in a card authentication program. If the customer is enrolled in payer
authentication, you validate their current status in the program and authorize the
transaction. The following procedures describe how to ensure the correct data values are
passed during the payer authentication process.
Requesting the Check Enrollment Service (SDK)
After the SDK completes the device collection from your mobile application, and after the
customer clicks the Buy button, you must make a back-end, server-to-server call to
request the Enrollment Check service.
The Check Enrollment service verifies that the card is enrolled in a card authentication
program. The merchant ID is included as part of the header, but these fields are
required in the request:
- consumerAuthenticationInformation.referenceId
- orderInformation.amountDetails.currency
- orderInformation.amountDetails.totalAmount
- orderInformation.billTo.address1
- orderInformation.billTo.administrativeArea
- orderInformation.billTo.country
- orderInformation.billTo.email
- orderInformation.billTo.firstName
- orderInformation.billTo.lastName
- orderInformation.billTo.locality
- orderInformation.billTo.postalCode
- paymentInformation.card.expirationMonth
- paymentInformation.card.expirationYear
- paymentInformation.card.number
- paymentInformation.card.type
IMPORTANT
To reduce your issuer step-up authentication rates, you can send
additional request data in order. It is best to send all available fields.
Use the enrollment check and card authorization services in the same request or in
separate requests:
- Same request:attempts to authorize the card if your customer is not enrolled in a payer authentication program. In this case, the field values that are required to prove that you attempted to check enrollment are passed automatically to the authorization service. If authentication is required, processing automatically stops.Cybersource
- Separate requests: Manually include the enrollment check result values (Enrollment Check response fields) in the authorization service request (Card Authorization request fields).
Be sure to include the following card-specific information in your authorization
request:
- For Visa, American Express, JCB, Diners Club, Discover, China UnionPay, and Elo, include the CAVV.
- For Mastercard only, include the collection indicator and the AAV (also known as UCAF).
These fields are listed in this table.
Identifier | Enrollment Check Response Field | Card Authorization Request Field |
|---|---|---|
E-commerce indicator | consumerAuthenticationInfo
rmation.ecommerceIndicator | processingInformation.commerceIndicator |
Collection indicator | consumerAuthenticationInfo
rmation.ucafCollectionIndicator | consumerAuthenticationInfo
rmation.ucafCollectionIndicator |
CAVV | consumerAuthenticationInfo
rmation.cavv | consumerAuthenticationInfo
rmation.cavv |
AAV | consumerAuthenticationInfo
rmation.ucafAuthentication Data | consumerAuthenticationInfo
rmation.ucafAuthentication Data |
XID | consumerAuthenticationInfo
rmation.xid
and | consumerAuthenticationInfo
rmation.xid |
Result of the enrollment check for Asia, Middle East, and
Africa Gateway | consumerAuthenticationInfo
rmation.veresEnrolled | consumerAuthenticationInfo
rmation.veresEnrolled |
3-D Secure version | consumerAuthenticationInfo
rmation.specificationVersion | consumerAuthenticationInfo
rmation.paSpecificationVersion |
Directory server transaction ID | consumerAuthenticationInfo rmation.directoryServerTran
sactionId | consumerAuthenticationInfo
rmation.directoryServerTransactionId |
Interpreting the Response
In EMV 3-D Secure, there are two possible responses:
- Frictionless: No challenge or stepup to the cardholder. While frictionless authentication can indicate a successfully authenticated outcome because the customer's card is enrolled in a payer authentication program, it can also result from the bank failing or rejecting authentication without challenging the cardholder. In the frictionless authentication flow, you receive a PAResStatus of eitherY,A,N,I,R, orUwith an associated ECI value. With successful frictionless authentication, the PAResStatus =YorAand you receive a CAVV. You may also receive a PAResStatus =Iindicating successful authentication but it might not include a CAVV.
- Challenge: The response contains PAResStatus =C. A challenge response has a payload and contains an ACS URL and a StepUpUrl. Challenge the cardholder to provide additional authentication information and display an authentication challenge window to the cardholder so the cardholder can respond to a validation request and receive a validation response.
Authenticating Enrolled Cards
In the response from the enrollment check service, confirm that you receive
these fields and values:
- 3-D Secure version = 2.x
- VERes enrolled = Y
- PARes status = C
These values identify whether it is an EMV 3-D Secure 2.x transaction and that
a challenge is required.
Once you validate these fields, you call
Cardinal.cca_continue
(Android
SDK) or Cardinal session continue
(iOS SDK) for the SDK to perform the challenge
between the customer and the issuing bank.Requesting the Validation Service
For enrolled cards, the next step is to make a back-end, server-to-server call to request
the validation service.
When you make the validation request, you must:
- Send theconsumerAuthenticationInformation.authenticationTransactionIdrequest field.
- Send the credit card information including the PAN, currency, and expiration date (month and year).
The response that you receive contains the validation result.
It is recommended that you request the payer authentication and card authorization
services at the same time. Doing this automatically sends the correct information to
your payment processor and converts the values of these fields to the proper format
required by your payment processor:
- consumerAuthenticationInformation.ecommerceIndicator
- consumerAuthenticationInformation.cavv
- consumerAuthenticationInformation.ucafAuthenticationData
- consumerAuthenticationInformation.xidandconsumerAuthenticationInformation.xid
If you request the services separately, manually include the validation result values
(Validation Check response fields) in the authorization service request (Card
Authorization request fields). To receive liability shift protection, you must ensure
that you pass all pertinent data for the card type and processor in your request.
Failure to do so might invalidate your liability shift for that transaction. Include the
electronic commerce indicator (ECI), the transaction ID (XID), the 3-D Secure version,
the directory server transaction ID, and this card-specific information in your
authorization request.
- For Visa, American Express, JCB, Diners Club, Discover, China UnionPay, and Elo, include the CAVV.
- For Mastercard only, include the collection indicator and the AAV (also known as UCAF).
Identifier | Validation Check Response Field | Card Authorization Request Field |
|---|---|---|
E-commerce
indicator | consumerAuthenticationInformation.indicator | processingInformation.commerceIndicator |
Collection indicator | consumerAuthenticationInforma
tion.ucafCollectionIndicator | consumerAuthenticationInfo
rmation.ucafCollectionIndicator |
CAVV | consumerAuthenticationInformation.cavv | consumerAuthenticationInformation.cavv |
AAV | consumerAuthenticationInforma
tion.ucafAuthenticationData | consumerAuthenticationInfo
rmation.ucafAuthenticationData |
XID | consumerAuthenticationInformation.xid | consumerAuthenticationInformation.xid |
3-D Secure version | consumerAuthenticationInforma
tion.specificationVersion | consumerAuthenticationInfo
rmation.paSpecificationVersion |
Directory server transaction ID | consumerAuthenticationInforma
tion.directoryServerTransactionId | consumerAuthenticationInfo
rmation.directoryServerTransactionId |