Strong customer authentication

Context

Regulatory context

Authentication is required for your end-customers if you are on the Retail B2C market; it is also required for all key individuals of your professional customers if you are on the Corporate B2B market. Strong Customer Authentication occurs in two situations:

  • Online Card Payments
  • Sensitive Operations

The second EU Payment Services Directive (PSD2) requires that such strong authentication combines two criteria out of the three possible ones.

Technical context & customer experience

To integrate our solution, you will need our SDK: strong authentication has to take place in a mobile application. You can find more information on our SDK here.

Should you not have a mobile app, no problem: we have an app for you. Xpollens Authenticator integrates the SDK and can handle strong authentication notifications.

Here is a list of the main Sensitive Operations. This list is not exhaustive and may change.

SCA compliant by design

Just plug into our API and we ensure compliance with PSD2: if the operation is sensitive, your end user will receive a push notification in your mobile app. Execution of the sensitive operation is conditioned on the proper strong authentication of your end user.

If more than one person has mandate over the payment account, by default only the person initiating the operation will be notified.

Sensitive operations & SDK integration

When you call a sensitive operation endpoint, our backend generates a push notification to your end user's smartphone: the backend locates your end user's mobile application and triggers the authentication request. You must therefore implement the reception of such notifications using the SDK.

Here is the list of all RAW_LIST messages you can receive (the "title" and "value" columns give the label/placeholder pairs of the "data" rows):

| Sensitive Operation | "message" | "format" | "title" | "value" |
|---|---|---|---|---|
| Add a beneficiary | Ajout d’un Bénéficiaire | RAW_LIST | Nom:<br>IBAN: | %Nom_Bénéficiaire<br>%IBAN_Masqué_Bénéficiaire |
| Modify a beneficiary | Modification d’un Bénéficiaire | RAW_LIST | Nom:<br>IBAN: | %Nom_Bénéficiaire<br>%IBAN_Masqué_Bénéficiaire |
| Read account's information | Consultations des opérations | RAW_LIST | Compte: | %Nom_Partenaire |
| Set an immediate transfer | Virement immédiat | RAW_LIST | Montant:<br>Bénéficiaire: | %Montant %Devise<br>%Nom_Bénéficiaire |
| Set a future dated transfer | Virement planifié | RAW_LIST | Montant:<br>Bénéficiaire:<br>Date planifiée: | %Montant %Devise<br>%Nom_Bénéficiaire<br>%Date_Future |
| Set a recurrent transfer | Virement récurrent | RAW_LIST | Montant:<br>Bénéficiaire:<br>Récurrence: | %Montant %Devise<br>%Nom_Bénéficiaire<br>Tous les %Quantile du mois |
| Order a new card | Commande d’une Carte | RAW_LIST | Type: | Carte VISA %Type %Nom_Partenaire |
| Modify personal data | Modification Donnée Personnelle | RAW_LIST | Rue: | %adresse |
| Accept Terms & Conditions | Acceptation des CGU | RAW_LIST | Compte: | %Nom_Partenaire |
| Sign FATCA/EAI certification | Déclaratifs Fiscaux | RAW_LIST | Compte: | %Nom_Partenaire |
| Read PIN | Affichage Code PIN | RAW_LIST | Carte: | %Nom_Partenaire |
| Choose PIN | Choix d’un nouveau Code PIN | RAW_LIST | Carte: | %Nom_Partenaire |
| Read PAN, DLV & CVV2 | Affichage de votre Carte | RAW_LIST | Carte: | %Nom_Partenaire |

Your customer's security-wallet must be active and properly bound for the authentication request to reach her/his mobile app.

Initiate SEPA Instant Credit Transfer OUT

Your customer may initiate a pay-out, which triggers an authentication request. More information regarding this endpoint is available in the API reference.

In your mobile application, the notification will be received in the following RAW_LIST format:

```json
{
  "notificationMessage": "Une opération sensible requiert votre validation",
  "message": "Opération sensible à confirmer",
  "format": "RAW_LIST",
  "data": [
    {"title": "Opération \n ", "value": "Virement"},
    {"title": "Date \n ", "value": "17/01/2022"},
    {"title": "Montant \n ", "value": "15,00 €"},
    {"title": "Bénéficiaire \n ", "value": "Sylvie"}
  ]
}
```

Modify personal data

Your customer may modify some of his personal data, which triggers an authentication request. More information regarding this endpoint is available in the API reference.

In your mobile application, the notification will be received in the following RAW_LIST format:

```json
{
  "notificationMessage": "Une opération sensible requiert votre validation",
  "message": "Opération sensible à confirmer",
  "format": "RAW_LIST",
  "data": [
    {"title": "Opération \n ", "value": "Donnée Personnelle"},
    {"title": "Rue \n ", "value": "28 rue de Pont l'Abbé"},
    {"title": "Code Postal \n ", "value": "29 000"},
    {"title": "Ville \n ", "value": "Quimper"}
  ]
}
```

Internet payment & SDK integration

This feature is already embedded in the Xpollens API platform. Whenever your customer uses her/his card to pay online, a push notification is sent to her/his phone in the same manner as above.

You can test it using our Test Merchant website, once you have created and activated a Card for a proper User whose device has been properly bound (mobileID check).

You must implement the reception of such online card payment notifications. Here is the PURCHASE format you will receive:

```json
{
  "notificationMessage": "Une opération sensible requiert votre validation",
  "message": "Paiement en ligne à confirmer",
  "format": "PURCHASE",
  "amount": "74,12 €",
  "merchant": "WWW.OUI.SNCF"
}
```
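The two notification payloads documented on this page (the RAW_LIST format of the sensitive-operation sections and the PURCHASE format just above) are what the mobile app has to turn into a confirmation screen. The following is an added example, not code from Xpollens or its SDK: it takes the payload as the JSON string the SDK hands over (an assumption about the delivery mechanism), validates it against the two documented shapes, rejects anything else, and produces the label/value rows to display. The sample payloads are copied from this page; the "Marchand" label for the PURCHASE merchant row is chosen here.

```javascript
// Added example (not Xpollens SDK code): classify and render the two SCA push
// notification payloads documented on the page. The SDK is assumed to hand the
// payload over as a JSON string.

// Constructed sample payloads, copied from the formats documented on the page.
const SAMPLE_RAW_LIST = JSON.stringify({
  notificationMessage: "Une opération sensible requiert votre validation",
  message: "Opération sensible à confirmer",
  format: "RAW_LIST",
  data: [
    { title: "Opération \n ", value: "Virement" },
    { title: "Date \n ", value: "17/01/2022" },
    { title: "Montant \n ", value: "15,00 €" },
    { title: "Bénéficiaire \n ", value: "Sylvie" },
  ],
});

const SAMPLE_PURCHASE = JSON.stringify({
  notificationMessage: "Une opération sensible requiert votre validation",
  message: "Paiement en ligne à confirmer",
  format: "PURCHASE",
  amount: "74,12 €",
  merchant: "WWW.OUI.SNCF",
});

// Parse a notification into a normalised view model:
// { kind, headline, rows: [{ label, value }] }.
// Anything that does not match one of the two documented formats throws, so a
// malformed or unexpected payload is never shown to the user as something to
// approve.
function parseScaNotification(json) {
  let payload;
  try {
    payload = JSON.parse(json);
  } catch (e) {
    throw new Error("SCA notification is not valid JSON");
  }
  if (typeof payload !== "object" || payload === null) {
    throw new Error("SCA notification must be a JSON object");
  }
  if (typeof payload.message !== "string") {
    throw new Error("SCA notification is missing 'message'");
  }

  switch (payload.format) {
    case "RAW_LIST": {
      if (!Array.isArray(payload.data) || payload.data.length === 0) {
        throw new Error("RAW_LIST notification has no 'data' rows");
      }
      const rows = payload.data.map((item, i) => {
        if (typeof item.title !== "string" || typeof item.value !== "string") {
          throw new Error(`RAW_LIST row ${i} must have string title and value`);
        }
        // Titles arrive with a trailing "\n " (see the documented payload);
        // trim it so the label renders cleanly.
        return { label: item.title.trim(), value: item.value };
      });
      return { kind: "RAW_LIST", headline: payload.message, rows };
    }
    case "PURCHASE": {
      if (typeof payload.amount !== "string" || typeof payload.merchant !== "string") {
        throw new Error("PURCHASE notification needs 'amount' and 'merchant'");
      }
      return {
        kind: "PURCHASE",
        headline: payload.message,
        rows: [
          { label: "Montant", value: payload.amount },
          { label: "Marchand", value: payload.merchant }, // label chosen here
        ],
      };
    }
    default:
      throw new Error(`Unknown SCA notification format: ${String(payload.format)}`);
  }
}

// Render the view model as the lines of a confirmation screen (plain text
// here; a real app would bind the rows to UI components).
function renderConfirmation(model) {
  return [model.headline, ...model.rows.map((r) => `${r.label}: ${r.value}`)];
}
```

The strictness is the point: the user approves whatever the screen shows, so the screen must only ever render a payload that matches a known shape, and an unknown format must fail closed rather than be displayed with a generic "confirm" button.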

Adding a new device (soon to come)

Your end user can add as many devices as they want. Each time, a securing process occurs, requiring a new Activation Code and the scanning of an identity document.

Here is the Payload you must watch for in our callback type 35:

```json
{
  "Payload": {
    "type": "35",
    "AppUserId": "e87bd13dJ",
    "ActivationCode": "f825f1646665490aa7ef7942c6f2f159",
    "ErrorMessage": null
  }
}
```

This activation code must either be displayed on screen and then scanned (web2app), or be passed in the background directly inside the app. You must then obtain a webview URL using the getIssuerData() feature of our SDK.

Example of webview URL you may obtain:

https://pad-staging.api-ot.com/api/v2/static/dist/index.html?technicalId=DC0A9829DF8D544A581292D8CE6C4C48FCEC14A07DDD4F0C8A1B9CFD8487711CB7A49C47047521DF3C9967215B5D7937310E26743193A7D5431AB2DA9A27AFE4&token=J5Ti9Y9p

You will know it is time to close the webview when the URL changes to end with #SUCCESS.

Example:

https://pad-staging.api-ot.com/api/v2/static/dist/index.html?technicalId=DC0A9829DF8D544A581292D8CE6C4C48FCEC14A07DDD4F0C8A1B9CFD8487711CB7A49C47047521DF3C9967215B5D7937310E26743193A7D5431AB2DA9A27AFE4&token=J5Ti9Y9p#SUCCESS
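The steps above (type 35 callback, activation code hand-off, getIssuerData() webview, #SUCCESS marker) fit together as follows. This is an added example, not Xpollens code: the callback shape is the one documented above, while the in-memory store, the single-use hand-off and the URL check are stand-ins for whatever your backend and app actually do. The ActivationCode, technicalId and token values are placeholders, not real ones.

```javascript
// Added example (not Xpollens code): backend handling of the type 35 callback
// and app-side detection of the webview's #SUCCESS marker for the
// "add a new device" flow.

// Constructed sample callback body, matching the documented Payload shape
// (the ActivationCode value is a placeholder, not a real code).
const SAMPLE_CALLBACK_35 = {
  Payload: {
    type: "35",
    AppUserId: "e87bd13dJ",
    ActivationCode: "00000000000000000000000000000000",
    ErrorMessage: null,
  },
};

// Stand-in for a real store: appUserId -> activation code, kept only until the
// app picks it up. Nothing here logs the code itself.
const pendingActivations = new Map();

// Validate a callback and park its activation code for the user's app.
// Returns the AppUserId on success and throws otherwise, so a callback with
// the wrong type, a reported error or a missing field never produces a code.
function handleDeviceEnrolmentCallback(body) {
  const p = body && body.Payload;
  if (!p || typeof p !== "object") throw new Error("callback has no Payload");
  if (p.type !== "35") throw new Error(`not a device enrolment callback (type ${p.type})`);
  if (p.ErrorMessage !== null && p.ErrorMessage !== undefined) {
    // Do not relay the upstream message to the end user verbatim.
    throw new Error("device enrolment callback reported an error");
  }
  if (typeof p.AppUserId !== "string" || p.AppUserId.length === 0) {
    throw new Error("callback has no AppUserId");
  }
  if (typeof p.ActivationCode !== "string" || p.ActivationCode.length === 0) {
    throw new Error("callback has no ActivationCode");
  }
  pendingActivations.set(p.AppUserId, p.ActivationCode);
  return p.AppUserId;
}

// Hand the code to the app exactly once (whether it is shown for scanning or
// passed in the background): a second fetch for the same user gets nothing.
function takeActivationCode(appUserId) {
  const code = pendingActivations.get(appUserId);
  if (code === undefined) return null;
  pendingActivations.delete(appUserId);
  return code;
}

// Decide whether the enrolment webview can be closed. The page says the URL
// gains "#SUCCESS" at the end; compare parsed URLs so that only the very page
// returned by getIssuerData() (same origin, path and query) with that exact
// fragment counts, not any page that merely contains the text.
function isEnrolmentComplete(initialUrl, currentUrl) {
  let start;
  let now;
  try {
    start = new URL(initialUrl);
    now = new URL(currentUrl);
  } catch (e) {
    return false;
  }
  return (
    start.origin === now.origin &&
    start.pathname === now.pathname &&
    start.search === now.search &&
    now.hash === "#SUCCESS"
  );
}
```

Keeping the activation code single-use and off the logs matters because it is the secret that binds a new device to the user; the URL comparison keeps the app from closing the webview (and treating enrolment as done) on a navigation that merely happens to carry a #SUCCESS fragment.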

Xpollens Authenticator app

Should you need our off-the-shelf mobile application, it is ready for your end users and available in the Apple Store and the Google Play Store.