
Payment Confirmation

Under PSD2, payment confirmation involves verifying the identity of the customer and ensuring the security of the payments. It typically requires the use of two or more factors from the following categories:

  • Knowledge factors: Something the end-customer knows, such as a password.
  • Possession factors: Something the end-customer possesses, such as a mobile phone.
  • Inherence factors: Something inherent to the end-customer, such as biometric data (FingerId, FaceID etc.).

The purpose of using multiple factors is to provide an extra layer of security by requiring the end-customer to provide evidence from different categories. This helps to mitigate the risks of unauthorized access and fraud.

PSD2 Exemptions

In line with PSD2, certain outgoing wire transfers & sends may be exempted from Strong Customer Authentication (SCA).

  • Low Value Transaction: Payments below €30 (or equivalent) will not be challenged, unless the user exceeds a cumulative transfer amount of €100 (or equivalent) or 5 successful payments, or the payment is deemed high risk.

Info: Please contact our support team to enable the Low Value exemption.

  • Trusted Suppliers: The destination instrument of the send payment is on the identity's trusted supplier list [insert link].

Info: The status of payments that do not require SCA will automatically move to EXECUTED and no further action is required.
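The low-value rule above combines a per-payment limit with two running counters, and the boundaries are where integrations tend to go wrong. The following Python is an added example, not the platform's own logic, showing how a client could predict whether a payment will be challenged. Assumptions: the counters cover payments since the last completed SCA and reset when a challenge succeeds (as in the PSD2 regulatory technical standards), only low-value exempt payments count toward them, and all names (`ScaState`, `decide`, `record`, `simulate`) are hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")     # per-payment threshold from the page (EUR)
CUMULATIVE_LIMIT = Decimal("100")   # cumulative threshold from the page (EUR)
MAX_EXEMPT_PAYMENTS = 5             # payment-count threshold from the page


@dataclass
class ScaState:
    """Per-user counters, assumed to cover payments since the last completed SCA."""
    low_value_enabled: bool = False  # the exemption must be enabled by support
    trusted_suppliers: set = field(default_factory=set)
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0


def decide(state, amount_eur, destination, high_risk=False):
    """Return ("EXEMPT", reason) or ("CHALLENGE", reason) for one outgoing payment."""
    amount = Decimal(str(amount_eur))
    if destination in state.trusted_suppliers:
        return "EXEMPT", "trusted_supplier"
    if not state.low_value_enabled:
        return "CHALLENGE", "low_value_not_enabled"
    if amount >= LOW_VALUE_LIMIT:          # exemption applies strictly below 30
        return "CHALLENGE", "amount_not_below_30"
    if high_risk:                          # page ties this override to low-value payments
        return "CHALLENGE", "high_risk"
    if state.exempt_count + 1 > MAX_EXEMPT_PAYMENTS:
        return "CHALLENGE", "payment_count_exceeded"
    if state.exempt_total + amount > CUMULATIVE_LIMIT:
        return "CHALLENGE", "cumulative_amount_exceeded"
    return "EXEMPT", "low_value"


def record(state, outcome, amount_eur):
    """Update counters once the payment has executed or the challenge has succeeded."""
    decision, reason = outcome
    if decision == "CHALLENGE":            # assumed: a completed SCA resets both counters
        state.exempt_total, state.exempt_count = Decimal("0"), 0
    elif reason == "low_value":
        state.exempt_total += Decimal(str(amount_eur))
        state.exempt_count += 1


def simulate(state, payments):
    """payments: (amount_eur, destination, high_risk) tuples; returns the reason per payment."""
    reasons = []
    for amount, destination, risky in payments:
        outcome = decide(state, amount, destination, risky)
        record(state, outcome, amount)
        reasons.append(outcome[1])
    return reasons
```

With the exemption enabled, four consecutive €29 payments trip the cumulative limit on the fourth, while six €20 payments trip the count limit on the sixth.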

Authentication factors

To verify a Payment Run, the logged-in user with Controller permissions must have enrolled their mobile device for strong customer authentication.

Info: We currently support SMS. More channels, including Biometrics, are coming soon.

Payment Run Confirmation

For the Payment Run to be executed, the logged-in user with the Controller role must authenticate the Payment Run.

Sending a Challenge

You can trigger the Payment Run verification process by calling the challenge API. The Controller will be asked to perform two-factor authentication based on the channel.

By default, SMS is used, and a text message is sent to the mobile number associated with the user's credentials. For admin users, this will be the mobile number provided when onboarding the buyer, while for authorised users, this will be the mobile number provided when onboarding the user.

To authenticate the second factor via SMS, trigger the wire transfer SCA challenge API endpoint, which will send an OTP via text message.

[link endpoint]

Verifying the Challenge

If SMS is the selected channel (the default), you must build a page in your application where the Controller can enter the verification code that they received in the text message. You then submit that code via the challenge verify API.

[link endpoint]