Payflow Fraud Protection Services User’s Guide
Performing Buyer Authentication Transactions Using the SDK
Detailed Buyer Authentication Transaction Flow
<h3>Click <b>Submit</b> to continue processing your 3-D Secure transaction.</h3>
<input type="submit" value="Submit"/>
</center>
</noscript>
<input type="hidden" name="TermUrl" value="{$redirectUrl}"/>
<input type="hidden" name="MD" value="{$messageId}"/>
<input type="hidden" name="PAREQ" value="{$paReq}"/>
</form>
</body>
</HTML>
Call 3: Validate the PARES authentication data returned by the ACS server
Your application at TermUrl performs the Validate Authentication call for security reasons.
You validate that the PARES is the proper data from the Issuer by sending a request for
validation of the digital signature on the PARES to the Buyer Authentication server. Use
TRXTYPE=Z.
The server uses the Issuer’s digital certificate to validate the signature and then returns the
parsed authentication information from the PARES: AUTHENTICATION_STATUS (Y means
valid signature), AUTHENTICATION_ID, CAVV (cardholder authentication verification
value), XID, and ECI.
Call 4: Submit the intended transaction request to the Payflow server
NOTE: For Call 4 when using XMLPay, pass the following in ExtData for Authorization and
Sale transactions:
AUTHENTICATION_STATUS=<status>, AUTHENTICATION_ID=<id>,
CAVV=<cavv value>, XID=<xid value>, and ECI=<eci value>.
Now that the buyer authentication process is complete, you submit the intended sale or
authorization payment transaction (TRXTYPE=S or A) to the Payflow server. In addition to
[Figure: Validate Authentication (call 3).
Request: the normal submission parameters (partner=verisign, vendor=merchant, password=a1b2c3, amt=42.02, description=case, acct=5105510551055555, lastname=johnson) with TRXTYPE=Z and PARES=Qi84$nFWpx2M93, sent to PayPal's Buyer Authentication Server: "Is the PaRes valid?"
Response: RESULT=0, AUTH_STATUS=Y, AUTH_ID=1A3D4G, CAVV=li409JK4aUv5Kq, ECI=2, XID=3Pm95VwzG8YeJ: "Yes, the signature is valid, the content of PaRes is valid, the authentication was successful, and here's the data that I parsed from the PaRes."]
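The following is an added example (not code from the guide or the Payflow SDK) of the decision between Call 3 and Call 4 described above: it parses the Validate Authentication response and builds the Call 4 parameters only when RESULT=0 and AUTHENTICATION_STATUS=Y. The function names, the '&'-separated response layout, and the policy of refusing every status other than Y are assumptions of this example; the sample response is constructed from the figure's values using the field names given in the text.

```python
# Added example: gate Call 4 on the Validate Authentication (TRXTYPE=Z) response.
AUTH_FIELDS = ("AUTHENTICATION_STATUS", "AUTHENTICATION_ID", "CAVV", "XID", "ECI")
# Names the caller may never supply: they come from the server or are set here.
RESERVED = set(AUTH_FIELDS) | {"TRXTYPE", "PARES"}

# Constructed sample built from the values in the guide's figure; the
# '&'-separated NAME=value layout is an assumption of this example.
SAMPLE_VALIDATE_RESPONSE = (
    "RESULT=0&AUTHENTICATION_STATUS=Y&AUTHENTICATION_ID=1A3D4G"
    "&CAVV=li409JK4aUv5Kq&XID=3Pm95VwzG8YeJ&ECI=2"
)


class AuthenticationNotValidated(Exception):
    """The Call 3 response does not justify attaching authentication data."""


def parse_response(raw):
    """Split NAME=value pairs; reject malformed or repeated names."""
    fields = {}
    for pair in raw.split("&"):
        name, sep, value = pair.partition("=")
        if not sep or not name:
            raise AuthenticationNotValidated("malformed name-value pair")
        if name in fields:  # a repeated name makes the response ambiguous
            raise AuthenticationNotValidated("duplicate field " + name)
        fields[name] = value
    return fields


def build_call4(validate_raw, base_params, trxtype):
    """Return Call 4 parameters, or raise without building anything."""
    if trxtype not in ("S", "A"):
        raise ValueError("Call 4 is a sale (S) or an authorization (A)")
    resp = parse_response(validate_raw)
    if resp.get("RESULT") != "0":
        raise AuthenticationNotValidated("RESULT is not 0")
    if resp.get("AUTHENTICATION_STATUS") != "Y":
        raise AuthenticationNotValidated("AUTHENTICATION_STATUS is not Y")
    missing = [f for f in AUTH_FIELDS if not resp.get(f)]
    if missing:
        raise AuthenticationNotValidated("missing " + ", ".join(missing))
    # Drop reserved names from the merchant's own parameters so that
    # authentication values can only originate from the validated response.
    params = {k: v for k, v in base_params.items() if k.upper() not in RESERVED}
    params["TRXTYPE"] = trxtype
    params.update({f: resp[f] for f in AUTH_FIELDS})
    return params
```

Error messages carry field names only, so CAVV, XID and PARES values never reach a log through an exception.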