Step 3. Opayo Handles Authentication and Authorisation

Overview

When 3D-Secure is either not set up on your Opayo account or is not active for the transaction, we will automatically request Authorisation.

Card transactions must be Authenticated and Authorised:

  • Authentication is the process of identifying your customer as the rightful card holder.
  • Authorisation is the acquiring bank's authorisation of the payment.
Important: To help guide a smooth customer experience and limit your liability for fraudulent transactions, we recommend you activate 3D-Secure on your account.

We will check whether you, the merchant, and the card issuer are enrolled in the 3D-Secure scheme. When the card issuer is not, we check the Ruleset set up in your account. By default, transactions that cannot be authenticated will be forwarded to your acquiring bank for Authorisation.

In most cases 3D-Secure verification will be possible, and the process continues to Authorisation by the acquiring bank. After Authorisation, we POST the outcome to your web servers. Anti-tampering mechanisms attached to the POST assure you that the content has not been modified in transit.

About 3D-Secure

3D-Secure is like an online version of Chip and Pin Authentication. It ensures that the person using the card is the rightful card owner. For example, an issuing bank may ask a customer to verify their identity by answering questions that only the rightful card owner will know the answers to.

Some low-risk transactions may be 3D-Secure Authenticated by the issuing bank automatically without interacting with the customer or asking any questions.

When your customer is Authenticated as the rightful cardholder:

  • The issuer assumes liability for the fraudulent use of that card during the transaction.
  • You are protected from what are known as ‘Chargebacks’.

Chargebacks occur when a cardholder challenges the authenticity of a transaction with their issuing bank. They claim it is fraudulent and want compensation. 3D-Secure is the only protection against chargebacks. We recommend you enable 3D-Secure on your Opayo account. You can enable and specify rules for 3D-Secure in MySagePay.

Note: For more information on chargebacks and the rules around liability shift, please connect with your acquiring bank.

a. We Check 3D-Secure Scheme Enrolment

To determine whether you, the merchant, and the card issuer are enrolled in the 3D-Secure scheme:

  1. The Opayo servers send your customer's card details to the Opayo 3D-Secure Merchant Plug-In (MPI).
  2. The MPI formats a verification request called a VEReq.
  3. The VEReq is sent to the 3D-Secure directory servers to query enrolment in the 3D-Secure scheme.
  4. The 3D-Secure directory servers return a verification response called a VERes back to our MPI.
  5. The VERes is decoded and the Opayo system knows the 3D-Secure scheme's inclusion or exclusion.

Example 3D directories include:

  • Verified by Visa
  • MasterCard SecureCode
  • Amex SafeKey

When a Card is Enrolled with 3D-Secure

When the card issuer is enrolled in the 3D-Secure scheme, we will redirect your customer to the card issuing bank’s 3D-Secure authentication pages for Authentication. Your customer must then Authenticate themselves as the valid cardholder at Step 3.d.

When a Card is Not Enrolled with 3D-Secure

When the card issuer is not part of the scheme, we will check whether you have a Rulebase. If so, we check your rules to determine whether Authorisation should occur or not.

Your Ruleset

You may or may not have a Rulebase set up for your account. When you do and the card issuer is not enrolled in the 3D-Secure scheme, we check your rules to determine:

  • Whether you want your customer to attempt Authorisation using your acquirer, or
  • Whether you want your customer to return to your card selection page and select an alternative payment method.

Choose an Alternative Payment Method

When your Rulebase directs your customer to choose an alternative payment method, this process is repeated.

If three payment methods are unsuccessful, we will send a response to your NotificationURL:

  • Status is REJECTED
  • StatusDetail will include the reason for the failure
  • 3DSecureStatus contains the results of the authentication.

You must reply to the notification POST with a RedirectURL. This is the page we redirect your customer to where you can explain why the transaction is cancelled.

REJECTED transactions:

  • Will not be sent for settlement
  • Your customer is not charged

b. We Manage the Authentication Result

When Authentication is Successful

After a successful Authentication, the issuer returns your customer to Opayo with a unique authentication value of either a:

  • CAVV for Visa
  • UCAF for MasterCard.

This is passed to your acquiring bank during Authorisation to secure the liability shift for fraudulent transactions involving chargebacks.

When Authentication is Not Successful

When Authentication is not successful:

  • Your customer is returned to the Opayo server without the CAVV or UCAF value.
  • We consult your 3D-Secure Rulebase to determine if authorisation should be attempted.
  • By default 3D-Authentication failures are not sent for authorisation.
Note: For more information on 3D-Secure and Rulebases, please refer to our Fraud Prevention Guide available on opayo.co.uk

When Authentication is Not Possible

If Authentication is not possible, your customer must choose an alternative payment method, and the Authentication process is repeated.

If three payment methods are unsuccessful, we will send a response to your NotificationURL:

  • Status is REJECTED
  • StatusDetail will include the reason for the failure
  • 3DSecureStatus contains the results of the authentication.

You must reply to the notification POST with a RedirectURL. This is the page we redirect your customer to where you can explain why the transaction is cancelled.

REJECTED transactions:

  • Will not be sent for settlement
  • Your customer is not charged

MPI Errors

When an MPI error occurs, we will check whether you have a Rulebase. If so, we check your rules to determine whether Authorisation should occur or not.

c. We Obtain Authorisation

The Opayo servers format a bank-specific Authorisation message including any issued 3D-Secure authentication values. This is sent to your merchant acquirer over the private banking network.

Meanwhile, your customer waits on a page containing the text, “Please wait while your transaction is authorised with the bank”.

A response is obtained directly from the issuing bank by the acquiring bank in real time and normally within 1 or 2 seconds. It includes either an authorisation code or a declined message.

Authorisation Failures

Opayo handles all authorisation failures:

  • When the first two attempts fail, your customer returns to your card selection screen to choose an alternative card.
  • On the third failure, we send you a NOTAUTHED message with a blank authorisation code.

When a subsequent payment card is Authorised, the acquirer returns an Authorisation Code and Opayo prepares an OK response to send to you.

Fraud Checks

When AVS/CV2 fraud checks are performed, the results are compared to the Rulebase you have set up. (Refer to our Fraud Prevention Guide available on opayo.co.uk). 

If the bank Authorises the transaction but the card fails your fraud screening rules, we will:

  • Immediately reverse the Authorisation with the bank.
  • Request that the shadow on the card for this transaction is cleared.
  • Prepare and send a REJECTED response to you.

The card issuing bank may decline the Reversal:

  • This can leave an authorisation shadow on the card for up to 10 working days.
  • The transaction will not be settled by Opayo
  • The transaction will appear as a failed transaction in MySagePay.
Note: The funds may appear to your customer to have been taken until their bank clears the shadow automatically.

d. We Notify You of the Authentication and Authorisation Results

The outcome of the Authentication and Authorisation process is notified to you by our Opayo servers:

  1. Our server sends the POST to the NotificationURL script on your server.
    Note: You set this in the original transaction registration at Step 1.
  2. The POST, sent over port 80 or 443, includes the outcome of the transaction.
    Important: Only use ports 80 and 443, as hard-coding alternative ports will generate errors.
  3. Your notification script must determine how to process each Status and direct your customer accordingly.

Status

The Status field of this POST will contain one of the values listed in the following table. The StatusDetail value explains why the Status is returned.

Notification Status Values

  Value      Description
  OK         The transaction is Authorised.
  PENDING    (European Payment Types only.) The transaction is yet to be accepted or rejected.
  NOTAUTHED  The authorisation was failed by the bank.
  ABORT      Your customer cancelled the transaction while on our payment pages.
  REJECTED   Your fraud screening rules are not met.
  ERROR      An error has occurred at Opayo.

Note: Errors are rare, but your site should handle them in case they occur. Errors normally indicate a problem with bank connectivity.
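The following is an added illustration of a NotificationURL handler, not code from Opayo or this guide. It dispatches on the Status values in the table above, treats anything unexpected as ERROR, and always answers with a RedirectURL. The reply format (CRLF-separated Status, RedirectURL and StatusDetail lines, with INVALID for a notification it cannot accept), the VendorTxCode field, the order store and the tamper-check callable are assumptions for the example.

```python
from typing import Callable, Dict
from urllib.parse import parse_qs

# Status values from the notification table; anything else is handled as ERROR.
KNOWN_STATUSES = {"OK", "PENDING", "NOTAUTHED", "ABORT", "REJECTED", "ERROR"}

# Constructed in-memory order store keyed by VendorTxCode (hypothetical);
# a real site would look the transaction up in its database.
ORDERS: Dict[str, Dict[str, str]] = {
    "ORDER-1001": {"state": "registered"},
    "ORDER-1002": {"state": "registered"},
}

def parse_notification(body: str) -> Dict[str, str]:
    """Decode the form-encoded POST body into a flat field dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def reply(status: str, redirect_url: str, detail: str = "") -> str:
    """Build the plain-text reply the gateway reads (assumed key=value, CRLF format)."""
    lines = [f"Status={status}", f"RedirectURL={redirect_url}"]
    if detail:
        lines.append(f"StatusDetail={detail}")
    return "\r\n".join(lines) + "\r\n"

def handle_notification(body: str, tamper_check: Callable[[Dict[str, str]], bool],
                        base_url: str) -> str:
    """Process one notification POST and return the reply body."""
    fields = parse_notification(body)
    order = ORDERS.get(fields.get("VendorTxCode", ""))
    # Never act on a notification for a transaction this site did not register.
    if order is None:
        return reply("INVALID", f"{base_url}/payment/failed", "Unknown VendorTxCode")
    # The hypothetical tamper_check stands in for the gateway's anti-tampering check.
    if not tamper_check(fields):
        return reply("INVALID", f"{base_url}/payment/failed", "Tamper check failed")
    status = fields.get("Status", "ERROR")
    if status not in KNOWN_STATUSES:
        status = "ERROR"
    if status == "OK":
        order["state"] = "authorised"
        page = "/payment/success"
    elif status == "PENDING":
        order["state"] = "pending"
        page = "/payment/pending"
    else:  # NOTAUTHED, ABORT, REJECTED, ERROR: nothing is settled, record why.
        order["state"] = "failed"
        order["reason"] = f'{status}: {fields.get("StatusDetail", "")}'
        page = "/payment/failed"
    # Acknowledge receipt so the gateway redirects the customer to our page.
    return reply("OK", base_url + page)
```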


Customer-Cancelled Transactions

When a customer chooses to cancel the transaction, then you will receive a cancellation notification and no details are sent to your acquiring bank.
