User's Guide
Table Of Contents
- Payflow Fraud Protection Services User’s Guide
- Preface
- Overview
- How Fraud Protection Services Protect You
- Configuring the Fraud Protection Services Filters
- Assessing Transactions that Triggered Filters
- Activating and Configuring the Buyer Authentication Service
- Performing Buyer Authentication Transactions Using the SDK
- Testing the Buyer Authentication Service
- Buyer Authentication Transaction Overview
- Buyer Authentication Terminology
- Buyer Authentication Server URLs
- Detailed Buyer Authentication Transaction Flow
- Call 1: Verify that the cardholder is enrolled in the 3-D Secure program
- Call 2: POST the authentication request to and redirect the customer’s browser to the ACS URL
- Call 3: Validate the PARES authentication data returned by the ACS server
- Call 4: Submit the intended transaction request to the Payflow server
- Example Buyer Authentication Transactions
- Buyer Authentication Transaction Parameters and Return Values
- ECI Values
- Logging Transaction Information
- Screening Transactions Using the Payflow SDK
- Downloading the Payflow SDK (Including APIs and API Documentation)
- Transaction Data Required by Filters
- Transaction Parameters Unique to the Filters
- Existing Payflow Parameters Used by the Filters
- Response Strings for Transactions that Trigger Filters
- Accepting or Rejecting Transactions That Trigger Filters
- Logging Transaction Information
- Responses to Credit Card Transaction Requests
- Fraud Filter Reference
- Testing the Transaction Security Filters
- Good and Bad Lists
- AVS Failure Filter
- BIN Risk List Match Filter
- Country Risk List Match Filter
- Email Service Provider Risk List Match Filter
- Geo-location Failure Filter
- International IP Address Filter
- International Shipping/Billing Address Filter
- IP Address Match Filter
- Shipping/Billing Mismatch Filter
- Total Item Ceiling Filter
- Total Purchase Price Ceiling Filter
- Total Purchase Price Floor Filter
- USPS Address Validation Failure Filter
- ZIP Risk List Match Filter
- Deactivating Fraud Protection Services
- Index
Performing Buyer Authentication Transactions Using the SDK
Detailed Buyer Authentication Transaction Flow
6
36 Fraud Protection Services User’s Guide
Call 2: POST the authentication request to and redirect the customer’s
browser to the ACS URL
NOTE: XMLPay uses the ValidateAuthentication transaction for Call 2.
If the card is enrolled, you place the following values in an HTTP form and then HTTP POST
the values to the ACS URL (the issuer’s ACS site):
PAREQ: The value of the PAREQ returned in the Verify Enrollment call.
TermUrl: Your server—the one that should accept the authentication response.
MD: (Required) Any data that you want returned (echoed) to the TermUrl by the ACS
server. Typically, this is state information.
(XMLPay uses the ValidateAuthentication transaction for this purpose.)
Your server then redirects the customer’s browser to the ACS URL.
The customer views the ACS form, enters their 3-D Secure password, and submits the form to
the Issuing bank.
The issuer’s ACS server validates the password, authenticates the customer’s identity, and
then generates and digitally signs a PARES value (payer authentication response). The ACS
server then HTTP POSTs the signed PARES and the unchanged value of the MD to the
TermUrl that you specified.
Verify
Enrollment
call
Merchant
Web Store
510551055105
$42.02
AMT=42.02
DESCRIPTION=case
ACCT=5105510551055555
EXPDATE=0306
NAME=johnson
Transaction
Data
Generate the data for the intended transaction
1
BUY
TRXTYPE=E
ACCT=5105510551055555
EXPDATE=0308
PayPal's
Buyer
Authentication
Server
RESULT=0
AUTH_STATUS=E
AUTH_ID=1A3D4G
PAREQ=J84H+To4vv6K
ACSURL=www.issuer.com
ECI=7
"Is this
cardholder
enrolled?"
"Yes, the
cardholder is enrolled, and here's
the URL of the Issuing bank's
ACS page and the Payer
Authentication Request (PAYREQ)
that you'll need when you
ask the Issuing bank to
authenticate the customer."