Running Payer Authentication with SDK
The payer authentication process in SDK requires checking whether a customer is
participating in a card authentication program. If the customer is enrolled in payer
authentication, you validate their current status in the program and authorize the
transaction. The following procedures describe how to ensure the correct data values are
passed during the payer authentication process.
Requesting the Check Enrollment Service (SDK)
After the SDK completes the device collection from your mobile application, and after the customer clicks the Buy button, you must make a back-end, server-to-server call to request the Enrollment Check service.
The Check Enrollment service verifies that the card is enrolled in a card authentication program. The merchant ID is included as part of the header, but these fields are required in the request:
-
clientReferenceInformation.code
-
consumerAuthenticationInformation.referenceId
-
orderInformation.amountDetails.currency
-
orderInformation.amountDetails.totalAmount
-
orderInformation.billTo.address1
-
orderInformation.billTo.administrativeArea
-
orderInformation.billTo.country
-
orderInformation.billTo.email
-
orderInformation.billTo.firstName
-
orderInformation.billTo.lastName
-
orderInformation.billTo.locality
-
orderInformation.billTo.postalCode
-
paymentInformation.card.expirationMonth
-
paymentInformation.card.expirationYear
-
paymentInformation.card.number
-
paymentInformation.card.type
IMPORTANT
To reduce your issuer step-up authentication rates, you can send additional request data in order. It is best to send all available fields.
Use the enrollment check and card authorization services in the same request or in separate requests:
-
Same request:Cybersource
-
Separate requests: Manually include the enrollment check result values (Enrollment Check response fields) in the authorization service request (Card Authorization request fields).
Be sure to include the following card-specific information in your authorization request:
-
For Visa, American Express, JCB, Diners Club, Discover, China UnionPay, and Elo, include the CAVV.
-
For Mastercard only, include the collection indicator and the AAV (also known as UCAF).
These fields are listed in this table.
Identifier
|
Enrollment Check Response Field
|
Card Authorization Request Field
|
---|---|---|
E-commerce indicator
|
consumerAuthenticationInfo rmation.ecommerceIndicator
|
processingInformation.commerceIndicator
|
Collection indicator
|
consumerAuthenticationInfo rmation.ucafCollectionIndicator
|
consumerAuthenticationInfo rmation.ucafCollectionIndicator
|
CAVV
|
consumerAuthenticationInfo rmation.cavv
|
consumerAuthenticationInfo rmation.cavv
|
AAV
|
consumerAuthenticationInfo rmation.ucafAuthentication Data
|
consumerAuthenticationInfo rmation.ucafAuthentication Data
|
XID
|
consumerAuthenticationInfo rmation.xid
and
|
consumerAuthenticationInfo rmation.xid
|
Result of the enrollment check for Asia, Middle East, and Africa Gateway
|
consumerAuthenticationInfo rmation.veresEnrolled
|
consumerAuthenticationInfo rmation.veresEnrolled
|
3-D Secure version
|
consumerAuthenticationInfo rmation.specificationVersion
|
consumerAuthenticationInfo rmation.paSpecificationVersion
|
Directory server transaction ID
|
consumerAuthenticationInfo rmation.directoryServerTran sactionId
|
consumerAuthenticationInfo rmation.directoryServerTransactionId
|
Interpreting the Response
In EMV 3-D Secure, there are two possible responses:
-
Frictionless: No challenge or stepup to the cardholder. While frictionless authentication can indicate a successfully authenticated outcome because the customer's card is enrolled in a payer authentication program, it can also result from the bank failing or rejecting authentication without challenging the cardholder. In the frictionless authentication flow, you receive a PAResStatus of eitherY,A,N,I,R, orUwith an associated ECI value. With successful frictionless authentication, the PAResStatus =YorAand you receive a CAVV. You may also receive a PAResStatus =Iindicating successful authentication but it might not include a CAVV.
-
Challenge: The response contains PAResStatus =C. A challenge response has a payload and contains an ACS URL and a StepUpUrl. Challenge the cardholder to provide additional authentication information and display an authentication challenge window to the cardholder so the cardholder can respond to a validation request and receive a validation response.
Authenticating Enrolled Cards
In the response from the enrollment check service, confirm that you receive these fields and values:
-
3-D Secure version = 2.x
-
VERes enrolled = Y
-
PARes status = C
These values identify whether it is a EMV 3-D Secure 2.x transaction and that a challenge is required.
Once you validate these fields, you call
Cardinal.cca_continue
(Android SDK) or
Cardinal session continue
(iOS SDK) for the SDK to perform the challenge between the customer and the issuing bank.
Requesting the Validation Service
For enrolled cards, the next step is to make a back-end, server-to-server call to request the validation service.
When you make the validation request, you must:
-
Send theconsumerAuthenticationInformation.authenticationTransactionIdrequest field.
-
Send the credit card information including the PAN, currency, and expiration date (month and year).
The response that you receive contains the validation result.
It is recommended that you request the payer authentication and card authorization services at the same time. Doing this automatically sends the correct information to your payment processor and converts the values of these fields to the proper format required by your payment processor:
-
consumerAuthenticationInformation.ecommerceIndicator
-
consumerAuthenticationInformation.cavv
-
consumerAuthenticationInformation.ucafAuthenticationData
-
consumerAuthenticationInformation.xidandconsumerAuthenticationInformation.xid
If you request the services separately, manually include the validation result values (Validation Check response fields) in the authorization service request (Card Authorization request fields). To receive liability shift protection, you must ensure that you pass all pertinent data for the card type and processor in your request. Failure to do so might invalidate your liability shift for that transaction. Include the electronic commerce indicator (ECI), the transaction ID (XID), the 3-D Secure version, the directory server transaction ID, and this card-specific information in your authorization request.
-
For Visa, American Express, JCB, Diners Club, Discover, China UnionPay, and Elo, include the CAVV.
-
For Mastercard only, include the collection indicator and the AAV (also known as UCAF).
Identifier
|
Validation Check Response Field
|
Card Authorization Request Field
|
---|---|---|
E-commerce indicator
|
consumerAuthenticationInformation.indicator
|
processingInformation.commerceIndicator
|
Collection indicator
|
consumerAuthenticationInforma tion.ucafCollectionIndicator
|
consumerAuthenticationInfo rmation.ucafCollectionIndicator
|
CAVV
|
consumerAuthenticationInformation.cavv
|
consumerAuthenticationInformation.cavv
|
AAV
|
consumerAuthenticationInforma tion.ucafAuthenticationData
|
consumerAuthenticationInfo rmation.ucafAuthenticationData
|
XID
|
consumerAuthenticationInformation.xid
|
consumerAuthenticationInformation.xid
|
3-D Secure version
|
consumerAuthenticationInforma tion.specificationVersion
|
consumerAuthenticationInfo rmation.paSpecificationVersion
|
Directory server transaction ID
|
consumerAuthenticationInforma tion.directoryServerTransactionId
|
consumerAuthenticationInfo rmation.directoryServerTransactionId
|