Notify your Cybersource account representative that you want to implement payer authentication (3D Secure). Give them the Cybersource merchant ID that you will use for testing. For more information, see Required Merchant Information.
Implementation tasks include:
nAdd the JavaScript code to your checkout page
nFor each purchase request
lBuild the authentication request
lInvoke the authentication
lHandle declines
lCall the following services:
-ics_pa_enroll: Payer Authentication Enrollment Check
-ics_auth: Card Authorization service (optional)
nUse the test cases to test your preliminary code and make appropriate changes. You can change to the test environment by changing the URL in your JavaScript code. See Testing Payer Authentication Services.
nEnsure that your account is configured for production.
Process Flow for Standard Integration
1You generate a JSON Web Token (JWT).
2You add the JavaScript tag to your checkout page.
3Call Cardinal.setup().
4Run BIN detection. If the BIN is eligible for 3D Secure 2.x, it gathers the proper Method URL JavaScript required by the issuer to collect additional device data.
5When the customer places an order on your website, you call the cardinal.start function to pass in the transaction level data including the full PAN and order details.
6The JavaScript verifies with the bank that the card is enrolled in a 3D Secure card authentication program by using a server-to-server call.
7If the issuing bank requires authentication, the JavaScript displays the authentication window.
8If required, the customer enters the authentication information.
9The bank validates the customer credentials, and a JWT is returned that the merchant is required to validate server-side for security reasons.
10You request the ICS Enrollment Check service, extracting the processor transaction ID value from the JWT and sending it in the pa_authentication_transaction_id request field. You receive this information:
nE-commerce indicator
nCAVV (all card types except Mastercard)
nAAV (Mastercard only)
nTransaction ID
n3D Secure version
nDirectory server transaction ID
Verify that the authentication was successful and continue processing your order.
You must pass all pertinent data for the card type and processor in your authorization request. For more information, see Requesting the Check Enrollment Service (Standard).
Before you can implement payer authentication services, your business team must contact your acquirer and Cybersource to establish the service. Your software development team should become familiar with the API fields and technical details of this service.
API keys are required in order to create the JSON Web Token (JWT). For further information, contact Cybersource Customer Support.
Create the JSON Web Token (JWT)
The Standard integration uses JWTs as the method of authentication.
|
|
For security reasons, all JWT creation must be done on the server side. |
When creating the JWT, use your company API Key as the JWT secret. You can use any JTW library that supports JSON Web Signature (JWS). For further information about JWTs, see https://jwt.io/.
JWT Claims
Table 36 lists the standard claims that can be used in a JWT claim set.
|
Claim Name |
Description |
|
|
Required |
Note Each claim key is case sensitive. |
|
|
jti |
JWT ID - unique identifier for the JWT. This field should change each time a JWT is generated. |
|
|
|
iat |
Issued at - the epoch time in seconds beginning when the JWT is issued. This value indicates how long a JWT has existed and can be used to determine if it is expired. |
|
|
iss |
Issuer - identifier of who is issuing the JWT. Contains the API key identifier or name. |
|
|
OrgUnitId |
The merchant SSO Org Unit Id. |
|
|
Payload |
The JSON data object being sent. This object is usually an order object. |
|
Optional |
ReferenceId |
Merchant-supplied identifier that can be used to match up data collected from the Standard integration API and enrollment check service. |
|
ObjectifyPayload |
Boolean flag that indicates how the API should consume the payload claim. If set to true, the payload claim is an object. If set to false, the payload claim is a stringified object. Some JWT libraries do not support passing objects as claims; this allows those who only allow strings to use their libraries without customization. |
|
|
exp |
Expiration - the numeric epoch time in which the JWT should be considered expired. This value is ignored if it is more than 4 hours. |
|
JWT Examples
Example 44 shows the JSON content of a basic JWT payload that passes an object within the payload claim.
Example 48Raw JWT
|
{ "jti": "a5a59bfb-ac06-4c5f-be5c-351b64ae608e", "iat": 1448997865, "iss": "56560a358b946e0c8452365ds", "OrgUnitId": "565607c18b946e058463ds8r", "Payload": { "OrderDetails": { "OrderNumber": "0e5c5bf2-ea64-42e8-9ee1-71fff6522e15", "Amount": "1500", "CurrencyCode": "840" } }, "ObjectifyPayload": true, "ReferenceId": "c88b20c0-5047-11e6-8c35-8789b865ff15", "exp": 1449001465, } |
Example 45 shows the JSON content of a basic JWT payload that passes a string within the payload claim.
Example 49Stringified JWT
|
{ "jti": "29311a10-5048-11e6-8c35-8789b865ff15", "iat": 1448997875, "iss": "56560a358b946e0c8452365ds", "OrgUnitId": "565607c18b946e058463ds8r", "Payload": "{\"OrderDetails\":{\"OrderNumber\":\"19ec6910-5048-11e6-8c35-8789b865ff15\",\"Amount\":\"1500\",\"CurrencyCode\":\"840\"}}", "ObjectifyPayload" false "ReferenceId": "074fda80-5048-11e6-8c35-8789b865ff15" "exp":1449001465, } |
Add Songbird.js to your checkout page and complete the additional steps:
1Configure it: create the configuration object and pass it to Cardinal.configure().
