Introduction
Banking and Connection Prerequisites for 3DSecure
This process is based on an additional control during an online purchase: in addition to the banking data, the buyer validates his payment by entering a secret value provided by his bank.
This system is accompanied by a regulatory change called "liability shift" or "transfer of responsibility". Its principle is that the risk of chargeback following a cardholder dispute is borne by the cardholder's bank and no longer by the merchant, if the cardholder has validated his payment by entering the 3D Secure data (One Time Password) and the merchant has complied with the security measures set out in the general terms and conditions of his e-commerce contract with his bank.
The payment solution Payline has completed a 3DSecure certification with banks, as well as with Visa and MCI.
Subscription
The merchant must subscribe to a VADS contract (VAD TPV type 3D Secure). The merchant informs Payline that he has subscribed to a VADS contract with 3DSecure and wishes to use the 3DSecure option, and sends Payline the TPV with 3DSecure.
The Payline team must register the merchant with Visa and MCI (10 days are required). Upon confirmation from the Visa and MCI networks, the Payline team informs the merchant that the VADS contract is activated. Once the VADS contract is activated, all flows on this contract will be 3DS transactions.
Prerequisites for using Payline payment solution
The 3D Secure solution in Direct interface mode ensures the secure transfer of sensitive data and processes authentication and authorization requests.
Integration points:
- verifyEnrollment is required to provide authentication and doAuthorization to perform the authorization;
- get the result of the transaction with getTransactionDetails.
You must check the service access key and configure the SOAP UI settings.
3D-Secure in Direct Interface mode with a payment
The following steps present the verifyEnrollment and doAuthorization web services used to perform a 3DSecure transaction through the Payline direct interface.
Step 1 : verifyEnrollment
This first web service call makes it possible to verify the eligibility of the cardholder for the 3DSecure scheme, and therefore to know if the cardholder is registered with a VISA or Mastercard Directory Server.
Find below an example of a request/response for the verifyEnrollment web service:
verifyEnrollmentRequest | verifyEnrollmentResponse |
---|---|
<impl:verifyEnrollmentRequest> | <verifyEnrollmentResponse> <termUrlName>TermUrl</termUrlName> |
Once the verifyEnrollment is done, authentication with the ACS server must be performed. To do this, the information from the verifyEnrollment must be sent to the authentication server.
Sending information
To send this information, simply create an HTML form for POST, or a link for GET:
POST:
The information will be sent to the authentication server through the form below. The field names and values are dynamically retrieved from the verifyEnrollmentResponse.
- Session tracking: value to retrieve in the verifyEnrollment response
mdFieldName = MD
mdFieldValue = 1Fz9nEnAZJNn8NvXEKDT
- Authentication request: value to retrieve in the verifyEnrollment response
pareqFieldName = PaReq
pareqFieldValue = eJxVkdtuwjAMhl+l4gGaA...
- Address to which the authentication server sends the authentication response. This address must be able to receive a form sent in "POST" containing the result of the user's authentication.
termUrlName = TermUrl
termUrlValue = https://acs.modirum.com/mdpayacs.php
Sample HTML form to perform a test on your server:
HTML form |
---|
<form name="downloadForm" action="https://acs.modirum.com/mdpayacs/pareq" method="POST"> |
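The form-building step described above, as an added example that is not Payline's code: it reads the field names and values from a verifyEnrollmentResponse and renders the ACS form with every dynamic value HTML-escaped. The function names, the HTTPS/POST checks, the PaReq value and the `shop.example` TermUrl are assumptions made for the illustration, and the response is assumed to be available as an XML string.

```php
<?php
// Added example, not Payline code. The XML below is a constructed sample
// shaped like the verifyEnrollmentResponse shown on this page.
/** Read the ACS form fields from the response; refuse anything but 03000. */
function parseEnrollment(string $xml, string $merchantTermUrl): array
{
    $r = simplexml_load_string($xml);
    if ($r === false || (string) $r->result->code !== '03000') {
        throw new RuntimeException('enrollment not confirmed');
    }
    $actionUrl = trim((string) $r->actionUrl);
    // Assumption: only send the cardholder to an HTTPS ACS address, by POST.
    if (parse_url($actionUrl, PHP_URL_SCHEME) !== 'https'
        || strtoupper(trim((string) $r->actionMethod)) !== 'POST') {
        throw new RuntimeException('unexpected actionUrl or actionMethod');
    }
    // Field names come from the response; they are not hard-coded.
    return ['actionUrl' => $actionUrl, 'fields' => [
        (string) $r->pareqFieldName => preg_replace('/\s+/', '', (string) $r->pareqFieldValue),
        (string) $r->mdFieldName    => trim((string) $r->mdFieldValue),
        (string) $r->termUrlName    => $merchantTermUrl,
    ]];
}

/** Render the form with every dynamic name and value HTML-escaped. */
function buildAcsForm(array $enroll): string
{
    $esc = fn($s): string => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    $html = '<form name="downloadForm" action="' . $esc($enroll['actionUrl']) . '" method="POST">' . "\n";
    foreach ($enroll['fields'] as $name => $value) {
        $html .= '<input type="hidden" name="' . $esc($name) . '" value="' . $esc($value) . '">' . "\n";
    }
    return $html . '<input type="submit" name="submit" value="Submit">' . "\n</form>\n";
}

$sample = <<<XML
<verifyEnrollmentResponse>
<result><code>03000</code><shortMessage>ACCEPTED</shortMessage></result>
<actionUrl>https://acs.modirum.com/mdpayacs/pareq</actionUrl>
<actionMethod>POST</actionMethod>
<pareqFieldName>PaReq</pareqFieldName>
<pareqFieldValue>c2FtcGxl
LXBhcmVx</pareqFieldValue>
<termUrlName>TermUrl</termUrlName>
<mdFieldName>MD</mdFieldName>
<mdFieldValue>1Fz9nEnAZJNn8NvXEKDT</mdFieldValue>
</verifyEnrollmentResponse>
XML;
echo buildAcsForm(parseEnrollment($sample, 'https://shop.example/3DSecure/receive_form.php'));
```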
Receipt of information returned during authentication
The authentication server sends its message to the URL entered in the TermURL parameter (sent in the previous form). In the response form, two fields must be retrieved to continue the transaction in 3DSecure mode:
- The MD field: always the same field allowing the follow-up of the session
- the Payer Authentication Response (PaRes) field: an encrypted string containing the response of the authentication server. The value of the PaRes field will validate or not the transaction as a 3DSecure transaction.
These two fields are retrieved and used to complete the doAuthorizationRequest in 3DSecure mode.
Sample script (here written in PHP) to retrieve the response to authentication :
Script PHP : receive_form.php |
---|
<?php |
Note: this script must be placed on a running web server, in a folder corresponding to the address sent in the TermURL field.
Example: if the server is local, the value can be:
TermURL = http://127.0.0.1/3DSecure/receive_form.php
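One way to harden the TermURL receiver, as an added example that is not Payline's code: the returned MD is compared with the value stored when verifyEnrollment answered, used once, and the PaRes is bounded and checked as base64 before both are passed to doAuthorization. The function name, the `3ds_md` storage key, the 16384-byte limit and the PaRes value are assumptions made for the illustration.

```php
<?php
// Added example, not Payline code. $session stands for server-side storage
// filled when verifyEnrollment returned; key name and size limit are assumptions.

/** Validate the ACS callback; return the md/pares pair for doAuthorization. */
function handleTermUrl(array $post, array &$session): array
{
    $md    = $post['MD'] ?? null;
    $pares = $post['PaRes'] ?? null;
    if (!is_string($md) || !is_string($pares)) {
        throw new InvalidArgumentException('MD or PaRes missing');
    }
    // MD must be the value issued by verifyEnrollment for this checkout.
    $expected = $session['3ds_md'] ?? '';
    if (!is_string($expected) || $expected === '' || !hash_equals($expected, $md)) {
        throw new RuntimeException('MD does not match the pending session');
    }
    unset($session['3ds_md']); // single use: a replayed callback is rejected

    // PaRes stays opaque here: bound its size and check it is base64, then
    // let Payline verify it through doAuthorization.
    $pares = preg_replace('/\s+/', '', $pares);
    if ($pares === '' || strlen($pares) > 16384 || base64_decode($pares, true) === false) {
        throw new RuntimeException('PaRes is not a plausible base64 value');
    }
    return ['md' => $md, 'pares' => $pares];
}

// Constructed input: MD as in the page's sample, PaRes a dummy base64 string.
$session = ['3ds_md' => '1Fz9nEnAZJNn8NvXEKDT'];
$post    = ['MD' => '1Fz9nEnAZJNn8NvXEKDT', 'PaRes' => "c2FtcGxl\nLXBhcmVx"];

print_r(handleTermUrl($post, $session)); // first callback
try {
    handleTermUrl($post, $session);       // same callback replayed
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned pair maps onto the md and pares elements of authentication3DSecure in the doAuthorizationRequest.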
Step 2 : doAuthorization with 3D Secure settings
The doAuthorization web service performs the transaction directly with the 3DSecure parameters.
The md / pares parameters provided make it possible to check the authentication, and thus the identity of the user, before carrying out the transaction.
If the parameters are correct, the transaction is carried out as for a classic doAuthorization request.
doAuthorizationRequest | doAuthorizationResponse |
<impl:doAuthorizationRequest> | <doAuthorizationResponse> |
3D-Secure in direct interface mode with or without performing a payment
It is possible to use the 3DSecure function implemented in the Payline payment solution without using Payline's standard "perform a payment" function; in that case you only use the first two steps described below.
Step 3 performs a payment transaction relying on the 3DSecure payment solution.
Step 1 : call to the verifyEnrollment web service
As explained previously, this first action checks the enrollment of the user's card. The mandatory elements of the verifyEnrollment method are:
- card: card number / type / expiration date / cvx
- payment: amount / currency / action / mode / contract number
- orderRef
- amount = 1000
- currency = 978
- action = 101
- mode = CPT
- orderRef = RefTest01
- number = 4970100000000238
- type = CB
- expirationDate = 0610
- CVx : 123
verifyEnrollmentRequest
<impl:verifyEnrollmentRequest>
<impl:card>
<obj:number>4970100000325734</obj:number>
<obj:type>CB</obj:type>
<obj:expirationDate>0610</obj:expirationDate>
<obj:cvx>123</obj:cvx>
</impl:card>
<impl:payment>
<obj:amount>1000</obj:amount>
<obj:currency>978</obj:currency>
<obj:action>100</obj:action>
<obj:mode>CPT</obj:mode>
<obj:contractNumber>CB3DS</obj:contractNumber>
</impl:payment>
<impl:orderRef>RefTest01</impl:orderRef>
</impl:verifyEnrollmentRequest>
verifyEnrollmentResponse
<verifyEnrollmentResponse>
<result>
<code>03000</code>
<shortMessage>ACCEPTED</shortMessage>
<longMessage>Operation Successfull</longMessage>
</result>
<actionUrl>
</actionUrl>
<actionMethod>POST</actionMethod>
<pareqFieldName>PaReq</pareqFieldName>
<pareqFieldValue>
eJxVkdtygjAQhl/F8QHcJAUBZ90Zj4MXbdHaXvSOC
TuVTkEM0OrU9ir7bfb4L253hnn+wro1TPjIdZ1+cC/Pxn3
lh0J4fcJksuED4TebOt+XJAdioBCuaHOM3qVlQ5jq
QCnnQ/fz1olTNc6hNFQWhnvxLysdqXbCOsWDcbM661X
aN77jvMYqefbqw4SoSRcrU6dpVyK4e0o59LOUBwG
dDdBrrDWevfQX8B2heclQ==
</pareqFieldValue>
<termUrlName>TermUrl</termUrlName>
<termUrlValue>
</termUrlValue>
<mdFieldName>MD</mdFieldName>
<mdFieldValue>8FPL0ihqQtuqr1GzmOCL</mdFieldValue>
</verifyEnrollmentResponse>
- 02101 - Internal Error - Internal Error
- 02303 - Invalid Transaction - Invalid Contract Number
- 02305 - Invalid Transaction - Invalid field format
- 03000 - Operation Successfull - Operation Successfull
- 03001 - Operation Refused - Not Enrolled
- 03002 - Operation Refused - Not participating
- 03021 - Transaction Refused - Enrollment verification failed
- 09201 - Access Refused - You do not have permissions to make this API call
- PAReq: Payer Authentication Request: character string containing the request to send to the authentication server; it identifies the card and its holder.
- MD: Merchant Data: identifier used to identify the merchant and to simulate a session between the enrollment and authentication requests on the Access Control Server (ACS) and Merchant Plug-in (MPI) servers.
- actionURL: URL indicating where the information used to verify the user's authentication must be sent (see below).
- actionMethod: method to be used to send the information to the authentication server (see below).
Example: paresFieldName / paresFieldValue.
Step 2 : authentication
Once the verifyEnrollment is done, authentication with the ACS server must be performed. To do this, the information from the verifyEnrollment must be sent to the authentication server. The information expected by the MPI is the MD (for session tracking) and the PaReq (authentication request).
Sending information
To send this information, simply create an HTML form containing the MD and PaReq fields and pointing to the authentication server.
Example HTML form:
<form name="downloadForm" action="https://acs.modirum.com/mdpayacs/pareq" method="POST">
<input type="hidden" name="TermUrl" value="http://127.0.0.1/3DSecure/receive_form.php">
PAREQ : <input type="text" name="PaReq">
<br />
MD : <input type="text" name="MD">
<br />
<input type="submit" name="submit" value="Submit">
</form>
- MD: session tracking; value to retrieve from the verifyEnrollment response
- PaReq: authentication request; value to retrieve from the verifyEnrollment response
- TermURL: address to which the authentication server sends the authentication response. In practice, this address must be able to receive a form sent in "POST" containing the result of the user's authentication.
Note that these values are generated dynamically and are renewed on each request.
Receipt of information returned during authentication
The authentication server sends its message to the URL given in the TermURL parameter (sent in the previous form). In the response form, two fields must be retrieved to continue the transaction in 3DSecure mode:
- the MD field: always the same field, used for session tracking
- the PaRes field (Payer Authentication Response): an encrypted character string containing the response of the authentication server. The value of the PaRes field determines whether or not the transaction is validated as a 3DSecure transaction.
These two fields are retrieved and used to complete the doAuthorizationRequest in 3DSecure mode (see Step 3 : doAuthorization).
Sample script (here written in PHP) to retrieve the authentication response:
PHP script: receive_form.php
<?php
// Fields posted by the authentication server to the TermURL (empty if absent)
$pares = $_POST['PaRes'] ?? '';
$md = $_POST['MD'] ?? '';
// Escape before display: both values arrive through the cardholder's browser
echo "MD : ".htmlspecialchars($md, ENT_QUOTES, 'UTF-8')."<br />PARES : ".htmlspecialchars($pares, ENT_QUOTES, 'UTF-8');
?>
Note: this script must be placed on a running web server, in a folder corresponding to the address sent in the TermURL field.
Example: if the server is local, the value can be:
TermURL = http://127.0.0.1/3DSecure/receive_form.php
Step 3 : doAuthorization
The last step of a 3DSecure transaction through the Payline DIRECT interface is sending a doAuthorization request. As for a classic transaction, the doAuthorization contains the following mandatory fields:
- payment: information about the transaction: amount, currency, contract, etc.
- card: information about the payment card: number, type, expiration date, etc.
- order: information about the order: reference, amount, country, etc.
For a 3DSecure payment, the doAuthorization request must therefore be completed with the information returned by the authentication server:
- MD: 3DSecure session tracking.
- PaRes: result of the authentication.
doAuthorizationRequest
<doAuthorizationRequest>
<payment>
<amount>1000</amount>
<currency>978</currency>
<action>100</action>
<mode>CPT</mode>
<contractNumber>CB3DS</contractNumber>
</payment>
<card>
<number>4970100000325734</number>
<type>CB</type>
<expirationDate>1212</expirationDate>
<cvx>123</cvx>
</card>
<order>
<ref>REF0989</ref>
<amount>1000</amount>
<currency>978</currency>
<date>24/02/2008 09:28</date>
</order>
<authentication3DSecure>
<md>2vS6uabMBUzx9LrEDS9c</md>
<pares>eJzFV2mvosoW/Sudvh9NN7NKhzYpRlEL
avfp887t93Lz8gYSYtV216q9qbV2VTFmcosi3ojC+y1
i888rZg/0qH6aCopcLGiCnoxtdKvTS7nCvqJfcQb52Z
pjJMYgP7pMEd1kfkUvF3OKQV4dBvk1an9/tOoplj49
RLN1UHfmeQhwdz9JtohaMojeI4+QkjvmHUN4pmk
CntW1....................
</pares>
</authentication3DSecure>
</doAuthorizationRequest>
doAuthorizationResponse
<doAuthorizationResponse>
<result>
<code>00000</code>
<shortMessage>ACCEPTED</shortMessage>
<longMessage>Transaction approved</longMessage>
</result>
<transaction>
<id>90224141650893</id>
<date>24/02/09 14:16</date>
<isDuplicated>0</isDuplicated>
<isPossibleFraud>0</isPossibleFraud>
<fraudResult/>
<explanation/>
<threeDSecure>Y</threeDSecure>
<score xsi:nil="true" />
</transaction>
<authorization>
<number>A55A</number>
<date>24/02/09 14:16</date>
</authorization>
</doAuthorizationResponse>
Back Office
The 'Technical follow-up of webservice calls' menu lets you find the verifyEnrollment web service call and view its details.
The result of the 3DSecure transaction is then visible in the Payline Administration Center: in the search results and in the 3DSecure tab of the transaction detail.
Transaction search screen:
3DSecure transaction details:
3D Secure payment scheme
- The consumer validates his shopping cart, then the merchant prepares the web page where the payment data will be filled in.
A VEReq (Verification Enrollment Request) message gives access to the Directory Server to verify the card's registration in the directory of cards declared "enrolled" in 3-D Secure and to provide the ACS URL.
The Verification Enrollment Response, containing the authentication result, is returned to the Merchant Plug-in (MPI), which manages the dialogue with the Directory and the ACS to allow the buyer to authenticate.
- The merchant redirects the consumer to the ACS URL for authentication.
The "PAReq" request (Payer Authentication Request) gives access to the bank's ACS to trigger the authentication phase.
The "PARes" response (Payer Authentication Response), containing the cardholder's authentication result, is transmitted to the merchant.
- The merchant can trigger a request for authorization and payment validation by calling the doAuthorizationRequest service.
- The merchant retrieves the transaction details by calling the getTransactionDetails service.