2Listen for Events: subscribe to events with Cardinal.on() and set up callback functions for:
npayments.setupComplete: this optional event triggers when the JavaScript successfully initializes, after calling Cardinal.setup().
npayments.validated: this event triggers when the transaction completes.
3Initialize it: call Cardinal.setup() to trigger and pass your JWT to the JavaScript for each transaction.
To complete these steps, see the JavaScript Documentation.
BIN detection is required and allows the card-issuing bank’s ACS provider to collect additional device data; it can help speed up the authentication process by collecting this data before the checkout page launches. This step occurs prior to authentication and must occur before the Cardinal.start event (Standard integration) or Check Enrollment service request (Hybrid integration). For further information, see the JavaScript Documentation.
Implementing Standard Payer Authentication
The JavaScript handles the device data collection, initiates the transaction for authentication, displays the authentication window if required, and returns the authentication results.
You initiate this authentication process, usually when the customer clicks the Place Order or Submit Order button, by triggering Cardinal.start(). Cardinal.start() invokes the authentication and authenticates the customer.
Create an order object to pass to the Cardinal.start() event. The more fields you include, the less likely the cardholder will be challenged to provide credentials.
Initiate Cardinal.start() before the authorization as shown in Example 50 . The second argument of data is a Request Order Object. You can construct this object ahead of time or pass it directly as shown.
Example 50Cardinal.start with Request Order Object
|
Cardinal.start("cca", { OrderDetails: { OrderNumber: "1234567890" }, Consumer: { Account: { AccountNumber: "4000000000001000", ExpirationMonth: "01", ExpirationYear: "2099" ... <Other 2.x required/optional fields>
} } ... }); |
Payments.validated returns the authentication results and response JWT along with the processor transaction ID as shown in Example 51 .
Example 51Decoded Response JWT
|
{ "iss": "5a4504be6fe3d1127cdfd94e", "iat": 1555075930, "exp": 1555083130, "jti": "cc532159-636d-4fa8-931d-d4b0f4c83b99", "ConsumerSessionId": "0_9a16b7f5-8b94-480d-bf92-09cd302c9230", "aud": "d0cf3392-62c5-4107-bf6a-8fc3bb49922b", "Payload": { "Payment": { "Type": "CCA", "ProcessorTransactionId": "YGSaOBivyG0dzCFs2Zv0" }, "ErrorNumber": 0, "ErrorDescription": "Success" } } |
Redirecting Customers to Pass or Fail Message Page
After authentication is complete, redirect the customer to a page containing a success or failure message. You must ensure that all messages that display to customers are accurate, complete, and that they address all possible scenarios for enrolled and nonenrolled cards. For example, if the authentication fails, a message such as the following should be displayed to the customer:
Authentication Failed
Your card issuer cannot authenticate this card. Please select another card or form of payment to complete your purchase.
Requesting the Check Enrollment Service (Standard)
Once the validation is complete, use the Check Enrollment service to obtain the values needed for authorization.
To request the Check Enrollment service, extract the processor transaction ID value from the JWT and send it in the pa_authentication_transaction_id request field. The following fields are also required:
|
|
You can send additional request data in order to reduce your issuer step-up authentication rates. It is best to send all available fields. |
For further details on required and optional fields, see Request-Level Fields.
Cybersource recommends that you request both payer authentication and card authorization services at the same time. When you do so, Cybersource automatically sends the correct information to your payment processor; Cybersource converts the values of these fields to the proper format required by your payment processor:
nE-commerce indicator: pa_enroll_e_commerce_indicator
nCAVV: pa_validate_cavv
nAAV: pa_validate_ucaf_authentication_data
nXID: pa_enroll_xid and pa_validate_xid
If you request the services separately, you must manually include the enrollment check result values (Enrollment Check Response Fields) in the authorization service request (Card Authorization Request Fields). To receive liability shift protection, you must ensure that you pass all pertinent data for the card type and processor in your request. Failure to do so may invalidate your liability shift for that transaction. Include the electronic commerce indicator (ECI), the transaction ID (XID), the 3D Secure version, the directory server transaction ID, and the following card-specific information in your authorization request:
nFor Visa, American Express, JCB, Diners Club, Discover, China UnionPay, and Elo include the CAVV (cardholder authentication verification value).
nFor Mastercard, include the UCAF (universal cardholder authentication field) and the collection indicator.
Table 40 lists these fields.
|
Identifier |
Enrollment Check Response Field |
Card Authorization Request Field |
|
pa_enroll_e_commerce_indicator |
e_commerce_indicator |
|
|
CAVV (Visa and American Express only) |
pa_enroll_cavv |
cavv |
|
pa_enroll_ucaf_authentication_data |
ucaf_authentication_data |
|
|
pa_enroll_xid |
xid |
|
|
3D Secure version |
pa_enroll_specification_version |
pa_specification_version |
|
Directory server transaction ID Note Not required for 3D Secure 1.0. |
pa_enroll_directory_server_transaction_id |
directory_server_transaction_id |
In most cases, you request card authorization only once for each purchase. However, you must send multiple authorization requests if the original authorization expires before it is captured, which can occur when order fulfillment is split or delayed. In these cases, you must include in subsequent authorization requests the same payer authentication data contained in the original request so that your acquiring bank can track all related requests if a dispute occurs. Authentication data can only be used for one authorization and cannot be used multiple times or on subsequent authorizations.